这是我的协会表的架构:
Society(SocietyName, Email, Password, Status)
因此,基本上,我正在创建一个登录页面,用户在其中输入电子邮件和密码。如果存在与数据库中的电子邮件匹配的电子邮件,则它将检查状态是否等于校长或教职员工或学生事务办公室。基于此,它重定向到不同的页面。
以下是我的代码:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace WebApplication3 {
public partial class WebForm1 : System.Web.UI.Page {
MySql.Data.MySqlClient.MySqlConnection conn;
MySql.Data.MySqlClient.MySqlCommand cmd;
MySql.Data.MySqlClient.MySqlDataReader reader;
String QueryStr;
String name;
protected void Page_Load(object sender, EventArgs e) { }
protected void clicked(object sender, EventArgs e) {
String ConnString = System.Configuration.ConfigurationManager.ConnectionStrings["Webappconstring"].ToString();
conn = new MySql.Data.MySqlClient.MySqlConnection(ConnString);
conn.Open();
String QueryStr2 = "";
QueryStr = "";
QueryStr = "Select * from the_society_circle.society WHERE Email= '" + Emailtxt.Text + "' And Psswd=' " + passwordtxt.Text + "'";
cmd = new MySql.Data.MySqlClient.MySqlCommand(QueryStr, conn);
reader = cmd.ExecuteReader();
QueryStr2 = "Select Status from the_society_circle.society where Email = '" + QueryStr + "'";
name = "";
while (reader.HasRows && reader.Read()) {
name = reader["Email"].ToString();
}
if ((QueryStr2== "president" || QueryStr2 == "faculty member") && reader.HasRows ) {
Session["Email"] = name;
Response.BufferOutput = true;
Response.Redirect("WebForm2.aspx", true);
} else {
Emailtxt.Text = "invalid user";
}
conn.Close();
}
}
}
问题是if语句从不执行,并且始终打印无效用户。
PS:我是Web开发的新手:D
最佳答案
正如codemonkey所写,您的条件永远不会实现。
您执行以下操作:if ((QueryStr2== "president" || Quer...评估为if (("Select Status from the_society_circle.society where Email = '" + QueryStr + "'"== "president" || Quer...。因此,您正在比较两个不同的字符串,这些字符串永远不会成功。
我试图重构您的代码,并提出了这个(未经测试,从头开始编写):
首先,将与数据库相关的代码放入一个单独的类(MySqlAccess)中,并处理数据库对象(将它们放入using -blocks中,在离开该块时调用Dispose())。
不要在SQL查询中直接使用用户输入。记住“所有输入都是邪恶的”。因此,最好使用参数化查询。
比较失败的原因是您没有执行第二个查询。现在,代码仅执行一个查询,并返回用户状态。
所以总结一下:
请牢记SQL注入和其他恶意操作。例如,查看以下文章:http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx
永远不要将密码以明文形式存储在数据库中。那是您应该关心的下一件事。编辑数据库以将密码存储为加盐的密码哈希,然后仅比较哈希。首先,请查看本文:http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using MySql;
namespace WebApplication1
{
public partial class WebForm1 : System.Web.UI.Page
{
private string _connectionString;
protected void Page_Load(object sender, EventArgs e)
{
_connectionString = System.Configuration.ConfigurationManager.ConnectionStrings["Webappconstring"].ToString();
}
protected void Clicked(object sender, EventArgs e)
{
string email = Emailtxt.Text;
string password = passwordtxt.Text;
var mysqlAccess = new MySqlAccess(_connectionString);
string status = mysqlAccess.GetStatus(email, password);
if (status == Constants.Status.PRESIDENT || status == Constants.Status.FACULTY_MEMBER)
{
Session["Email"] = email;
Response.Redirect("WebForm2.aspx", true);
}
else
{
Emailtxt.Text = "invalid user";
}
}
}
internal class MySqlAccess
{
private readonly string _connectionString;
public MySqlAccess(string connectionString)
{
_connectionString = connectionString;
}
public string GetStatus(string email, string password)
{
using (var conn = new MySqlConnection(_connectionString))
{
conn.Open();
string query = "SELECT Status FROM the_society_circle.society WHERE Email=@Email AND Psswd=@Password;";
using (var cmd = new MySqlCommand(query, conn))
{
cmd.Parameters.AddWithValue("@Email", email);
cmd.Parameters.AddWithValue("@Password", password);
using (var reader = cmd.ExecuteReader())
{
if (reader.HasRows && reader.Read())
{
return reader["Status"].ToString();
}
}
}
}
return string.Empty;
}
}
internal class Constants
{
internal class Status
{
public const string PRESIDENT = "president";
public const string FACULTY_MEMBER = "faculty member";
}
}
}
关于c# - 如何从查询中获取值并将其与字符串进行比较?,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/27677923/