C# change password problem in ASP.Net
Tags: c#, sql, asp.net, visual-studio-2015

Hi, I am trying to change a password so that the user's password is updated in the database. For example, I want user Mary Tan's password to change from 12345 to 54321. But it affects the rest of the users' passwords as well. I really don't know how to fix it. Output: Table. My code:
protected void btnChangePassword_Click(object sender, EventArgs e)
{
    SqlDataReader dr = null;
    connectionString = ConfigurationManager.ConnectionStrings["LeaveManagementCS"].ConnectionString;
    conn = new SqlConnection(connectionString);
    // The WHERE clause is appended only when the session holds a user name;
    // without it the UPDATE has no filter and changes every row in Staff.
    string sql = "UPDATE Staff Set Password=@NewPwd";
    if (Session["Username"] != null)
    {
        sql += " WHERE UserName='" + Session["Username"].ToString() + "'";
    }
    string newPwd = tbNewPassword.Text;
    try
    {
        cmd = new SqlCommand(sql, conn);
        cmd.Parameters.AddWithValue("@NewPwd", tbNewPassword.Text);
        conn.Open();
        // An UPDATE returns no result set, so this reader never yields a row;
        // the statement is then run a second time by ExecuteNonQuery below.
        dr = cmd.ExecuteReader();
        while (dr.Read())
        {
            if ((tbNewPassword.Text == dr["newPwd"].ToString()))
            {
            }
        }
        dr.Close();
        int rows = cmd.ExecuteNonQuery();
        if (rows > 0)
        {
            lblOutput.ForeColor = System.Drawing.Color.Green;
            lblOutput.Text = "Password has been changed successfully";
        }
        else
        {
            lblOutput.ForeColor = System.Drawing.Color.Red;
            lblOutput.Text = "Password does not match with our database records.";
        }
    }
    catch (Exception ex)
    {
        lblOutput.Text = "Error Message: " + ex.Message;
    }
    finally
    {
        if (conn != null)
            conn.Close();
    }
}
This means your Session["Username"] is null at the time the code runs, so the WHERE condition is skipped and every row is updated. What is the reader for? It is not needed; just execute the command and it will return the number of affected rows. So you can do it this way:
string connectionString = ConfigurationManager.ConnectionStrings["LeaveManagementCS"].ConnectionString;
if (Session["Username"] != null)
{
    string sql = "UPDATE Staff Set Password=@NewPwd WHERE UserName=@Username";
    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        conn.Open();
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@NewPwd", tbNewPassword.Text);
            cmd.Parameters.AddWithValue("@Username", Session["Username"]);
            int rows = cmd.ExecuteNonQuery();
            if (rows > 0)
            {
                lblOutput.ForeColor = System.Drawing.Color.Green;
                lblOutput.Text = "Password has been changed successfully";
            }
            else
            {
                lblOutput.ForeColor = System.Drawing.Color.Red;
                lblOutput.Text = "Password does not match with our database records.";
            }
        }
    }
}
else
{
    // Show message that Session is Empty Can't Proceed
}
Important note: do not store passwords in plain text.

Change your method like this (check the session at the start):

Check Session["Username"]; I think that condition is false because Session["Username"] is null.
Very likely. Verify whether it has this value.
This code is vulnerable to SQL injection.
@AshwinNair: Is it? How do we avoid them?
Parameterized queries or stored procedures.
Glad if it helped.
What is the purpose of cmd.ExecuteReader() here?
protected void btnChangePassword_Click(object sender, EventArgs e)
{
    if (Session["Username"] == null)
    {
        //User is not logged-in. Display message or handle
        return;
    }
    SqlDataReader dr = null;
    connectionString = ConfigurationManager.ConnectionStrings["LeaveManagementCS"].ConnectionString;
    conn = new SqlConnection(connectionString);
    string sql = "UPDATE Staff Set Password=@NewPwd Where UserName = @UserName";
    string newPwd = tbNewPassword.Text;
    try
    {
        cmd = new SqlCommand(sql, conn);
        cmd.Parameters.AddWithValue("@NewPwd", tbNewPassword.Text);
        cmd.Parameters.AddWithValue("@UserName", Session["Username"].ToString());
        conn.Open();
        // Kept from the question: the reader returns no rows for an UPDATE and
        // the statement is executed again by ExecuteNonQuery below.
        dr = cmd.ExecuteReader();
        while (dr.Read())
        {
            if ((tbNewPassword.Text == dr["newPwd"].ToString()))
            {
            }
        }
        dr.Close();
        int rows = cmd.ExecuteNonQuery();
        if (rows > 0)
        {
            lblOutput.ForeColor = System.Drawing.Color.Green;
            lblOutput.Text = "Password has been changed successfully";
        }
        else
        {
            lblOutput.ForeColor = System.Drawing.Color.Red;
            lblOutput.Text = "Password does not match with our database records.";
        }
    }
    catch (Exception ex)
    {
        lblOutput.Text = "Error Message: " + ex.Message;
    }
    finally
    {
        if (conn != null)
            conn.Close();
    }
}
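As an added example, not code from the question or from either answer, the following Python script uses an in-memory sqlite3 database so it runs stand-alone instead of needing SQL Server. It reproduces the defect the accepted answer diagnoses (a WHERE clause that only exists when the session holds a user name, so a null session rewrites every row) next to the corrected flow the thread converges on: refuse when nobody is logged in, always filter by user name, pass both values as query parameters, and store a salted hash rather than the plain-text password from the "important note". The Staff table, the two user rows, the hash layout and the PBKDF2 round count are my own constructed choices, not anything from the page.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for a quick demo

# Constructed sample rows mirroring the question's Staff(UserName, Password) table.
SEED_USERS = [("Mary Tan", "12345"), ("John Lim", "abcde")]


def hash_password(password, salt=None):
    """Return 'salt$digest' (both hex) using PBKDF2-HMAC-SHA256 and a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """In-memory stand-in for the LeaveManagementCS database, seeded with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Staff (UserName TEXT PRIMARY KEY, Password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO Staff VALUES (?, ?)",
        [(user, hash_password(pwd)) for user, pwd in SEED_USERS],
    )
    conn.commit()
    return conn


def buggy_change_password(conn, session_username, new_password):
    """The question's logic: the WHERE clause is built only when the session has a user.
    With no session user the UPDATE is unfiltered and overwrites every row.
    Returns the number of rows the UPDATE touched."""
    sql = "UPDATE Staff SET Password = ?"
    if session_username is not None:
        # string-built filter, the shape the comments flag as open to SQL injection
        sql += " WHERE UserName = '" + session_username + "'"
    return conn.execute(sql, (new_password,)).rowcount


def change_password(conn, session_username, new_password):
    """The corrected logic: refuse without a logged-in user, always filter by user name,
    bind both values as parameters, and store a salted hash instead of the plain text.
    Returns the number of rows updated (0 means the user name was not found)."""
    if not session_username:
        raise PermissionError("no logged-in user in session; refusing to change a password")
    cur = conn.execute(
        "UPDATE Staff SET Password = ? WHERE UserName = ?",
        (hash_password(new_password), session_username),
    )
    conn.commit()
    return cur.rowcount


def stored_hash(conn, username):
    """Fetch the stored 'salt$digest' string for one user, or None if absent."""
    row = conn.execute("SELECT Password FROM Staff WHERE UserName = ?", (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("buggy, no session user -> rows touched:", buggy_change_password(db, None, "54321"))
    db = make_db()
    print("fixed, Mary Tan        -> rows touched:", change_password(db, "Mary Tan", "54321"))
    print("Mary Tan's new password verifies:", verify_password("54321", stored_hash(db, "Mary Tan")))
    print("John Lim's password untouched:", verify_password("abcde", stored_hash(db, "John Lim")))
```

Running the script shows the buggy path touching both rows when the session user is None, while the corrected path touches exactly one row, leaves the other user's hash intact, and raises instead of running any UPDATE when there is no session user.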