2013-09-16 172 views
3

我正在嘗試爲Windows窗體應用程序項目製作登錄工具。我使用Visual Studio 2010和MS SQL Server 2008的從Sql Server 2008獲取數據與C#

我引用這篇文章: http://www.codeproject.com/Articles/4416/Beginners-guide-to-accessing-SQL-Server-through-C

,這裏是我的數據庫表命名用戶: enter image description here

TextBox1用戶名TextBox2用於用戶密碼Button1用於開始登錄過程。這裏是我的Button1_Click方法的代碼:

private void button1_Click(object sender, EventArgs e) 
{ 
    string kullaniciAdi; // user name 
    string sifre; // password 

    SqlConnection myConn = new SqlConnection(); 
    myConn.ConnectionString = "Data Source=localhost; database=EKS; uid=sa; pwd=123; connection lifetime=20; connection timeout=25; packet size=1024;"; 
    myConn.Open(); 
    try 
    { 
     SqlDataReader myReader; 
     string myQuery = ("select u_password from user where u_name='" + textBox1.Text + "';"); 
     SqlCommand myCommand = new SqlCommand(myQuery,myConn); 
     myReader = myCommand.ExecuteReader(); 
     while (myReader.Read()) 
     { 
      sifre = myReader["u_password"].ToString(); 
     } 
    } 
    catch (Exception x) 
    { 
     MessageBox.Show(x.ToString()); 
    } 
    myConn.Close(); 
} 

我沒有與C#太多的經驗,但我想我失去了一些東西小做是正確的。下面我分享我抓住的異常信息。你能告訴我我失蹤了嗎? (33行是myReader = myCommand.ExecuteReader();

enter image description here

Considerin給出答案,我更新了我的try塊在下面,但它仍然無法正常工作。

try 
{ 
    SqlDataReader myReader; 
    string myQuery = ("select u_password from [user] where [email protected]"); 
    SqlCommand myCommand = new SqlCommand(myQuery, myConn); 
    myCommand.Parameters.AddWithValue("@user", textBox1.Text); 
    myReader = myCommand.ExecuteReader(); 
    while (myReader.Read()) 
    { 
     sifre = myReader["u_password"].ToString(); 
    } 

    if (textBox2.Text.Equals(sifre)) 
    { 
     Form2 admnPnl = new Form2(); 
     admnPnl.Show(); 
    } 
} 

按正弦的建議改變如下整個代碼後,截圖也低於: ,我想,不知何故,我不能在數據庫字符串sifre分配密碼。

代碼:

string sifre = ""; 
var builder = new SqlConnectionStringBuilder(); 
builder.DataSource = "localhost"; 
builder.InitialCatalog = "EKS"; 
builder.UserID = "sa"; 
builder.Password = "123"; 

using (var conn = new SqlConnection(builder.ToString())) 
{ 
    using (var cmd = new SqlCommand()) 
    { 
     cmd.Connection = conn; 
     cmd.CommandText = "select u_password from [user] where u_name = @u_name"; 
     cmd.Parameters.AddWithValue("@u_name", textBox1.Text); 
     conn.Open(); 

     using (var reader = cmd.ExecuteReader()) 
     { 
      while (reader.Read()) 
      { 
       var tmp = reader["u_password"]; 
       if (tmp != DBNull.Value) 
       { 
        sifre = reader["u_password"].ToString(); 
       } 
      } 

      if (textBox2.Text.Equals(sifre)) 
      { 
       try 
       { 
        AdminPanel admnPnl = new AdminPanel(); 
        admnPnl.Show(); 
       } 
       catch (Exception y) 
       { 
        MessageBox.Show(y.ToString()); 
       } 
      } 
      else 
      { 
       MessageBox.Show("incorrect password!"); 
      } 
     } 
    } 
} 

enter image description here

+0

嗨,我附加它作爲圖像。在我的問題結尾 –

+0

嘗試將'FROM user'更改爲'FROM EKS.dbo.user' – makciook

+3

您應該使用Parameters for Queries !!! – makim

回答

2

試圖把用戶變成[],因爲它是一個reseved關鍵字在T-SQL和使用參數,您的代碼是開放的SQL注入!

private void button1_Click(object sender, EventArgs e) 
{ 
    var builder = new SqlConnectionStringBuilder(); 
    builder.DataSource = "servername"; 
    builder.InitialCatalog = "databasename"; 
    builder.UserID = "username"; 
    builder.Password = "yourpassword"; 

    using(var conn = new SqlConnection(builder.ToString())) 
    { 
     using(var cmd = new SqlCommand()) 
     { 
      cmd.Connection = conn; 
      cmd.CommandText = "select u_password from [user] where u_name = @u_name"; 
      cmd.Parameters.AddWithValue("@u_name", textBox1.Text); 
      conn.Open(); 

      using(var reader = cmd.ExecuteReader()) 
      { 
       while (reader.Read()) 
       { 
        var tmp = reader["u_password"]; 
        if(tmp != DBNull.Value) 
        { 
         sifre = reader["u_password"].ToString(); 
        } 
       } 
      } 
     } 
    } 
} 
+0

我根據您的建議修改了我的代碼,但它不起作用。你能檢查我的嘗試塊的最新狀態嗎?它在我的文章結尾。我找不到我想要的東西 –

+0

你仍然得到相同的異常或不同的異常嗎? – makim

+1

雖然我不知道是什麼導致問題,我已經更新了我的答案嘗試此代碼,如果它不工作,更新您的問題與異常(如果它不像以前一樣) – makim

1

User是SQL保留關鍵字,你需要這樣做:

select u_password from [user] where [email protected] 

與以往一樣,基本的SQL問題,您應該始終使用使用參數化查詢來防止人們通過te在數據庫上運行任何舊命令xtbox。

SqlCommand myCommand = new SqlCommand(myQuery,myConn); 
myCommand.Parameters.AddWithValue("@user", textBox1.Text); 
1

用戶在T-SQL

嘗試把[]周圍保留字保留字。

string myQuery = ("select u_password from [user] where u_name='" + textBox1.Text + "';"); 
4

User是在T-SQL中reserved keyword。您應該將它與方括號[User]一起使用。

而你應該使用parameterized sql來代替。這種字符串連接對於SQL Injection攻擊是開放的。

string myQuery = "select u_password from [user] where [email protected]"; 
SqlCommand myCommand = new SqlCommand(myQuery,myConn); 
myCommand.Parameters.AddWithValue("@user", textBox1.Text); 

作爲一般recomendation,不使用保留關鍵字爲你的標識符和數據庫中的對象的名稱。

相關問題