Getting Data From Sql Server 2008 with C#
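I am trying to create a login facility for a Windows Forms Application project. I am using Visual Studio 2010 and MS Sql Server 2008.
I referred to this article: http://www.codeproject.com/Articles/4416/Beginners-guide-to-accessing-SQL-Server-through-C
Here is my database table named user:
I have TextBox1 for the user name, TextBox2 for the user password, and Button1 to start the login process. Here is the code for my Button1_Click method: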
private void button1_Click(object sender, EventArgs e)
{
    string kullaniciAdi; // user name
    string sifre; // password
    SqlConnection myConn = new SqlConnection();
    myConn.ConnectionString = "Data Source=localhost; database=EKS; uid=sa; pwd=123; connection lifetime=20; connection timeout=25; packet size=1024;";
    myConn.Open();
    try
    {
        SqlDataReader myReader;
        string myQuery = ("select u_password from user where u_name='" + textBox1.Text + "';");
        SqlCommand myCommand = new SqlCommand(myQuery,myConn);
        myReader = myCommand.ExecuteReader();
        while (myReader.Read())
        {
            sifre = myReader["u_password"].ToString();
        }
    }
    catch (Exception x)
    {
        MessageBox.Show(x.ToString());
    }
    myConn.Close();
}
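I don't have much experience with C#, but I think I am missing something small. Below I share the exception message I caught. Can you tell me what I am missing? (Line 33 is myReader = myCommand.ExecuteReader();)
Considering the answers given, I updated my try block as shown below, but it still does not work.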
try
{
    SqlDataReader myReader;
    string myQuery = ("select u_password from [user] where u_name=@user");
    SqlCommand myCommand = new SqlCommand(myQuery, myConn);
    myCommand.Parameters.AddWithValue("@user", textBox1.Text);
    myReader = myCommand.ExecuteReader();
    while (myReader.Read())
    {
        sifre = myReader["u_password"].ToString();
    }
    if (textBox2.Text.Equals(sifre))
    {
        Form2 admnPnl = new Form2();
        admnPnl.Show();
    }
}
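After changing the whole code following sine's suggestion, the screenshot is also below: I think that, somehow, I cannot assign the password from the database to the string sifre.
Code: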
string sifre = "";
var builder = new SqlConnectionStringBuilder();
builder.DataSource = "localhost";
builder.InitialCatalog = "EKS";
builder.UserID = "sa";
builder.Password = "123";
using (var conn = new SqlConnection(builder.ToString()))
{
    using (var cmd = new SqlCommand())
    {
        cmd.Connection = conn;
        cmd.CommandText = "select u_password from [user] where u_name = @u_name";
        cmd.Parameters.AddWithValue("@u_name", textBox1.Text);
        conn.Open();
        using (var reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                var tmp = reader["u_password"];
                if (tmp != DBNull.Value)
                {
                    sifre = reader["u_password"].ToString();
                }
            }
            if (textBox2.Text.Equals(sifre))
            {
                try
                {
                    AdminPanel admnPnl = new AdminPanel();
                    admnPnl.Show();
                }
                catch (Exception y)
                {
                    MessageBox.Show(y.ToString());
                }
            }
            else
            {
                MessageBox.Show("incorrect password!");
            }
        }
    }
}
Try putting user in [] because it is a reserved keyword in T-SQL, and use parameters; your code is open to SQL injection!
private void button1_Click(object sender, EventArgs e)
{
    string sifre = ""; // password read from the database
    var builder = new SqlConnectionStringBuilder();
    builder.DataSource = "servername";
    builder.InitialCatalog = "databasename";
    builder.UserID = "username";
    builder.Password = "yourpassword";
    using(var conn = new SqlConnection(builder.ToString()))
    {
        using(var cmd = new SqlCommand())
        {
            cmd.Connection = conn;
            // [user] is bracketed because USER is a reserved keyword; the input is passed as a parameter
            cmd.CommandText = "select u_password from [user] where u_name = @u_name";
            cmd.Parameters.AddWithValue("@u_name", textBox1.Text);
            conn.Open();
            using(var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    var tmp = reader["u_password"];
                    if(tmp != DBNull.Value)
                    {
                        sifre = reader["u_password"].ToString();
                    }
                }
            }
        }
    }
}
User is a reserved keyword in SQL; you need to do this:
select u_password from [user] where u_name=@user
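As always with basic SQL questions, you should always use parameterized queries to stop people from running any old command on your database through a text box.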
SqlCommand myCommand = new SqlCommand(myQuery,myConn);
myCommand.Parameters.AddWithValue("@user", textBox1.Text);
USER is a reserved word in T-SQL.
Try putting [] around reserved words.
string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';");
Change it to something like
string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';");
Other than that, I suggest you look into using parameterized queries to prevent SQL injection attacks in SQL Server.
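The difference between the question's concatenated query and the answers' parameterized one, as an added example that is not part of the original posts. It needs no database connection; the class name, the sample inputs and the nvarchar(50) column type are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginQueryDemo
{
    // Bracket-quote the table name, since USER is a reserved word in T-SQL.
    static readonly string Table = new SqlCommandBuilder().QuoteIdentifier("user");

    // Pattern from the question: the text box content becomes part of the SQL text.
    static string BuildConcatenated(string userName)
    {
        return "select u_password from " + Table + " where u_name='" + userName + "';";
    }

    // Pattern from the answers: the SQL text is fixed and the input travels as a parameter.
    static SqlCommand BuildParameterized(string userName)
    {
        var cmd = new SqlCommand("select u_password from " + Table + " where u_name = @u_name");
        // Assumption: u_name is nvarchar(50). An explicit type avoids AddWithValue's type inference.
        cmd.Parameters.Add("@u_name", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs standing in for textBox1.Text.
        foreach (string input in new[] { "ayse", "O'Brien" })
        {
            string sql = BuildConcatenated(input);
            // An odd number of quotes means the input ended the string literal early,
            // so the server would parse part of the input as SQL rather than as a name.
            bool literalIntact = (sql.Split('\'').Length - 1) % 2 == 0;
            Console.WriteLine("concatenated : {0}  (literal intact: {1})", sql, literalIntact);

            using (SqlCommand cmd = BuildParameterized(input))
            {
                // The command text never changes; only the parameter value does.
                Console.WriteLine("parameterized: {0}  @u_name = {1}",
                    cmd.CommandText, cmd.Parameters["@u_name"].Value);
            }
        }
    }
}
```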