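/// <summary>
/// Login page: checks the submitted user name and password against the users table
/// and writes a success or failure message to the response.
/// </summary>
public partial class login21 : System.Web.UI.Page
{
    // Key of the connectionStrings entry in web.config. "T_User" is a constructed
    // placeholder taken from the catalog name; adjust it to the project's real key.
    // The original code embedded the sa account and its password directly in this
    // source file, which puts a privileged credential into version control.
    private const string ConnectionStringName = "T_User";

    /// <summary>Page lifecycle hook; nothing to initialise here.</summary>
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Handles the login button: runs a parameterised COUNT(*) query for the
    /// submitted user name and password and reports the outcome.
    /// </summary>
    /// <param name="sender">The button that raised the event.</param>
    /// <param name="e">Event arguments (unused).</param>
    /// <exception cref="InvalidOperationException">
    /// Thrown when the connection string is not present in configuration.
    /// </exception>
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Read the connection string from configuration so the database credential
        // can be rotated without a rebuild and never lives in source.
        var settings = System.Configuration.ConfigurationManager.ConnectionStrings[ConnectionStringName];
        if (settings == null)
        {
            throw new InvalidOperationException(
                string.Format("Connection string '{0}' is not configured.", ConnectionStringName));
        }
        string constr = settings.ConnectionString;

        // Building SQL by concatenating user input is vulnerable to SQL injection;
        // here the input reaches the server only as parameter values, so it is
        // treated as data rather than as SQL text. (The original wrapped this
        // literal in a no-argument string.Format call, which did nothing.)
        const string sql = "select count(*) from users where Fname=@username and Fpassword=@password ";

        using (SqlConnection con = new SqlConnection(constr))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Parameters must be attached before the statement executes so the
            // server knows what @username and @password are.
            // Trim() is kept as in the original for compatibility with how
            // existing accounts were entered.
            cmd.Parameters.AddWithValue("@username", txtuUserName.Text.Trim());
            cmd.Parameters.AddWithValue("@password", txtuPwd.Text.Trim());

            con.Open();
            // COUNT(*) always yields a value; Convert.ToInt32(null) would be 0 anyway.
            int r = Convert.ToInt32(cmd.ExecuteScalar());

            // NOTE(review): comparing Fpassword directly in SQL suggests passwords
            // are stored in clear text — confirm the schema; storing a salted hash
            // and verifying it server-side would be safer.
            // A single generic failure message is used, so the response does not
            // reveal whether the user name exists.
            Response.Write(r > 0 ? "登陆成功" : "登陆失败");
        }
    }
}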