如果用户名和密码与数据库不匹配,如何在c# Xaml表单中给出错误代码呢?
本文关键字:表单 Xaml 错误代码 密码 用户 数据库 不匹配 如果 | 更新日期: 2023-09-27 17:54:32
我已经能够连接到我的数据库,但是当我试图通过写入错误的用户名或密码来创建错误时,没有弹出任何内容(例如"输入错误的密码")。此外,我试图用@username为用户文本框准备语句,但我不确定这是否真的停止了c#的SQL注入。
//XAml
<TextBox x:Name="textUser" HorizontalAlignment="Left" Height="23" Margin="201,103,0,0" TextWrapping="Wrap" Text="" VerticalAlignment="Top" Width="120"/>
<PasswordBox x:Name="txt_passwordBox" Margin="201,152,196,0" VerticalAlignment="Top" Height="23" KeyDown="txt_passwordBox_KeyDown" PasswordChar="$"/>
//C# code
using MySql.Data.MySqlClient;
//click login button
private void button_Click(object sender, RoutedEventArgs e)
{
if (textUser.Text != "" & txt_passwordBox.Password != "")
{
server = "54.12.23.11";
database = "databasetest";
uid = "username";
password = "password";
string connectionString;
connectionString = "server=" + server + ";" + "user=" + uid+ ";" + "database=" + database + ";port=3306;" + "password=" + password + ";";
MySqlConnection conn = new MySqlConnection(connectionString);
try
{
conn.Open();//connect to mysql
string sql = "SELECT user, pass FROM users WHERE user=@username and pass=@password";
MySqlCommand cmd = new MySqlCommand(sql, conn);
string username1 = textUser.Text;
string password1 = txt_passwordBox.Password;
cmd.Parameters.AddWithValue("@username", username1);
cmd.Parameters.AddWithValue("@password", password1);
MySqlDataReader rdr = cmd.ExecuteReader();
while (rdr.Read())
{
if (Convert.ToString(rdr["password"]) != password1)
{
MessageBox.Show("Wrong password");
}
else if (Convert.ToString(rdr["username"]) != username1)
{
MessageBox.Show("Wrong Username");
}
else if ((Convert.ToString(rdr["username"]) != username1) && (Convert.ToString(rdr["password"]) != password1))
{
MessageBox.Show("Wrong Username or Password");
}
else
{
//textError.Text = (rdr["username"] + " --- " + rdr["password"]);
loggedinwindowpumpkin window = new loggedinwindowpumpkin();
this.Close();
window.ShowDialog();
// }
}
rdr.Close();
}
}
catch (Exception)
{
MessageBox.Show("Error Connecting.... Check Network Settings, Close and try again");
// MessageBox.Show(ex.ToString());
}
finally
{
//MessageBox.Show("Wrong User or Password");
}
conn.Close();
//MessageBox.Show("Connected to Database.");
}
}//end button_Click
正如我在评论中已经说过的,你没有得到任何结果。
这个应该能奏效:
using (var conn = new MySqlConnection(connectionString))
{
try
{
conn.Open();//connect to mysql
string sql = "SELECT user, pass FROM users WHERE user=@username and pass=@password";
using (var cmd = new MySqlCommand(sql, conn))
{
string username1 = textUser.Text;
string password1 = txt_passwordBox.Password;
cmd.Parameters.AddWithValue("@username", username1);
cmd.Parameters.AddWithValue("@password", password1);
using (var rdr = cmd.ExecuteReader())
{
if (!rdr.HasRows)
{
MessageBox.Show("Wrong Username or Password");
return;
}
while (rdr.Read())
{
if (Convert.ToString(rdr["password"]) != password1)
{
MessageBox.Show("Wrong password");
}
else if (Convert.ToString(rdr["username"]) != username1)
{
MessageBox.Show("Wrong Username");
}
else if ((Convert.ToString(rdr["username"]) != username1) && (Convert.ToString(rdr["password"]) != password1))
{
MessageBox.Show("Wrong Username or Password");
}
else
{
//textError.Text = (rdr["username"] + " --- " + rdr["password"]);
loggedinwindowpumpkin window = new loggedinwindowpumpkin();
this.Close();
window.ShowDialog();
// }
}
}
}
}
}
catch (Exception)
{
MessageBox.Show("Error Connecting.... Check Network Settings, Close and try again");
// MessageBox.Show(ex.ToString());
}
finally
{
//MessageBox.Show("Wrong User or Password");
}
}
如果您真的想保护您的查询,您必须传递参数的数据类型。否则,它只是在您的查询中替换占位符。
string sql = "SELECT user, pass FROM users WHERE user=@username and pass=@password";
MySqlCommand cmd = new MySqlCommand(sql, conn);
string username1 = textUser.Text;
string password1 = txt_passwordBox.Password;
cmd.Parameters.Add(new SqlParameter("@username", username1));
cmd.Parameters.Add(new SqlParameter("@password", password1));
SqlParameter类实例的默认数据类型是DbType.NVarChar。如果你想指定其他数据类型,你必须这样做:
cmd.Parameters.Add(new SqlParameter("@password", DbType.NVarChar){Value = username1});
如果我错了,请纠正我,但这就是我学会做的。
问题是您正在选择user和pass,其中user = input和pass = input,然后您执行while(rdr.read())。比如你有table:
|User | PW|
|user1| 1 |
|user2| 2 |
|user3| 3 |
所以现在,如果我把Username: user1和Password: 2,它会尝试从数据库中选择user = user1 and password = 2,在这个表中,我没有,所以它不会输入while(rdr.read()),所以它会跳过它,你不做任何事情,如果它不读取。
我建议你选择username, password where user = inputed user,然后检查是否选择的密码=输入的密码
就像这样:
string sqlcommand = "SELECT user, pass FROM users WHERE user=@username";
//do all code for command, con and parameters
while (rdr.Read())
{
//store username and password
}
if(storedPassword == inputedPassword)
{
loggedinwindowpumpkin window = new loggedinwindowpumpkin();
this.Close();
window.ShowDialog();
}
else
{
//wrong password message
}
还可以检查阅读器是否读取了用户名,如果不显示未知用户的消息