1. 首页
  2. 问答
  3. 使用MySQL的CSharp Prepared Statement不起作用

使用MySQL的CSharp Prepared Statement不起作用

2017-07-25 63 views
0

你好, 首先我想告诉你,我是CSharp的新手,这就是为什么我不知道我用MySQL创建连接的方式是错误的,所以因为这个,我必须用Prepared Statement来修改它。请善待!使用MySQL的CSharp Prepared Statement不起作用

这是我试图使它工作的方法。

[HttpPost] 
    public ActionResult ValidatesLogin (User eUser) 
    { 
     var Email = eUser.Email; 
     var Password = eUser.Password; 
     try 
     { 
      MySqlCommand cmd = MySqlConn.cmd; 
       cmd = new MySqlCommand(" from User " + "WHERE [email protected] " + "AND [email protected]", 
        MySqlConn.conn); 
       cmd.Prepare(); 
       cmd.Parameters.AddWithValue("@email", username); 
       cmd.Parameters.AddWithValue("@password", password); 
       int result = (int)cmd.ExecuteReader(); 


      //encrypting the login user password 
      //the encrypter and decrypter must have same key which is 'kahat' below 
      var encryptpassword = EncryptHelper.EncryptString(eUser.Password, "kahat"); 

      // Returns true when username and password match: 
      if (result > 0) 
      { 
       System.Web.Security.FormsAuthentication.SetAuthCookie(eUser.Email, false); 
       return RedirectToAction("Index", "Index", new { area = "Index" }); 

      } 

      else 
      { 
       TempData["Message"] = "Login failed. Email or password supplied doesn't exist."; 
       return View("Index"); 
      } 
     } 
     catch (Exception ex) 
     { 
      return ThrowJsonError(ex); 
     } 
    }

而这下面的代码是我这工作得非常好实际的连接。

[HttpPost] 
     public ActionResult Validate(User eUser) 
     { 
      try 
      { 
       //Pull email and password from login page 
       var Email = eUser.Email; 
       var Password = eUser.Password; 

       //Pull first email and password from database 
       var currentUser = this.rpGeneric.Find<User>(" from User WHERE Email=:email ", new string[] { "email" }, new object[] { Email }).FirstOrDefault(); 

       //encrypting the login user password 
       //the encrypter and decrypter must have same key which is 'kahat' below 
       var encryptpassword = EncryptHelper.EncryptString(eUser.Password, "kahat"); 
       //Comparing user password in login page and current password in db 
       if (currentUser != null && encryptpassword.Equals(currentUser.Password, StringComparison.Ordinal) && currentUser.EmailConfirmed == true) 
       { 
        System.Web.Security.FormsAuthentication.SetAuthCookie(eUser.Email, false); 
        return RedirectToAction("Index", "Index", new { area = "Index" }); 
       } 
       else 
       { 
        TempData["Message"] = "Login failed. Email or password supplied doesn't exist."; 
        return View("Index"); 
       } 
      } 

      catch (Exception ex) 
      { 
       return ThrowJsonError(ex); 
      } 
     }

来源

2017-07-25 Antony Securo

+0

切勿将密码以纯文本形式存储在数据库中!您的问题表明您正在这样做,因为您将用户输入直接与您的查询进行比较。 https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database –

+0

**不要以纯文本**存储密码或加密密码,当攻击者获取数据库时,他也会获取加密密钥。仅仅使用散列函数是不够的,只是添加盐对提高安全性没有多大作用。使用随机盐在HMAC上迭代大约100毫秒的持续时间,并用散列表保存盐。使用诸如'ehash','PBKDF2','Bcrypt','passlib.hash'或类似函数的函数。关键是要让攻击者花费大量时间通过强力查找密码。 – zaph

+0

非常感谢你 –

回答

1

您的SQL查询不完整。

cmd = new MySqlCommand(" from User " + "WHERE [email protected] " + "AND [email protected]", 
       MySqlConn.conn);

你没有告诉MySQL中,你想要它做什么,你需要添加“选择”条款,即你从表中选择列名:

cmd = new MySqlCommand("select [*],[column, column...] from User " + "WHERE [email protected] " + "AND [email protected]", 
       MySqlConn.conn);

来源

2017-07-25 12:24:47 Ortund

+0

作为一种观察:你也不需要连接你的命令字符串。 ''select * from user where Email = @email and Password = @ password'正常工作 – Ortund

+0

非常感谢您的回答,但我也无法理解为什么cmd在这里:MySqlCommand cmd = MySqlConn.cmd;加下划线说对象不包含cmd的定义,也没有扩展方法cmd接受类型对象的第一个参数 –

+0

我不确定你指的是什么代码,因为我在你的文章中看不到那个代码,那个错误的含义是你试图引用一些不存在的东西。 – Ortund

1

好,看起来您在查询中缺少SELECT子句,除非它是如下所示的拼写错误

cmd = new MySqlCommand(" from User " + "WHERE [email protected] " + " 
         ^... Here

来源

2017-07-25 12:25:11 Rahul

相关问题

 相关问题