
Validating username and password in a database in asp.net

I am trying to create a login page. I have a database table called Login, and it has two columns: ID and Password. It has the following ID and Password pairs in it: first row: (13282,123456), second row: (11111,11111). If the username and password are right, I redirect the page to succesful.aspx; if either the username or the password is wrong, I redirect the page to unsuccesful.aspx. My problem is that when I enter 13283 as ID and 123456 as password, it does everything right and I am redirected to the successful page. But when I enter ID=11111 and Password=11111, even though everything is true, it redirects to the unsuccessful page. I think the problem is that my query only checks the first row. Here is the code:

 protected void loginButton_Click(object sender, EventArgs e)
{

    SqlConnection con = new SqlConnection();
    con.ConnectionString = "Data Source=.\\SQLEXPRESS;Initial Catalog=University;Integrated Security=True;Pooling=False";


    Int32 verify;
    string query1 = "Select count(*) from Login where ID='" + idBox.Text + "' and Password='" + passwordBox.Text + "' ";
    SqlCommand cmd1 = new SqlCommand(query1, con);
    con.Open();
    verify = Convert.ToInt32(cmd1.ExecuteScalar());
    con.Close();
    if (verify > 0)
    {
        Response.Redirect("succesful.aspx");
    }
    else
    {
        Response.Redirect("unsuccesful.aspx",true);
    }

}

Several things are wrong with this approach:

  • It requires storing passwords in plain text - This is the worst thing one can do to a user's password: anyone who accidentally gains access to your database would instantly be in possession of all your users' passwords, which is very, very bad.
  • It is susceptible to SQL Injection attacks - Concatenating strings to produce a SQL command is dangerous, because malicious users could enter strings that break your SQL and turn it into something else.

You should study the answers to this question. The approaches discussed there are not nearly as simple as what you are implementing, but they make your system a lot more bullet-proof.
