我对C#中的会话有问题

本文关键字:会话 有问题 我对 | 更新日期: 2023-09-27 18:29:12

我用"用户名"answers"密码"登录页面,然后到达订单页面并在会话中添加用户名。在订单页面上,我想显示用户客户ID。因此,我使用sql中的用户名来获得字符串中的客户ID。但是,我拿不到。

登录页面

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Data;
    using System.Data.SqlClient;
    namespace SalesSystem
{
    public partial class Login : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }
        protected void btnlogin_Click(object sender, EventArgs e)
        {
            string username = txtname.Text;
            string password = txtpassword.Text;
            try
            {
                string connectionString = "Data Source=(local);Initial Catalog=MOE;Integrated Security=True";
                SqlConnection mysqlConnection = new SqlConnection(connectionString);
                SqlCommand cmd = new SqlCommand();
                cmd.Connection = mysqlConnection;
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.CommandText = "get_cus_001";
                cmd.Parameters.AddWithValue("@cName", username);
                cmd.Parameters.AddWithValue("@cPsw", password);
                mysqlConnection.Open();
                cmd.ExecuteNonQuery();
                SqlDataAdapter adp = new SqlDataAdapter();
                adp.SelectCommand = cmd;
                DataTable dt = new DataTable();
                adp.Fill(dt);
                if (dt.Rows.Count > 0)
                {
                    Session["customername"] = username;
                    Label3.Text = "Success";                       
                    Response.Redirect("Order.aspx");
                }
                else
                {
                    Label3.Text = "Fail";
                }
                //mysqlConnection.Close();
            }
            catch (Exception ex)
            {
                Label3.Text = ex.Message;
            }

        }
    }
}

订单页面

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
namespace SalesSystem
{
    public partial class Order : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {

            String customername = (String)Session["customername"];
            txtorderdate.Text = customername;
            SqlConnection connn = new SqlConnection();
            connn.ConnectionString = "Data Source=(local);Initial Catalog=MOE;Integrated Security=True";
            connn.Open();
            SqlCommand res = new SqlCommand("Select CustomerID from Customer where Customername ="+customername +"", connn);
            SqlDataAdapter adp = new SqlDataAdapter();
            adp.SelectCommand = res;
            DataTable dt = new DataTable();
            adp.Fill(dt);
            txtcustomerid.Text = dt.Rows[0]["CustomerID"].ToString();
            try
            {
                if (!IsPostBack)
                {
                    SqlConnection conn = new SqlConnection();
                    conn.ConnectionString = "Data Source=(local);Initial Catalog=MOE;Integrated Security=True";
                    conn.Open();
                    SqlCommand da = new SqlCommand("Select Itemid,ItemName from Item", conn);
                    DropDownList1.DataSource = da.ExecuteReader();
                    //DataSet ds = new DataSet();
                    // da.Fill(ds, "Item");
                    //ddlitemid.DataSource = ds.Tables["Item"].DefaultView;
                    DropDownList1.DataTextField = "Itemname";
                    DropDownList1.DataValueField = "Itemid";
                    DropDownList1.DataBind();
                    conn.Close();
                }
            }
            catch (Exception ex)
            {
                Response.Write(ex.Message);
            }
        }
        protected void btnadd_Click(object sender, EventArgs e)
        {
            string orderdate = txtorderdate.Text;
            string customerid = txtcustomerid.Text;
            string itemid = DropDownList1.SelectedValue;
            string qty = txtquantity.Text;


            SqlConnection con = new SqlConnection();
            con.ConnectionString = "Data Source=(local);Initial Catalog=MOE;Integrated Security=True";
            con.Open();
            SqlCommand result = new SqlCommand("Insert Into [Order](Orderdate,Customerid,Itemid,OQty) Values ('" + orderdate + "','" + customerid + "','" + itemid + "','" + qty + "')", con);
            result.ExecuteNonQuery();
        }
        protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
        {
        }
    }
}

当我到达订单页面时,我可以成功登录,该框显示我输入的姓氏附近有语法错误。请帮帮我。

我对C#中的会话有问题

更改sql查询

SqlCommand res = new SqlCommand("Select CustomerID from Customer where Customername ='"+customername +"'", connn);

您是基于类型为varcharcolumndatabaseselecting数据。

varchar的值总是需要用quotes括起来,并且您没有在customername周围加引号。

使用parameterized SQL来阻止SQl Injections。像这样更改插入查询

SqlCommand res = new SqlCommand("Select CustomerID from Customer where Customername = @customername " , connn);
res.Parameters.AddWithValue("@customername",customername );

会话中没有错误。sql查询中出现错误

SqlCommand res = new SqlCommand("Select CustomerID from Customer where Customername ='"+customername +"'", connn);

非常容易受到SQL注入的攻击

http://www.codeproject.com/Articles/813965/Preventing-SQL-Injection-Attack-ASP-NET-Part-I

使用此

相关文章: