小弟初学asp.net
在制作登入页面时遇到了点问题,望高手指教!
// NOTE(review): the connection string hard-codes the login 'sb' with an empty password in source;
// it belongs in configuration, and that login should have only the rights this page needs.
SqlConnection db = new SqlConnection( "server=WWW-1GJV7YP3TQ2; Database=yc-hardadmin;user ID=sb;password= ");
// BUG: 'TextBox1.Text ' and 'TextBox2.Text ' sit inside the SQL string literal, so the query
// compares the columns with those fixed words, never with what the user typed. Concatenating
// TextBox1.Text / TextBox2.Text into the string instead would make the statement injectable;
// the values have to travel as SqlParameter values rather than as part of the SQL text.
string sel = "select * from hkhda where username= 'TextBox1.Text ' and pws= 'TextBox2.Text ' ";
SqlCommand com = new SqlCommand(sel, db);
db.Open();
// Neither the reader nor the connection is closed afterwards; if ExecuteReader throws,
// the open connection leaks (a using / try-finally is needed).
SqlDataReader rea = com.ExecuteReader();
// Advances to the first row; the bool it returns (true when a row exists) is discarded here.
rea.Read();
// '参数' is the asker's placeholder for "a matching row was found".
if (参数)
{
Panel1.Visible = false; // presumably the login form
Panel2.Visible = true;  // presumably the post-login view
}
................................省略
其中，若在数据库中检索到存在这一条记录，则执行大括号中的语句
Panel1.Visible = false;
Panel2.Visible = true;
------解决方案--------------------------------------------------------
上面这种写法存在严重的SQL注入漏洞,建议改为
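// Parameterized login check: user input reaches SQL Server only as parameter values, never as
// part of the statement text, so quotes or SQL keywords typed into the textboxes cannot alter
// the query.
// NOTE(review): the connection string hard-codes the login 'sb' with an empty password; keep it
// in configuration (Web.config connectionStrings) and give that login only the rights this page
// needs.
using (SqlConnection db = new SqlConnection( "server=WWW-1GJV7YP3TQ2; Database=yc-hardadmin;user ID=sb;password= "))
{
    // @username / @pws are placeholders bound below; the statement text itself is constant.
    string sel = "select * from hkhda where username= @username and pws= @pws ";
    using (SqlCommand com = new SqlCommand(sel, db))
    {
        // The parameter names must match the placeholders in 'sel' exactly. The earlier version
        // used "@UserName " / "@pws " (trailing spaces, different case) and assigned them on an
        // undeclared variable 'cmd' instead of 'com'.
        // NOTE(review): an explicit VarChar length matching the column definition would improve
        // plan reuse; the hkhda column sizes are not shown here.
        com.Parameters.Add("@username", SqlDbType.VarChar).Value = TextBox1.Text.Trim();
        // NOTE(review): the submitted password is compared with the stored pws value as-is; if
        // that column holds plaintext passwords, store a salted hash and compare hashes instead.
        com.Parameters.Add("@pws", SqlDbType.VarChar).Value = TextBox2.Text.Trim();

        db.Open();
        // 'using' disposes the reader and the connection even when ExecuteReader throws; the
        // original's trailing Close() calls were skipped on any exception, leaking the connection.
        using (SqlDataReader rea = com.ExecuteReader())
        {
            // True when at least one row matched both username and pws.
            if (rea.HasRows)
            {
                Panel1.Visible = false;
                Panel2.Visible = true;
            }
        }
    }
}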