[英]Split user name and password credentials
I have created the following WebMethod
in the back end of my application where the users login through the front end. 我在应用程序的后端创建了以下
WebMethod
,用户通过前端登录。
[WebMethod]
public String Login(String userName, String password)
{
OleDbConnection connect = new OleDbConnection(connection);
connect.Open();
OleDbCommand command = new OleDbCommand("Select * from login where userName='" + userName + "' and password ='" + password + "'", connect);
command.CommandType = CommandType.Text;
OleDbDataAdapter adapter = new OleDbDataAdapter();
adapter.SelectCommand = command;
DataSet NSNSet = new DataSet();
adapter.Fill(NSNSet);
string username = NSNSet.Tables[0].Rows[0]["firstName"].ToString() + NSNSet.Tables[0].Rows[0]["lastName"].ToString();
int userID = System.Convert.ToInt16(NSNSet.Tables[0].Rows[0]["UID"].ToString());
return username + "," + userID;
}
Currently, I have error handling in place which states - 目前,我已经在错误处理中指出了-
catch(Exception ex)
{
string error = System.Convert.ToString(ex);
if (error.Contains("There is no row at position 0"))
{
status.Text = "Incorrect Username/Password combination";
}
}
This works fine, however how could I aulter my code so that it brings back a more specific error, ie states if the userName
or password
specifically are incorrect? 这可以很好地工作,但是我该如何对我的代码进行错误处理,使其返回更具体的错误,即指出
userName
或password
是否不正确?
Don't give out to much details, just give a simple login error message, but don't say that username is incorrect or password is incorrect, cause a hacker can use that information 不要透露太多细节,仅给出简单的登录错误消息,但不要说用户名不正确或密码不正确,导致黑客可以使用该信息
a simple text saying login unsuccessful should be ok 简单的文字说登录失败应该可以
You should do like this: 您应该这样做:
public String Login(String userName, String password)
{
OleDbConnection connect = new OleDbConnection(connection);
connect.Open();
OleDbCommand command = new OleDbCommand("Select UID, firstName, lastName from login where userName=? and password =?", connect);
command.CommandType = CommandType.Text;
//to avoid sql injection
command.Parameters.Add(userName);
command.Parameters.Add(password);
OleDbDataAdapter adapter = new OleDbDataAdapter();
adapter.SelectCommand = command;
DataSet NSNSet = new DataSet();
adapter.Fill(NSNSet);
if (NSNSet.Tables[0].Rows.Count == 0)
return "Access denied";
string username = NSNSet.Tables[0].Rows[0]["firstName"].ToString() + NSNSet.Tables[0].Rows[0]["lastName"].ToString();
int userID = int.Parse(NSNSet.Tables[0].Rows[0]["UID"].ToString());
return username + "," + userID;
}
Or a better way, using DataReader for performance: 或者使用DataReader来提高性能:
public String Login(String userName, String password)
{
OleDbConnection connect = new OleDbConnection(connection);
connect.Open();
OleDbCommand command = new OleDbCommand("Select UID, firstName, lastName from login where userName=? and password =?", connect);
command.CommandType = CommandType.Text;
//to avoid sql injection
command.Parameters.Add(userName);
command.Parameters.Add(password);
OleDbDataReader reader=command.ExecuteReader();
if (reader.Read())
{
//that means there's at least one row
string username = reader["firstName"] + " " + reader["lastName"];
int userID = int.Parse(reader["UID"].ToString());
return username + "," + userID;
}
else
{
//no combination username-password found
return "Access denied";
}
}
First, this code is open to SQL injection. 首先,此代码可用于SQL注入。 Second, if you want to know specifically which element is incorrect, you have to break down your query into two components (ie. query username and password separately)
其次,如果您想具体知道哪个元素不正确,则必须将查询分为两个部分(即分别查询用户名和密码)
You can change you select query a little bit to this: 您可以对此进行一些更改:
"select * from login where userName='"+userName+"'";
if there is no row in DataSet then write 如果DataSet中没有行,则写入
Invalid UserName
and if user exist then check if password match or not if not match then write 如果用户存在,则检查密码是否匹配,如果不匹配,则写
Invalid Password
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.