2012-05-05 35 views
0

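Can anyone tell me what is wrong with this code? VB.NET - ASP.NET - Incorrect username/password (validation)

If the username and password do not match, the lbl text should display "Incorrect Username/Password".

Code: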

Protected Sub btnLogin_Click(sender As Object, e As System.EventArgs) Handles btnLogin.Click 

     Dim conn As New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Brian\Documents\Visual Studio 2010\WebSites\PetLandia\App_Data\db.mdb") 
     Dim cmd As OleDbCommand = New OleDbCommand("SELECT * FROM [User] where Username=? and Password=?", conn) 

     cmd.Parameters.AddWithValue("@Username", txtLogin.Text) 
     cmd.Parameters.AddWithValue("@Password", txtPassword.Text) 




     If (String.IsNullOrEmpty(txtLogin.Text)) Or (String.IsNullOrEmpty(txtPassword.Text)) Then 

      lblLoginError.Text = "One or more fields are empty. Please fill in all the fields" 
      lblLoginError.Visible = True 

     Else 

      conn.Open() 
      Dim read As OleDbDataReader = cmd.ExecuteReader() 

      Try 

       If read.HasRows Then 

        While read.Read() 

         If txtLogin.Text = read.Item("username").ToString And txtPassword.Text = read.Item("password").ToString Then 


          Dim tUsername As String = read.Item("Username").ToString 

          Session("Username") = tUsername 
          Response.Redirect("Default.aspx") 


         End If 
        End While 
       End If 

       read.Close() 
      Catch ex As Exception 
       Response.Write(ex.Message()) 
       lblLoginError.Text = "Incorrect Username/Password." 
       lblLoginError.Visible = True 

      Finally 
       conn.Close() 
      End Try 


     End If 

    End Sub 
+0

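Off topic, but things to consider in your code: **1.** Always `dispose` your objects. **2.** Never redirect before closing an open connection to the database. **3.** Always put database code in its own method and, if you can, in its own layer. **On topic:** what is the value of `ex.Message()`? – balexandre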

+0

In addition to balexandre: 1. Don't roll your own security. 2. Don't store passwords in plain text. – Thomas

Answers

1

You can try this code. This code has no Try/Catch block.

Protected Sub btnLogin_Click(sender As Object, e As System.EventArgs) Handles btnLogin.Click 

     If (String.IsNullOrEmpty(txtLogin.Text)) Or (String.IsNullOrEmpty(txtPassword.Text)) Then 
      lblLoginError.Text = "One or more fields are empty. Please fill in all the fields" 
      lblLoginError.Visible = True 

     Else 
      Dim conn As New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Brian\Documents\Visual Studio 2010\WebSites\PetLandia\App_Data\db.mdb") 
      Dim cmd As OleDbCommand = New OleDbCommand("SELECT * FROM [User] where Username=? and Password=?", conn) 
      cmd.Parameters.AddWithValue("@Username", txtLogin.Text) 
      cmd.Parameters.AddWithValue("@Password", txtPassword.Text) 
      conn.Open() 
      Dim read As OleDbDataReader = cmd.ExecuteReader()  
        If read.HasRows Then 
         read.Read() 
         Session("Username") = read.Item("Username").ToString 
         read.Close() 
         conn.Close() 'Close connection before Redirecting. 
         Response.Redirect("Default.aspx")  
        Else 
         read.Close() 
         conn.Close() 
         lblLoginError.Text = "Incorrect Username/Password." 
         lblLoginError.Visible = True 

        End If 
      End If 
     End Sub 
+0

No, this doesn't work. It still shows the first error message! – Brian

+0

I mean "One or more fields are empty. Please fill in all the fields". No matter what I do, it still shows that one. – Brian

+1

lblLoginError.Visible = false; Try putting this in your page_load (if you haven't already) – Thousand

2

Instead of the catch, write an Else for the if statement

+0

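I had marked your answer as useful before you changed it to the inner If statement. ITYM the If statement that checks read.HasRows: if there is no matching entry, it will have no rows. –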

+0

@AndrewMorton Yeah, you will have to check both. That's why I changed it to "the if statement" – Magnus

0

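The way you wrote it, "Incorrect Username/Password" will only be displayed if an exception is thrown.

If you want to use the code as you wrote it, add an Else: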

If txtLogin.Text = read.Item("username").ToString And txtPassword.Text = read.Item("password").ToString Then

    Dim tUsername As String = read.Item("Username").ToString

    Session("Username") = tUsername
    Response.Redirect("Default.aspx")
Else
    Throw New Exception("Incorrect Username/Password")
End If
1

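You don't have to return the username and password from the database, because you already have them. You only need to count the matching entries. This simplifies it a lot. Also, as jams showed, it's best to test the values of the username and password fields before doing anything with the database: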

If (String.IsNullOrEmpty(txtLogin.Text)) OrElse (String.IsNullOrEmpty(txtPassword.Text)) Then 

    lblLoginError.Text = "One or more fields are empty. Please fill in all the fields" 
    lblLoginError.Visible = True 

Else 

    Dim ok As Integer = 0 

    Using conn = New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Brian\Documents\Visual Studio 2010\WebSites\PetLandia\App_Data\db.mdb") 
     Dim cmd As OleDbCommand = New OleDbCommand("SELECT COUNT(*) FROM [User] where Username=? and Password=?", conn) 

     cmd.Parameters.AddWithValue("@Username", txtLogin.Text) 
     cmd.Parameters.AddWithValue("@Password", txtPassword.Text) 

     conn.Open() 
     ok = CInt(cmd.ExecuteScalar()) 
     conn.Close() 
    End Using 

    If ok = 0 Then 
     ' credentials incorrect 
    Else 
     ' credentials correct 
    End If 

End If 
+0

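Same problem as with what was posted. I just replaced the incorrect redirect label with the correct one – Brian

+0

@Brian Then txtLogin.Text or txtPassword.Text is null or empty. Are these controls generated at runtime? –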

+0

No, when the button is clicked, I guess – Brian

0
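  1. You decided to roll your own security, which leads to..
  2. You appear to be storing passwords in plain text, which is a huge security hole and a potential source of liability.
  3. If read.HasRows will be false when the passed username and password do not exist in the database. That is, it will not throw an exception, it will simply return no rows.
  4. You are not calling Dispose on your disposable objects.
  5. It would be faster to use Select Count(*) and simply call ExecuteScalar to see whether the result is greater than zero.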

Dim authenticationFailed As Boolean = String.IsNullOrEmpty(txtLogin.Text) _ 
    OrElse String.IsNullOrEmpty(txtPassword.Text) 

If Not authenticationFailed Then 
    Dim connString = "Provider=Microsoft.Jet.OLEDB.4.0..." 
    Using conn = New OleDbConnection(connString) 
     Const sql As String = "Select Count(*) From [User] Where Username=? and Password=?" 
     conn.Open() 
     Using cmd = New OleDbCommand(sql, conn) 
      cmd.Parameters.AddWithValue("@Username", txtLogin.Text) 
      cmd.Parameters.AddWithValue("@Password", txtPassword.Text) 

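      ' Declared outside the Try so it is still in scope for the check below.
      Dim result As Object = Nothing
      Try 
       ' ExecuteScalar takes no arguments; the Using block closes the connection.
       result = cmd.ExecuteScalar() 
      Catch ex As OleDbException 
       authenticationFailed = True 
      End Try 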

      authenticationFailed = authenticationFailed _ 
       OrElse Convert.ToInt32(result) <> 1 

      If Not authenticationFailed Then 
       Session("Username") = txtLogin.Text 
      End If 
     End Using 

     conn.Close() 
    End Using 
End If 

If authenticationFailed Then 
    lblLoginError.Text = "Incorrect username and password" 
    lblLoginError.Visible = True 
End If
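
The plain-text password point raised in the comments and in the last answer, shown as an added example that is not code from any post on this page: the table stores a per-user salt and a PBKDF2 hash, and the login looks the row up by username only and verifies the hash in code. The `PasswordStore` module, the `PasswordSalt` and `PasswordHash` columns and the iteration count are assumptions; the `Rfc2898DeriveBytes` overload used requires .NET Framework 4.7.2 or later.

```vb
Imports System
Imports System.Data.OleDb
Imports System.Security.Cryptography

' Added example. Assumed schema (not on the page): [User] has PasswordSalt and
' PasswordHash text columns (Base64) instead of a plain-text Password column.
Public Module PasswordStore
    Private Const SaltSize As Integer = 16        ' bytes
    Private Const HashSize As Integer = 32        ' bytes
    Private Const Iterations As Integer = 100000  ' assumed work factor; tune per server

    ' Registration / password change: returns {salt, hash} as Base64 strings.
    Public Function CreateHash(password As String) As String()
        Dim salt(SaltSize - 1) As Byte
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Using kdf = New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return {Convert.ToBase64String(salt), Convert.ToBase64String(kdf.GetBytes(HashSize))}
        End Using
    End Function

    Public Function Verify(password As String, saltB64 As String, hashB64 As String) As Boolean
        Dim expected = Convert.FromBase64String(hashB64)
        If expected.Length = 0 Then Return False
        Using kdf = New Rfc2898DeriveBytes(password, Convert.FromBase64String(saltB64), Iterations, HashAlgorithmName.SHA256)
            Dim actual = kdf.GetBytes(expected.Length)
            Dim diff As Integer = 0
            For i = 0 To expected.Length - 1   ' compare every byte, no early exit
                diff = diff Or (actual(i) Xor expected(i))
            Next
            Return diff = 0
        End Using
    End Function

    ' Login: look the row up by username only, then verify the hash in code.
    Public Function CheckLogin(conn As OleDbConnection, username As String, password As String) As Boolean
        Using cmd = New OleDbCommand("SELECT PasswordSalt, PasswordHash FROM [User] WHERE Username=?", conn)
            cmd.Parameters.AddWithValue("@Username", username)
            Using reader = cmd.ExecuteReader()
                If Not reader.Read() Then Return False
                Return Verify(password, reader.GetString(0), reader.GetString(1))
            End Using
        End Using
    End Function

    Sub Main()   ' round trip on a constructed sample password, no database needed
        Dim stored = CreateHash("constructed-sample-password")
        Console.WriteLine("{0} {1}", Verify("constructed-sample-password", stored(0), stored(1)), Verify("wrong-guess", stored(0), stored(1)))
    End Sub
End Module
```

`CheckLogin` expects an already opened connection; the caller keeps the `Using conn` block and the single "Incorrect username and password" message from the answers above.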