private void btnSubmitt_Click(object sender, RoutedEventArgs e)
{
try
{
i = 0;
MySqlCommand cmd = con.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "Select * from users where TX_EMPLOYEE='"; (Environment.UserName) & "'";
DataTable dt = new DataTable();
MySqlDataAdapter da = new MySqlDataAdapter(cmd);
da.Fill(dt);
i = Convert.ToInt32(dt.Rows.Count.ToString());
}
catch
{
MessageBox.Show("Database connection is not available at this time. Please contact your database administrator ");
}
finally
{
con.Close();
}
I would like to authenticate the user with their computer login name and the exact match that is listed in the MYSQL data table. However Environment.Username is not a valid syntax in this SQL statement.
This line is very very wrong:
cmd.CommandText = "Select * from users where TX_EMPLOYEE='"; (Environment.UserName) & "'";
It should be this:
cmd.CommandText = "Select * from users where TX_EMPLOYEE='" + Environment.UserName + "'";
Except, it shouldn't be like that because of SQL injection. If I could make Environment.UserName
into ' or 1 = 1 or TX_EMPLOYEE = '
then your final query would become this:
Select * from users where TX_EMPLOYEE='' or 1 = 1 or TX_EMPLOYEE = ''
Which clearly isn't what you want - somebody with no credentials being able to access this. You should instead use SQL parameters:
cmd.CommandText = "Select * from users where TX_EMPLOYEE=?userName";
cmd.Parameters.AddWithValue("?userName", Environment.UserName);
On a separate note, I'm confused by this code:
i = Convert.ToInt32(dt.Rows.Count.ToString());
DataTable.Rows.Count is already an int
, so you're converting a number to a string to a number. Why?
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.