Asp.net asp登录SQL的帮助
我有一个表单,提交时会转到下面的登录脚本Asp.net asp登录SQL的帮助,asp.net,sql,login,get,Asp.net,Sql,Login,Get,我有一个表单,提交时会转到下面的登录脚本 <% Dim myConnection As System.Data.SqlClient.SqlConnection Dim myCommand As System.Data.SqlClient.SqlCommand Dim requestName As String Dim requestPass As String requestName = Request.Form("userName") re
<%
Dim myConnection As System.Data.SqlClient.SqlConnection
Dim myCommand As System.Data.SqlClient.SqlCommand
Dim requestName As String
Dim requestPass As String
requestName = Request.Form("userName")
requestPass = Request.Form("userPass")
Dim queryString As String = "SELECT COUNT(*) AS Num_Of_User FROM tblusers WHERE username='" & requestName & "' AND password='" & requestPass & "'"
myConnection = New System.Data.SqlClient.SqlConnection("Data Source=(local);InitialCatalog=dbtest;Integrated Security=True")
myCommand = New System.Data.SqlClient.SqlCommand(queryString, myConnection)
myConnection.Open()
Dim reader As System.Data.SqlClient.SqlDataReader = myCommand.ExecuteReader()
%>
现在理论上,我应该能够从SQL查询中获得用户的Num_,如果它等于1,那么登录就成功了。这是正确的方法吗?如何获取SQL返回的值?请尝试
myCommand.ExecuteScalar()另外,检查ASP.Net“内置”身份验证方法-这可能会节省您的一些工作。请尝试myCommand.ExecuteScalar(),它返回结果集第一行第一列的值-正是您在这里要查找的值
另外,检查ASP.Net“内置”身份验证方法-这可能会节省您的一些工作。您可以使用该代码进行SQL注入。 请参阅如果您以
或2>1的形式输入用户名--Dim queryString As String = "SELECT COUNT(*) AS Num_Of_User FROM tblusers WHERE username=@username AND password=@password"
myConnection = New System.Data.SqlClient.SqlConnection("Data Source=(local);InitialCatalog=dbtest;Integrated Security=True")
myCommand = New System.Data.SqlClient.SqlCommand(queryString, myConnection)
myCommand.Parameters.AddWithValue("@username", requestName)
myCommand.Parameters.AddWithValue("@password", requestPass)
Dim numUsers as Integer
Using myConnection as New System.Data.SqlClient.SqlConnection("Data Source=(local);InitialCatalog=dbtest;Integrated Security=True")
Dim queryString As String = "SELECT COUNT(*) AS Num_Of_User FROM tblusers WHERE username=@username AND password=@password"
Using myCommand as New System.Data.SqlClient.SqlCommand(queryString, myConnection)
myConnection.Open
myCommand.Parameters.AddWithValue("@username", requestName)
myCommand.Parameters.AddWithValue("@password", requestPass)
numUsers = myCommand.ExecuteScalar()
End Using
End Using
上面的代码将确保您的对象被释放,但不会处理任何可能引发的异常 您完全可以使用该代码进行SQL注入。 请参阅如果您以
或2>1的形式输入用户名--Dim queryString As String = "SELECT COUNT(*) AS Num_Of_User FROM tblusers WHERE username=@username AND password=@password"
myConnection = New System.Data.SqlClient.SqlConnection("Data Source=(local);InitialCatalog=dbtest;Integrated Security=True")
myCommand = New System.Data.SqlClient.SqlCommand(queryString, myConnection)
myCommand.Parameters.AddWithValue("@username", requestName)
myCommand.Parameters.AddWithValue("@password", requestPass)
Dim numUsers as Integer
Using myConnection as New System.Data.SqlClient.SqlConnection("Data Source=(local);InitialCatalog=dbtest;Integrated Security=True")
Dim queryString As String = "SELECT COUNT(*) AS Num_Of_User FROM tblusers WHERE username=@username AND password=@password"
Using myCommand as New System.Data.SqlClient.SqlCommand(queryString, myConnection)
myConnection.Open
myCommand.Parameters.AddWithValue("@username", requestName)
myCommand.Parameters.AddWithValue("@password", requestPass)
numUsers = myCommand.ExecuteScalar()
End Using
End Using
上面的代码将确保您的对象被释放,但不会处理任何可能引发的异常 您似乎正在使用ASP.NET,而不是ASP.NET。是吗?是的,它们都是.aspx页面您似乎在使用ASP.NET,而不是ASP.NET。是否正确?是的,它们都是。aspx pageso获取值是否正确:Dim rows rows=myCommand.ExecuteScalar()
Dim UserCount As Integer=DirectCast(myCommand.ExecuteScalar(),Integer)Dim UserCount As Integer=DirectCast(myCommand.ExecuteScalar(),Integer)Dim myConnectionUsingEnd UsingDim myConnectionUsingEnd Using