更新时间:2023-11-28 14:19:04
作为一个良好的初步实践,尝试使用,让您持久参数
来避免SQL注入。
试一下liek这样的:
私人无效btnSignupNew_Click(对象发件人,EventArgs五)
{
如果(txtUsername.Text ==)
{
errorUsername.SetError(txtUsername,输入用户名);
}
,否则如果(txtPassword.Text ==)
{
errorPassword.SetError(txtPassword,输入有效的密码);
}
,否则
{
使用(SqlConnection的CON =新的SqlConnection(数据源=等))
{
con.Open();
布尔存在= FALSE;
//创建一个命令来查询用户名的使用存在
(CMD的SqlCommand =新的SqlCommand(从SELECT COUNT(*)[用户]其中UserName = @UserName,CON) )
{
cmd.Parameters.AddWithValue(用户名,txtUsername.Text);
存在=(INT)cmd.ExecuteScalar()> 0;
}
//如果存在,显示消息错误
如果(存在)
errorPassword.SetError(txtUsername,这个用户名已经被使用由其他用户。 );
,否则
{
//不存在,所以,坚持用用户
(CMD的SqlCommand =新的SqlCommand(INSERT INTO [用户]值(@Forname,@Surname ,@username,@Password),CON))
{
cmd.Parameters.AddWithValue(的forName,txtForname.Text);
cmd.Parameters.AddWithValue(姓,txtSurname.Text);
cmd.Parameters.AddWithValue(用户名,txtUsername.Text);
cmd.Parameters.AddWithValue(密码,txtPassword.Text);
cmd.ExecuteNonQuery();
}
}
con.Close();
}
}
}
i am trying to check against the database table "user" to see if the "username" exists so that the same username cannot be created again. I want this to be a validator so if the username exists the message box will show it exists.
Please guide me through this, i have the following code so far behind the button to add and check if username exists:
private void btnSignupNew_Click(object sender, EventArgs e)
{
if (txtUsername.Text == "")
{
errorUsername.SetError(txtUsername, "Enter A Username");
}
else if (txtPassword.Text == "")
{
errorPassword.SetError(txtPassword, "Enter A Valid Password");
}
//so if there isnt no error in the fields itll go on and add the data in to the database.
else{
//instance of sqlConnection
SqlConnection con = new SqlConnection("Data Source=etc");
//instance of sqlCommand
SqlCommand cmd = new SqlCommand("INSERT INTO [User] values ('" + txtForename.Text + "', '" + txtSurname.Text + "', '" + txtUsername.Text + "', '" + txtPassword.Text + "' )", con);
con.Open();
cmd.ExecuteNonQuery();
//query executed correcty or not
con.Close();
As a good pratice, try to keep your persistence using Parameters
to avoid SQL Injection.
Try something liek this:
private void btnSignupNew_Click(object sender, EventArgs e)
{
if (txtUsername.Text == "")
{
errorUsername.SetError(txtUsername, "Enter A Username");
}
else if (txtPassword.Text == "")
{
errorPassword.SetError(txtPassword, "Enter A Valid Password");
}
else
{
using (SqlConnection con = new SqlConnection("Data Source=etc"))
{
con.Open();
bool exists = false;
// create a command to check if the username exists
using (SqlCommand cmd = new SqlCommand("select count(*) from [User] where UserName = @UserName", con))
{
cmd.Parameters.AddWithValue("UserName", txtUsername.Text);
exists = (int)cmd.ExecuteScalar() > 0;
}
// if exists, show a message error
if (exists)
errorPassword.SetError(txtUsername, "This username has been using by another user.");
else
{
// does not exists, so, persist the user
using (SqlCommand cmd = new SqlCommand("INSERT INTO [User] values (@Forname, @Surname, @Username, @Password)", con))
{
cmd.Parameters.AddWithValue("Forname", txtForname.Text);
cmd.Parameters.AddWithValue("Surname", txtSurname.Text);
cmd.Parameters.AddWithValue("UserName", txtUsername.Text);
cmd.Parameters.AddWithValue("Password", txtPassword.Text);
cmd.ExecuteNonQuery();
}
}
con.Close();
}
}
}