- 在数据库TestSchool下建立表格TblUser
- 创建Windows窗体应用主窗体Form1
- 创建Windows窗体应用子窗体Form2
- 主窗体程序
//验证用户登录是否成功
private void button1_Click(object sender, EventArgs e)
{
#region 使用拼接sql的方式(不安全,有sql注入攻击问题)
1.采集数据
//string name = txtUserName.Text.Trim();
//string pwd = txtPwd.Text;//密码不用去掉空格
2.连接数据库校验是否成功
//string constr = @"server=DESKTOP-FAVDBP3\MSSQLSERVER2014;user=123;pwd=123;database=TestSchool";
//SqlConnection con = new SqlConnection(constr);
//string sql = string.Format("select count(*) from TblUser where UserName='{0}'and Pwd='{1}'",
// name, pwd);
//SqlCommand cmd = new SqlCommand(sql, con);
//con.Open();
// int count =(int) cmd.ExecuteScalar();
//if(count>0)
//{
// this.BackColor = Color.Green;
//}
//else
//{
// this.BackColor = Color.Red;
//}
//con.Close();
#endregion
//使用带参数的sql语句或者存储过程都能解决sql注入攻击问题
#region 使用带参数的sql语句
string constr = @"server=DESKTOP-FAVDBP3\MSSQLSERVER2014;user=123;pwd=123;database=TestSchool";
SqlConnection con = new SqlConnection(constr);
string sql = "select count(*) from TblUser where UserName=@name and Pwd=@pwd";
SqlCommand cmd = new SqlCommand(sql, con);
//1.当使用带参数的sql语句时
//1>sql语句中会出现参数
//2>如果sql语句中有参数,那么必须再command对象中提供对应的参数和值
//创建两个参数对象
//SqlParameter paramName = new SqlParameter("@name", SqlDbType.NVarChar, 30)
//{ Value = txtUserName.Text.Trim() };
//SqlParameter paraPwd = new SqlParameter("@pwd", SqlDbType.NVarChar, 50)
//{ Value = txtPwd.Text };
//cmd.Parameters.Add(paramName);
//cmd.Parameters.Add(paraPwd);
//-------------------------简便方法------------------------
SqlParameter[] pms = new SqlParameter[]//定义一个参数数组
{
new SqlParameter