读书人

Question about SQL data retrieval on user login

Posted: 2011-12-24 23:03:24 Author: rapoo

SQL data retrieval problem on user login!
I'm a beginner at asp.net.

I ran into a small problem while building a login page, hoping an expert can advise!

SqlConnection db = new SqlConnection("server=WWW-1GJV7YP3TQ2; Database=yc-hardadmin;user ID=sb;password= ");
// The textbox values are spliced straight into the SQL text (the original post had them
// inside the string literal, which would never match a row)
string sel = "select * from hkhda where username= '" + TextBox1.Text + "' and pws= '" + TextBox2.Text + "' ";
SqlCommand com = new SqlCommand(sel, db);
db.Open();
SqlDataReader rea = com.ExecuteReader();
rea.Read();
if (/* condition */)
{
Panel1.Visible = false;
Panel2.Visible = true;
}
................ (omitted)


Here, if that record exists in the database, the statements inside the braces should be executed:

Panel1.Visible = false;
Panel2.Visible = true;


[Solution]
The code above has a serious SQL injection vulnerability; I suggest changing it to

using System.Data;
using System.Data.SqlClient;

SqlConnection db = new SqlConnection("server=WWW-1GJV7YP3TQ2; Database=yc-hardadmin;user ID=sb;password= ");
// Placeholders instead of spliced-in text: the values are sent to SQL Server separately from the query
string sel = "select * from hkhda where username= @username and pws= @pws ";
SqlCommand com = new SqlCommand(sel, db);
// Parameter names must match the placeholders exactly (the original had "cmd" and trailing spaces in the names)
com.Parameters.Add("@username", SqlDbType.VarChar).Value = TextBox1.Text.Trim();
com.Parameters.Add("@pws", SqlDbType.VarChar).Value = TextBox2.Text.Trim();
db.Open();
SqlDataReader rea = com.ExecuteReader();
if (rea.HasRows) // rea.Read() also works
{
Panel1.Visible = false;
Panel2.Visible = true;
}
rea.Close();
db.Close();
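To make the difference between the two answers concrete, here is an added example (not from the original thread or its poster) that runs the same login query both ways against constructed sample data. It uses Python's built-in sqlite3 in place of SQL Server and ADO.NET so it can run offline; the table, column names and the splicing pattern are the thread's, the user row and the attacker inputs are constructed, and `?` is SQLite's positional placeholder standing in for SqlClient's `@username` / `@pws`. The mechanism is the same in both drivers: with a placeholder the value travels separately from the SQL text, so quote characters in it can never alter the query.

```python
"""Login query from the thread, spliced vs. parameterized, run against SQLite.

Constructed demo: one user row, two attacker payloads, one "honest" value that
happens to contain a quote. Nothing here is the thread's original code.
"""
import sqlite3


def make_db():
    # Constructed sample data using the thread's table and column names.
    db = sqlite3.connect(":memory:")
    db.execute("create table hkhda (username text, pws text)")
    db.execute("insert into hkhda values ('sb', 'Secret!1')")
    return db


def login_spliced(db, username, password):
    """The original pattern: textbox values pasted into the SQL text."""
    sel = ("select * from hkhda where username= '" + username
           + "' and pws= '" + password + "' ")
    return db.execute(sel).fetchone() is not None


def login_parameterized(db, username, password):
    """The fix: placeholders in the text, values handed to the driver separately."""
    sel = "select * from hkhda where username= ? and pws= ?"
    return db.execute(sel, (username, password)).fetchone() is not None


def spliced_breaks_on_quote(db, username, password):
    """True if the spliced query cannot even be parsed for this input."""
    try:
        login_spliced(db, username, password)
        return False
    except sqlite3.Error:
        return True


def demo():
    db = make_db()
    # Payload 1: attacker knows a username; the quote closes the literal and
    # "--" comments out the password check (a line comment in SQLite and T-SQL).
    comment_user = "sb'--"
    # Payload 2: the classic tautology in both fields. Because AND binds tighter
    # than OR, the spliced WHERE clause ends with "... or '1'='1'", which is true.
    taut = "' or '1'='1"
    # An honest value with an apostrophe: not an attack, but it still breaks splicing.
    quoted_pw = "O'Neil"
    return {
        "spliced_valid": login_spliced(db, "sb", "Secret!1"),
        "spliced_wrong": login_spliced(db, "sb", "nope"),
        "spliced_comment_payload": login_spliced(db, comment_user, "nope"),
        "spliced_tautology_payload": login_spliced(db, taut, taut),
        "spliced_breaks_on_quote": spliced_breaks_on_quote(db, "sb", quoted_pw),
        "param_valid": login_parameterized(db, "sb", "Secret!1"),
        "param_wrong": login_parameterized(db, "sb", "nope"),
        "param_comment_payload": login_parameterized(db, comment_user, "nope"),
        "param_tautology_payload": login_parameterized(db, taut, taut),
        "param_quote_is_just_data": login_parameterized(db, "sb", quoted_pw),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The spliced version lets both payloads log in without a password and throws a syntax error on an ordinary apostrophe; the parameterized version treats every input as plain data, so the payloads are simply usernames and passwords that do not exist. Trimming the textbox values, as the answer does, is fine for cosmetics but is not what provides the protection; the placeholder is.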
