如果用户名和密码与数据库不匹配,如何在c# Xaml表单中给出错误代码呢?

本文关键字:表单 Xaml 错误代码 密码 用户 数据库 不匹配 如果 | 更新日期: 2023-09-27 17:54:32

我已经能够连接到我的数据库,但是当我试图通过写入错误的用户名或密码来创建错误时,没有弹出任何内容(例如"输入错误的密码")。此外,我试图用@username为用户文本框准备语句,但我不确定这是否真的停止了c#的SQL注入。

//XAml
    <TextBox x:Name="textUser" HorizontalAlignment="Left" Height="23" Margin="201,103,0,0" TextWrapping="Wrap" Text="" VerticalAlignment="Top" Width="120"/>
    <PasswordBox x:Name="txt_passwordBox" Margin="201,152,196,0" VerticalAlignment="Top" Height="23" KeyDown="txt_passwordBox_KeyDown" PasswordChar="$"/>

//C# code
    using MySql.Data.MySqlClient;
    //click login button
    private void button_Click(object sender, RoutedEventArgs e)
    {

        if (textUser.Text != "" & txt_passwordBox.Password != "")
            {
                server = "54.12.23.11";
                database = "databasetest";
                uid = "username";
                password = "password";
                string connectionString;
                connectionString = "server=" + server + ";" + "user=" + uid+ ";" + "database=" + database + ";port=3306;" + "password=" + password + ";";
            MySqlConnection conn = new MySqlConnection(connectionString);
            try
            {
                conn.Open();//connect to mysql
                string sql = "SELECT user, pass FROM users WHERE user=@username and pass=@password";
                MySqlCommand cmd = new MySqlCommand(sql, conn);
                string username1 = textUser.Text;
                string password1 = txt_passwordBox.Password;
                cmd.Parameters.AddWithValue("@username", username1);
                cmd.Parameters.AddWithValue("@password", password1);
                MySqlDataReader rdr = cmd.ExecuteReader();
                while (rdr.Read())
                {

                    if (Convert.ToString(rdr["password"]) != password1)
                    {
                        MessageBox.Show("Wrong password");
                    }
                    else if (Convert.ToString(rdr["username"]) != username1)
                    {
                        MessageBox.Show("Wrong Username");
                    }
                    else if ((Convert.ToString(rdr["username"]) != username1) && (Convert.ToString(rdr["password"]) != password1))
                    {
                        MessageBox.Show("Wrong Username or Password");
                    }
                    else
                    {
                        //textError.Text = (rdr["username"] + " --- " + rdr["password"]);
                        loggedinwindowpumpkin window = new loggedinwindowpumpkin();
                        this.Close();
                        window.ShowDialog();
                        // }
                    }
                    rdr.Close();
                }
            }
            catch (Exception)
            {
                MessageBox.Show("Error Connecting.... Check Network Settings, Close and try again");
                // MessageBox.Show(ex.ToString());
            }
            finally
            {
                //MessageBox.Show("Wrong User or Password");
            }
            conn.Close();
            //MessageBox.Show("Connected to Database.");
        }
    }//end button_Click

如果用户名和密码与数据库不匹配,如何在c# Xaml表单中给出错误代码呢?

正如我在评论中已经说过的,你没有得到任何结果。

这个应该能奏效:

using (var conn = new MySqlConnection(connectionString))
            {
                try
                {
                    conn.Open();//connect to mysql
                    string sql = "SELECT user, pass FROM users WHERE user=@username and pass=@password";
                    using (var cmd = new MySqlCommand(sql, conn))
                    {
                        string username1 = textUser.Text;
                        string password1 = txt_passwordBox.Password;
                        cmd.Parameters.AddWithValue("@username", username1);
                        cmd.Parameters.AddWithValue("@password", password1);
                        using (var rdr = cmd.ExecuteReader())
                        {
                            if (!rdr.HasRows)
                            {
                                MessageBox.Show("Wrong Username or Password");
                                return;
                            }
                            while (rdr.Read())
                            {
                                if (Convert.ToString(rdr["password"]) != password1)
                                {
                                    MessageBox.Show("Wrong password");
                                }
                                else if (Convert.ToString(rdr["username"]) != username1)
                                {
                                    MessageBox.Show("Wrong Username");
                                }
                                else if ((Convert.ToString(rdr["username"]) != username1) && (Convert.ToString(rdr["password"]) != password1))
                                {
                                    MessageBox.Show("Wrong Username or Password");
                                }
                                else
                                {
                                    //textError.Text = (rdr["username"] + " --- " + rdr["password"]);
                                    loggedinwindowpumpkin window = new loggedinwindowpumpkin();
                                    this.Close();
                                    window.ShowDialog();
                                    // }
                                }
                            }
                        }
                    }
                }
                catch (Exception)
                {
                    MessageBox.Show("Error Connecting.... Check Network Settings, Close and try again");
                    // MessageBox.Show(ex.ToString());
                }
                finally
                {
                    //MessageBox.Show("Wrong User or Password");
                }
            }

如果您真的想保护您的查询,您必须传递参数的数据类型。否则,它只是在您的查询中替换占位符。

string sql = "SELECT user, pass FROM users WHERE user=@username and pass=@password";
MySqlCommand cmd = new MySqlCommand(sql, conn);
string username1 = textUser.Text;
string password1 = txt_passwordBox.Password;
cmd.Parameters.Add(new SqlParameter("@username", username1));
cmd.Parameters.Add(new SqlParameter("@password", password1));

SqlParameter类实例的默认数据类型是DbType.NVarChar。如果你想指定其他数据类型,你必须这样做:

cmd.Parameters.Add(new SqlParameter("@password", DbType.NVarChar){Value = username1});

如果我错了,请纠正我,但这就是我学会做的。

问题是您正在选择user和pass,其中user = input和pass = input,然后您执行while(rdr.read())。比如你有table:

|User | PW|
|user1| 1 |
|user2| 2 |
|user3| 3 |

所以现在,如果我把Username: user1Password: 2,它会尝试从数据库中选择user = user1 and password = 2,在这个表中,我没有,所以它不会输入while(rdr.read()),所以它会跳过它,你不做任何事情,如果它不读取。

我建议你选择username, password where user = inputed user,然后检查是否选择的密码=输入的密码

就像这样:

string sqlcommand = "SELECT user, pass FROM users WHERE user=@username";
//do all code for command, con and parameters
while (rdr.Read())
{
    //store username and password
}
if(storedPassword == inputedPassword)
{
    loggedinwindowpumpkin window = new loggedinwindowpumpkin();
                    this.Close();
                    window.ShowDialog();
}
else
{
    //wrong password message
}

还可以检查阅读器是否读取了用户名,如果不显示未知用户的消息