[英]Can I use Environment.Username and MYSQL to verify log in?
private void btnSubmitt_Click(object sender, RoutedEventArgs e)
{
try
{
i = 0;
MySqlCommand cmd = con.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "Select * from users where TX_EMPLOYEE='"; (Environment.UserName) & "'";
DataTable dt = new DataTable();
MySqlDataAdapter da = new MySqlDataAdapter(cmd);
da.Fill(dt);
i = Convert.ToInt32(dt.Rows.Count.ToString());
}
catch
{
MessageBox.Show("Database connection is not available at this time. Please contact your database administrator ");
}
finally
{
con.Close();
}
I would like to authenticate the user with their computer login name and the exact match that is listed in the MYSQL data table.我想使用他们的计算机登录名和 MYSQL 数据表中列出的完全匹配来验证用户。 However Environment.Username is not a valid syntax in this SQL statement.
但是 Environment.Username 不是此 SQL 语句中的有效语法。
This line is very very wrong:这一行是非常非常错误的:
cmd.CommandText = "Select * from users where TX_EMPLOYEE='"; (Environment.UserName) & "'";
It should be this:应该是这样的:
cmd.CommandText = "Select * from users where TX_EMPLOYEE='" + Environment.UserName + "'";
Except, it shouldn't be like that because of SQL injection.除了,它不应该是那样的,因为 SQL 注入。 If I could make
Environment.UserName
into ' or 1 = 1 or TX_EMPLOYEE = '
then your final query would become this:如果我可以将
Environment.UserName
设为' or 1 = 1 or TX_EMPLOYEE = '
那么你的最终查询将变成这样:
Select * from users where TX_EMPLOYEE='' or 1 = 1 or TX_EMPLOYEE = ''
Which clearly isn't what you want - somebody with no credentials being able to access this.这显然不是您想要的 - 没有凭据的人可以访问它。 You should instead use SQL parameters:
您应该改用 SQL 参数:
cmd.CommandText = "Select * from users where TX_EMPLOYEE=?userName";
cmd.Parameters.AddWithValue("?userName", Environment.UserName);
On a separate note, I'm confused by this code:另外,我对这段代码感到困惑:
i = Convert.ToInt32(dt.Rows.Count.ToString());
DataTable.Rows.Count is already an int
, so you're converting a number to a string to a number. DataTable.Rows.Count已经是一个
int
,因此您要将数字转换为字符串再转换为数字。 Why?为什么?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.