Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/oracle/10.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
C# 我被asp.net登录表单卡住了_C#_Asp.net - Fatal编程技术网
Fatal编程技术网
  • csharp/
  • C# 我被asp.net登录表单卡住了

C# 我被asp.net登录表单卡住了

c# asp.net

C# 我被asp.net登录表单卡住了,c#,asp.net,C#,Asp.net,我已经创建了asp.net登录表单。问题是我想检查SQL数据库中是否存在用户名,但我甚至无法连接到数据库。错误消息是: 将varchar值“System.Web.UI.WebControls.TextBox”转换为数据类型int时,转换失败。 这是我的代码: protected void Page_Load(object sender, EventArgs e) { lblmessage.Visible = false; if (!IsPostBack) {

我已经创建了asp.net登录表单。问题是我想检查SQL数据库中是否存在用户名,但我甚至无法连接到数据库。错误消息是:

将varchar值“System.Web.UI.WebControls.TextBox”转换为数据类型int时,转换失败。

这是我的代码:

protected void Page_Load(object sender, EventArgs e)
{
    lblmessage.Visible = false;
    if (!IsPostBack)
    {
        lblsec.Text = Userutility.generateSecurity();
    }
}

protected void registerButton_Click(object sender, EventArgs e)
{
    if (txtusername.Text =="" || txtpassword.Text=="" || TextBox2.Text ==""|| sec_code.Text == "" )
    {
        lblmessage.Text = "لطفا فیلد هارا پر کنید";
        lblmessage.Visible = true;
    }
    else if (!Regex.IsMatch(txtusername.Text,@"^[a-zA-Z]{5,50}$"))
    {
        lblmessage.Text = "نام کاربری باید حداقل 5 کاراکتر و از کاراکتر های مجاز استفاده شود";
        lblmessage.Visible = true;
    }
    else if (!Regex.IsMatch(txtmail.Text, @"\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"))
    {
        lblmessage.Text = "ایمیل وارد شده معتبر نمی باشد";
        lblmessage.Visible = true;
    }
    else if (txtpassword.Text != TextBox2.Text)
    {
        lblmessage.Text = "کلمه عبور شما تطابق ندارد";
        lblmessage.Visible = true;
    }
    else if (Userutility.user_login_exist(txtusername.Text))
    {
        lblmessage.Text = "این نام کاربری موجود میباشد";
        lblmessage.Visible = true;

    }
    else if (Convert.ToInt16(sec_code.Text) != Convert.ToInt16(Session["sec_code"].ToString()))
    {
        lblmessage.Text = "عبارت امنیتی صحیح نمی باشد";
        lblsec.Text = Userutility.generateSecurity();
        lblmessage.Visible = true;
    }
    else 
    {
        SqlConnection cnn = new SqlConnection("Data Source=.;Initial Catalog=EnglishDB;Integrated Security=true");
        SqlCommand cmd = new SqlCommand();
        cmd.Connection=cnn;
        string sql = @"Insert into student (Username,FirstName,LastName,Age,Major,City,Country,Password,Email,Cellphone)";
        sql += " VALUES('{0}','{1}','{2}','{3}','{4}','{5}','{6}','{7}','{8}','{9}')";
        sql = string.Format(sql, txtusername, txtlastname, txtlastname, txtage, txtmajor, txtcity, txtcountry, txtpassword, txtmail, txtcellphone);
        cnn.Open();
        cmd.CommandText = sql;
        cmd.ExecuteNonQuery();
        cnn.Close();
    }
}
您没有提到sql查询中文本框的
.Text
属性。相反,您提到的是控件名称

string.Format(sql, txtusername.Text ...
更好的方法是使用参数化查询

 using( SqlConnection cnn = new SqlConnection("Data Source=.;Initial Catalog=EnglishDB;Integrated Security=true"))
 {
    cnn.Open();
    SqlCommand cmd = new SqlCommand();
    cmd.Connection=cnn;
    string sql = @"Insert into student (Username,FirstName,LastName,Age,Major,City,Country,Password,Email,Cellphone)";
    sql += " VALUES(@Username,@FirstName,@LastName,@Age,@Major,@City,@Country,@Password,@Email,@Cellphone)";


    cmd.CommandText = sql;
    cmd.Parameters.AddWithValue(@Username, txtusername.Text);
    cmd.Parameters.AddWithValue(@FirstName, txtfirstname.Text);
    cmd.Parameters.AddWithValue(@LastName, txtlastname.Text);
    cmd.Parameters.AddWithValue(@Age, txtage.Text);
    cmd.Parameters.AddWithValue(@Major, txtmajor.Text);
    cmd.Parameters.AddWithValue(@City, txtcity.Text);
    cmd.Parameters.AddWithValue(@Country, txtcountry.Text);
    cmd.Parameters.AddWithValue(@Password, txtpassword.Text);
    cmd.Parameters.AddWithValue(@Email, txtmail.Text);
    cmd.Parameters.AddWithValue(@Cellphone, txtcellphone.Text);

    cmd.ExecuteNonQuery();        
 }
似乎您也在单引号中为
int
赋值。应该可以解决这里的所有问题。

尝试用此代码替换您的代码部分

string sql = @"Insert into student (Username,FirstName,LastName,Age,Major,City,Country,Password,Email,Cellphone)";
            sql += " VALUES('{0}','{1}','{2}',{3},'{4}','{5}','{6}','{7}','{8}','{9}')";
            sql = string.Format(sql, txtusername.Text, txtlastname.Text, txtlastname.Text, txtage.Text, txtmajor.Text, txtcity.Text, txtcountry.Text, txtpassword.Text, txtmail.Text, txtcellphone.Text);
有利的是,您的年龄字段是数据类型
int
。您从一个文本框中获取它的值,因此是一个字符串,因此您正在尝试将一个字符串插入到一个int字段中

使用:

然后将其作为参数传递:

string sql = @"Insert into student(Username,FirstName,LastName,Age,Major,City,Country,Password,Email,Cellphone)  VALUES(@Usr,@Fname,@LastName,@Age,@Major,@City,@Country,@Pass,@Email,@Cell)";
cmd.Parameters.AddWithValue("@Usr",txtusername);
//...
cmd.Parameters.AddWithValue("@age",age);
数据库中
username
列的数据类型是什么?建议:不要对参数使用string.Format,这是一种糟糕的做法。您应该使用for参数。在哪一行出现此错误?另外,请注意使用参数化查询。目前你的代码很容易受到SQL注入攻击。david我创建了这个方法公共静态字符串sanitize_SQL(字符串输入){return input.Replace(“'”,“'”);}Ricky用户名类型非常感谢你。你不知道我有多高兴如果它能工作,请别忘了将其标记为应答对不起,我是新的堆栈溢出,你能帮我做些什么吗?这很可能是从代码格式化SQL字符串最糟糕的方法之一。为什么?很可能是因为SQL注入是世界上的头号攻击,而这个查询是攻击者最好的朋友。下面哈桑给出的答案要好得多。在变量进入SQL字符串之前,需要对其进行参数化。谢谢。我还有禁止sql注入的类。 
string sql = @"Insert into student(Username,FirstName,LastName,Age,Major,City,Country,Password,Email,Cellphone)  VALUES(@Usr,@Fname,@LastName,@Age,@Major,@City,@Country,@Pass,@Email,@Cell)";
cmd.Parameters.AddWithValue("@Usr",txtusername);
//...
cmd.Parameters.AddWithValue("@age",age);