且构网


What is the cs code to save the account creation date and last password update date

Updated: 2023-02-12 20:30:27

,GETDATE()) is the function to get the current date, but how do I save the current date to the database and the last login date? Any simple ideas..?

Well...GETDATE is the SQL function for the current date and has nothing to do with C#, but it works, yes - and it's a reasonably sensible function to use because it means all timestamps are set using the same clock.
So all you have to do is set up a simple SQL query to do an UPDATE:
UPDATE MyTable SET LastLoginDate=GETDATE() WHERE UserId=...

and supply your actual user identification information instead of the ellipsis.

The C# code is pretty trivial - it's exactly the same as your code for an INSERT, and (hopefully) uses a parameterized query - but I don't know which of the many ways to do that you are using, so I'll leave the exact implementation to you!


Here is my login code. Where do I put the "UPDATE MyTable SET LastLoginDate=GETDATE() WHERE UserId=... " code in?


protected void login_btn_Click(object sender, EventArgs e)
    {
        int cnt = 0;

        //  SqlDataAdapter ad1 = new SqlDataAdapter(@"select Id  from UserReg WHERE Name='" + TextBox1.Text + "' AND Password='" + TextBox2.Text + "'", con);
        //  DataTable dt = new DataTable();



        SqlCommand cmd;
        SqlDataReader dr;
        cmd = new SqlCommand("select Id  from UserReg WHERE Name='" + username.Text + "' AND Password='" + password.Text + "'");

        con.Open();
        cmd.Connection = con;
        cmd.ExecuteNonQuery();
        dr = cmd.ExecuteReader();
        while (dr.Read())
        {

            //  ad1.Fill(dt);
            cnt = Convert.ToInt32(dr["Id"].ToString());
        }

        if (cnt > 0)
        {
            Response.Redirect("profile.aspx?id=" + cnt); //Response.Redirect("veinpage.aspx?id=" + cnt);
        }

        else
        {
            loginchk.Text = "Invalid username or password";
            this.loginchk.ForeColor = Color.Red;
        }
        
    }
}




Oh dear...

Forget what you are trying to do with the updates, and have a good hard look at your code. Because what you have there my friend, is code that is supremely dangerous, and wide open to abuse.
For example, did you know I could log into your system without any password, or indeed username, from anywhere in the world? As anyone I wanted to? Or I could just delete your whole database without logging in? It's called SQL Injection, and you are wide, wide open to it.
In addition, you are storing passwords in clear text! Do you not read the news? Do you not understand how dangerous that is?

You seriously need to fix both of those - it isn't complex - and I would also recommend that you stop using a "home brewed" login system and look at Membership - it's easy to follow and implement, and it gives you a lot better security than you are trying to implement.
But for goodness' sake, use parameterised queries at all times - or your best friend will delete your DB just to see the look on your face!
Think I'm joking?
Try to log in with this username and no password:

x' OR Id > 0;--
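
A parameterised form of the login lookup, combined with the LastLoginDate update from the first answer and a salted password hash check, as an added example that is not code from the thread. The LoginHelper name, the PasswordHash, PasswordSalt and LastLoginDate columns on UserReg, the parameter size, the iteration count and .NET Framework 4.7.2 or later (for this Rfc2898DeriveBytes overload) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginHelper            // hypothetical name, not from the thread
{
    const int Iterations = 100000;         // PBKDF2 work factor (assumed value)
    // Returns the user's Id, or 0 when the name or password does not match.
    // Assumes con is open and the assumed columns on UserReg are NOT NULL.
    public static int Login(SqlConnection con, string name, string password)
    {
        int id = 0;
        byte[] hash = null, salt = null;
        // The name travels as a parameter value, so input such as  x' OR Id > 0;--
        // is compared as a literal user name and never parsed as SQL.
        using (var cmd = new SqlCommand(
            "SELECT Id, PasswordHash, PasswordSalt FROM UserReg WHERE Name = @name", con))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            using (SqlDataReader dr = cmd.ExecuteReader())
                if (dr.Read())
                {
                    id = Convert.ToInt32(dr["Id"]);
                    hash = (byte[])dr["PasswordHash"];
                    salt = (byte[])dr["PasswordSalt"];
                }
        }
        if (id == 0 || !Verify(password, salt, hash)) return 0;
        // Stamp the login with the database clock, as the first answer suggests.
        using (var upd = new SqlCommand(
            "UPDATE UserReg SET LastLoginDate = GETDATE() WHERE Id = @id", con))
        {
            upd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            upd.ExecuteNonQuery();
        }
        return id;
    }
    // Re-derives the PBKDF2 hash from the typed password and the stored salt.
    static bool Verify(string password, byte[] salt, byte[] expected)
    {
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            actual = kdf.GetBytes(expected.Length);
        int diff = 0;                      // compare every byte, no early exit
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}
```

In the click handler, `int cnt = LoginHelper.Login(con, username.Text, password.Text);` takes the place of the concatenated query and the reader loop.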