我希望能够使用 id 或用户名验证登录表单，同时使用 c# 从 mysql 数据库中获取数据

Question

I am working on a project, so I decided to try some CRUD operations so as to be able to manipulate my database.

I already created a form to insert data into the database and it worked, but I am finding it difficult to create that of read .

public int login(string id, string name)
{
    MySqlDataReader dr;
    int i = 0;
    try
    {
        string query = "SELECT * FROM `all_data` WHERE admin_ID=@id and admin_Name=@name;
        open_conn();
        MySqlCommand cmd = new MySqlCommand(query,conn);
        cmd.Parameters.AddWithValue("@id", id);
        cmd.Parameters.AddWithValue("@name",name);
        dr = cmd.ExecuteReader();
        if (dr.HasRows)
        {
            while (dr.Read())
            {

            }
        }
    }
    catch(Exception ex)
    {
        MessageBox.Show(ex.Message);
    }

    return i;
}

This is where I got confused, as I want it to read from my database and check if it matches my inputs. If it matches, then it should perform an action.. maybe show a MessageBox saying "login successful".

Answer 1

First, don't build your query by concatenating the id and name directly. This would introduce a SQL injection vulnerability.

string query = "SELECT * FROM `all_data` WHERE admin_ID='"+id+ "' and admin_Name='"+name+"' ";

Instead, use a parameterized query.

string query = "SELECT * FROM `all_data` WHERE admin_ID=@id and admin_Name=@name";

cmd.Parameters.AddWithValue("@id", id);
cmd.Parameters.AddWithValue("@name",name);

Next, we just need to check if a record matches the inputs. Thus, we can change the query to below to see how many records match.

string query = "SELECT COUNT(*) FROM `all_data` WHERE admin_ID=@id and admin_Name=@name";

Finally, instead of ExecuteReader() we can use ExecuteScalar() to get the count. If the count is greater than 0, we know that there was a successful match.

int matchingRecords = (int).ExecuteScalar();
if (matchingRecords > 0) {
    // Logic for successful match
}