SqlCommand.ExecuteScalar() 判断用户登录的另一种方法(ExecuteScalar 返回结果集第一行第一列,这里即 count(*) 的值):
Dispose():直接销毁,不可再次利用;
Close():关闭连接(关闭后可再次利用)
using 在离开作用域后(包括因异常退出时)调用 Dispose();SqlConnection、FileStream 的 Dispose() 内部都会做这样的判断:若尚未 Close 就先 Close 再释放。
下述代码将很容易被注入攻击(如何防注入呢?):用户输入被直接拼接进 SQL 文本,例如在密码处输入 ' or '1'='1 ,WHERE 条件就变成 PassWord= '' or '1'='1' 而恒为真,无需正确密码即可"登录成功"。
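// Point |DataDirectory| at the project folder when running from bin\Debug\ or bin\Release\,
// so the attached Database1.mdf in the project root is found.
// BaseDirectory carries a trailing separator (the Debug literal already relies on it), so the
// Release literal must end with one too — the original @"\bin\Release" never matched.
string dataDir = AppDomain.CurrentDomain.BaseDirectory;
if (dataDir.EndsWith(@"\bin\Debug\", StringComparison.Ordinal)
    || dataDir.EndsWith(@"\bin\Release\", StringComparison.Ordinal))
{
    // With the trailing separator: Debug\ -> Debug -> bin -> project root (three steps).
    dataDir = System.IO.Directory.GetParent(dataDir).Parent.Parent.FullName;
    AppDomain.CurrentDomain.SetData("DataDirectory", dataDir);
}

Console.WriteLine("请输入用户名:");
string UserName = Console.ReadLine();
Console.WriteLine("请输入密码:");
string password = Console.ReadLine();

// using() disposes the connection on scope exit (Dispose closes it first if still open),
// including when an exception is thrown. It returns the connection to the pool; it is not
// about freeing managed memory.
using (SqlConnection conn = new SqlConnection(@"Data Source =.\SQLEXPRESS;AttachDBFilename = |DataDirectory|\Database1.mdf;Integrated Security= true ;User Instance=true"))
{
    conn.Open();
    using (SqlCommand com = conn.CreateCommand())
    {
        // DELIBERATELY VULNERABLE — kept only as the injection demonstration; never ship this.
        // User input is spliced into the SQL text, so a password of  ' or '1'='1  turns the
        // WHERE clause into  PassWord= '' or '1'='1'  and any account "logs in".
        // It also compares a cleartext password against the PassWord column; see the
        // parameterized version below for the query fix (the column should hold a salted hash).
        com.CommandText = "select count(*) from Table4 where Admin = '"+UserName+"'and PassWord= '"+password +"'";

        // ExecuteScalar returns the first column of the first row: the count(*) value.
        int i = Convert.ToInt32(com.ExecuteScalar());
        if (i > 0)
        {
            Console.WriteLine("登陆成功");
        }
        else
        {
            Console.WriteLine("用户名或密码错误");
        }
    }
}
Console.ReadKey();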
参数化查询(不会被注入攻击):参数值与 SQL 文本分开发送给服务器,输入永远不会被当作 SQL 解析。注意这只解决注入问题——密码仍不应明文存储和比较,应存储加盐哈希(如 PBKDF2)并在代码中校验。
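// Point |DataDirectory| at the project folder when running from bin\Debug\ or bin\Release\,
// so the attached Database1.mdf in the project root is found.
// BaseDirectory carries a trailing separator (the Debug literal already relies on it), so the
// Release literal must end with one too — the original @"\bin\Release" never matched.
string dataDir = AppDomain.CurrentDomain.BaseDirectory;
if (dataDir.EndsWith(@"\bin\Debug\", StringComparison.Ordinal)
    || dataDir.EndsWith(@"\bin\Release\", StringComparison.Ordinal))
{
    // With the trailing separator: Debug\ -> Debug -> bin -> project root (three steps).
    dataDir = System.IO.Directory.GetParent(dataDir).Parent.Parent.FullName;
    AppDomain.CurrentDomain.SetData("DataDirectory", dataDir);
}

// Console.ReadLine() returns null at end of input (e.g. redirected stdin). A null
// SqlParameter.Value means "parameter not supplied" and the query throws, so normalise
// both inputs to the empty string.
Console.WriteLine("请输入用户名:");
string UserName = Console.ReadLine() ?? string.Empty;
Console.WriteLine("请输入密码:");
string password = Console.ReadLine() ?? string.Empty;

// using() disposes the connection on scope exit (Dispose closes it first if still open),
// including when an exception is thrown. It returns the connection to the pool; it is not
// about freeing managed memory.
using (SqlConnection conn = new SqlConnection(@"Data Source =.\SQLEXPRESS;AttachDBFilename = |DataDirectory|\Database1.mdf;Integrated Security= true ;User Instance=true"))
{
    conn.Open();
    using (SqlCommand com = conn.CreateCommand())
    {
        // Parameterized query: the values travel separately from the SQL text, so whatever the
        // user types is never parsed as SQL — this is what defeats the injection shown above.
        com.CommandText = "select count(*) from Table4 where Admin= @username and PassWord = @PassWord";

        // Parameter names belong to the SQL statement and are independent of the C# local
        // names; they may coincide with UserName/password without any conflict (the earlier
        // note claiming otherwise was mistaken). The leading '@' is optional for SqlClient but
        // makes the binding explicit.
        // Caveat: new SqlParameter(name, value) with an int literal 0 resolves to the
        // (string, SqlDbType) overload; string values bind to (string, object) as intended.
        // NOTE(review): the column types are not visible here — if they are known, prefer
        // Parameters.Add(name, SqlDbType, size) so the parameter type matches the column.
        com.Parameters.Add(new SqlParameter("@username", UserName));
        com.Parameters.Add(new SqlParameter("@PassWord", password));

        // NOTE(review): this compares a cleartext password against the PassWord column. The
        // column should store a salted hash (e.g. PBKDF2) and verification should be done in
        // code with a constant-time compare; with a case-insensitive collation (the SQL Server
        // default) this SQL equality is also case-insensitive. Requires a schema change, so it
        // is flagged rather than changed here.
        int i = Convert.ToInt32(com.ExecuteScalar());
        if (i > 0)
        {
            Console.WriteLine("登陆成功");
        }
        else
        {
            Console.WriteLine("用户名或密码错误");
        }
    }
}
Console.ReadKey();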