方法一:(先根据用户名查询对应的信息,再读取密码与输入密码进行判断)
Console.WriteLine("请输入用户名");
string UserName = Console.ReadLine();
Console.WriteLine("请输入密码");
string Password = Console.ReadLine();
using (SqlConnection conn = new SqlConnection(@"Data Source=.\sqlexpress;AttachDBFilename=|DataDirectory|\Database1.mdf;Integrated Security=true;User Instance=true"))
{
conn.Open();
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandText = "select * from T_Users where UserName='" + UserName + "'";
//先到表中查用户输入的用户名对应的信息
using (SqlDataReader reader = cmd.ExecuteReader())
{
if (reader.Read())
{
//用户名存在
string dbPassword = reader.GetString(reader.GetOrdinal("Password")); //读取数据库中对应的用户名的密码
if (Password == dbPassword) //数据库密码和用户输入密码相同,则登录成功
{
Console.WriteLine("登录成功");
}
else
{
Console.WriteLine("密码错误");
}
}
else
{
Console.WriteLine("用户名错误");
}
}
}
方法二:(根据用户名和密码查询是否存在数据)
Console.WriteLine("请输入用户名");
string UserName = Console.ReadLine();
Console.WriteLine("请输入密码");
string Password = Console.ReadLine();//输入1' or '1'='1 造成sql注入漏洞攻击
using (SqlConnection conn = new SqlConnection(@"Data Source=.\sqlexpress;AttachDBFilename=|DataDirectory|\Database1.mdf;Integrated Security=true;User Instance=true"))
{
conn.Open();
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandText = "select count(*) from T_Users where UserName='" + UserName + "','" + Password + "'"; //根据用户名密码查询数据库是否存在数据
int i = Convert.ToInt32(cmd.ExecuteScalar());
if (i > 0)
{
Console.WriteLine("登录成功");
}
else
{
Console.WriteLine("用户名或密码错误");
}
}
}
方法三:(思路同二,但为了避免密码漏洞攻击,采用了参数占位的形式)
Console.WriteLine("请输入用户名");
string UserName = Console.ReadLine();
Console.WriteLine("请输入密码");
string Password = Console.ReadLine();//输入1' or '1'='1 造成sql注入漏洞攻击
using (SqlConnection conn = new SqlConnection(@"Data Source=.\sqlexpress;AttachDBFilename=|DataDirectory|\Database1.mdf;Integrated Security=true;User Instance=true"))
{
conn.Open();
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandText = "select count(*) from T_Users where UserName=@UN and Password=@P";
cmd.Parameters.Add(new SqlParameter("UN", UserName));
cmd.Parameters.Add(new SqlParameter("P", Password));
int i = Convert.ToInt32(cmd.ExecuteScalar());
if (i > 0)
{
Console.WriteLine("登录成功");
}
else
{
Console.WriteLine("用户名或密码错误");
}
}
}