2016-07-12 71 views
-1

Hi, I am trying to change a password so that the user's password is updated in the database. For example, I want user Mary Tan's password to change from 12345 to 54321. But it affects the passwords of all the other users as well. I really don't know how to fix it. Change password problem in ASP.Net


My code:

protected void btnChangePassword_Click(object sender, EventArgs e)
{
    SqlDataReader dr = null;

    connectionString = ConfigurationManager.ConnectionStrings["LeaveManagementCS"].ConnectionString;

    conn = new SqlConnection(connectionString);

    // column name "Password" is assumed; this token was garbled in the posted copy
    string sql = "UPDATE Staff Set Password=@NewPwd";

    // the WHERE clause is only appended when the session holds a user name
    if (Session["Username"] != null)
    {
        sql += " WHERE UserName='" + Session["Username"].ToString() + "'";
    }

    string newPwd = tbNewPassword.Text;

    try
    {
        cmd = new SqlCommand(sql, conn);

        cmd.Parameters.AddWithValue("@NewPwd", tbNewPassword.Text);

        conn.Open();

        dr = cmd.ExecuteReader();

        while (dr.Read())
        {
            if ((tbNewPassword.Text == dr["newPwd"].ToString()))
            {

            }
        }

        dr.Close();

        int rows = cmd.ExecuteNonQuery();

        if (rows > 0)
        {
            lblOutput.ForeColor = System.Drawing.Color.Green;
            lblOutput.Text = "Password has been changed successfully";
        }
        else
        {
            lblOutput.ForeColor = System.Drawing.Color.Red;
            lblOutput.Text = "Password does not match with our database records.";
        }
    }
    catch (Exception ex)
    {
        lblOutput.Text = "Error Message: " + ex.Message;
    }
    finally
    {
        if (conn != null)
            conn.Close();
    }
}
+0

Check Session["Username"]; I think that condition is false. – Sami

+0

Session["Username"] is null, most likely. Verify whether it has a value. –

+1

This code is open to SQL injection attacks. – Ash

Answers

0

That means your Session["Username"] is null at the moment of execution, so the WHERE condition is skipped and every row is updated. What is the reader doing there? It is not necessary; ExecuteNonQuery is enough to do the job, and it returns the number of affected rows. So you can do it like this:

string connectionString = ConfigurationManager.ConnectionStrings["LeaveManagementCS"].ConnectionString;
if (Session["Username"] != null)
{
    // column name "Password" is assumed; the token was garbled in the posted copy.
    // Both values are bound as parameters, so nothing from the page is concatenated into the SQL.
    string sql = "UPDATE Staff Set Password=@NewPwd WHERE UserName=@Username";
    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        conn.Open();
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@NewPwd", tbNewPassword.Text);
            cmd.Parameters.AddWithValue("@Username", Session["Username"]);
            int rows = cmd.ExecuteNonQuery(); // number of rows the UPDATE touched
            if (rows > 0)
            {
                lblOutput.ForeColor = System.Drawing.Color.Green;
                lblOutput.Text = "Password has been changed successfully";
            }
            else
            {
                lblOutput.ForeColor = System.Drawing.Color.Red;
                lblOutput.Text = "Password does not match with our database records.";
            }
        }
    }
}
else
{
    // Show message that Session is empty; can't proceed
}

Important note: don't save passwords as plain text. Hash and salt them.
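As an added example (not code from the question or from either answer), the following combines the points above: it refuses to run when the session holds no user name instead of silently building an UPDATE without a WHERE clause, it binds both values as typed parameters so nothing is concatenated into the SQL, and it stores a PBKDF2-SHA256 hash with a per-user random salt rather than the plain password. The column names PasswordHash and PasswordSalt, the parameter sizes and the iteration count are assumptions; the question only shows the Staff table's UserName column.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class PasswordChanger
{
    private const int SaltSize = 16;        // bytes of random salt per user (assumed)
    private const int HashSize = 32;        // PBKDF2 output length in bytes (assumed)
    private const int Iterations = 100000;  // assumed work factor; tune for your hardware

    // Derives a PBKDF2-SHA256 hash of the password under a fresh random salt.
    // The HashAlgorithmName overload needs .NET Framework 4.7.2+ or .NET Core.
    public static void HashPassword(string password, out byte[] salt, out byte[] hash)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, SaltSize, Iterations, HashAlgorithmName.SHA256))
        {
            salt = kdf.Salt;
            hash = kdf.GetBytes(HashSize);
        }
    }

    // Recomputes the hash under the stored salt and compares in constant time,
    // so a login check does not leak how many leading bytes matched.
    public static bool VerifyPassword(string password, byte[] salt, byte[] expectedHash)
    {
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            actual = kdf.GetBytes(expectedHash.Length);
        }
        int diff = 0;
        for (int i = 0; i < actual.Length; i++)
            diff |= actual[i] ^ expectedHash[i];
        return diff == 0;
    }

    // Updates one user's stored hash and salt and returns the number of rows affected.
    // userName comes from the session; if it is missing we throw rather than run an
    // UPDATE with no WHERE clause, which is what overwrote every row in the question.
    public static int ChangePassword(string connectionString, string userName, string newPassword)
    {
        if (string.IsNullOrEmpty(userName))
            throw new InvalidOperationException("No logged-in user; refusing to update without a WHERE clause.");
        if (string.IsNullOrEmpty(newPassword))
            throw new ArgumentException("New password must not be empty.", "newPassword");

        byte[] salt, hash;
        HashPassword(newPassword, out salt, out hash);

        // Column names PasswordHash and PasswordSalt are assumed. The WHERE clause is part
        // of the constant SQL text, never appended conditionally.
        const string sql =
            "UPDATE Staff SET PasswordHash = @Hash, PasswordSalt = @Salt WHERE UserName = @UserName";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: the values are bound, never concatenated into the SQL string.
            cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, HashSize).Value = hash;
            cmd.Parameters.Add("@Salt", SqlDbType.VarBinary, SaltSize).Value = salt;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            return cmd.ExecuteNonQuery();   // 1 on success, 0 if the user name is unknown
        }
    }
}
```

In the click handler this becomes `int rows = PasswordChanger.ChangePassword(connectionString, Session["Username"] as string, tbNewPassword.Text);` followed by the existing green/red label logic. Note that a return value of 0 only means no row with that UserName exists; since the UPDATE never compares the old password, a "does not match our records" message would be misleading for that case.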

0

Change your method like this (check the session at the start):

protected void btnChangePassword_Click(object sender, EventArgs e)
{
    if (Session["Username"] == null)
    {
        // User is not logged in. Display message or handle
        return;
    }
    SqlDataReader dr = null;
    connectionString = ConfigurationManager.ConnectionStrings["LeaveManagementCS"].ConnectionString;
    conn = new SqlConnection(connectionString);
    // column name "Password" is assumed; the token was garbled in the posted copy
    string sql = "UPDATE Staff Set Password=@NewPwd Where UserName = @UserName";

    string newPwd = tbNewPassword.Text;

    try
    {
        cmd = new SqlCommand(sql, conn);

        cmd.Parameters.AddWithValue("@NewPwd", tbNewPassword.Text);
        cmd.Parameters.AddWithValue("@UserName", Session["Username"].ToString());

        conn.Open();

        // note: ExecuteReader already executes the UPDATE; ExecuteNonQuery below runs it a second time
        dr = cmd.ExecuteReader();

        while (dr.Read())
        {
            if ((tbNewPassword.Text == dr["newPwd"].ToString()))
            {

            }
        }

        dr.Close();

        int rows = cmd.ExecuteNonQuery();

        if (rows > 0)
        {
            lblOutput.ForeColor = System.Drawing.Color.Green;
            lblOutput.Text = "Password has been changed successfully";
        }
        else
        {
            lblOutput.ForeColor = System.Drawing.Color.Red;
            lblOutput.Text = "Password does not match with our database records.";
        }
    }
    catch (Exception ex)
    {
        lblOutput.Text = "Error Message: " + ex.Message;
    }
    finally
    {
        if (conn != null)
            conn.Close();
    }
}
+0

Glad if it helped you. – Sami

+0

What is the purpose of 'cmd.ExecuteReader();'? –