protected void Button1_Click(object sender, EventArgs e)
{
string myconnectionstring = System.Configuration.ConfigurationManager.AppSettings["connstr"];
string mycommandstring = "SELECT * FROM who where who_name=" + "’" + TextBox1.Text + "’" + "and who_pwd = " + "’" + TextBox2.Text+ "’";
SqlConnection myconnection = new SqlConnection(myconnectionstring);
SqlCommand mycommand = new SqlCommand(mycommandstring, myconnection);
myconnection.Open();
SqlDataReader myreader = mycommand.ExecuteReader();
if (myreader.Read())
{
Session["name"] = myreader["who_name"].ToString();
Response.Redirect("postdoing.aspx");
}
else
{
Response.Write("<script>alert(‘用户名或密码不正确,请重新登陆’);</script>");
Response.Redirect("login.aspx");
}
}
protected void Button2_Click(object sender, EventArgs e)
{
TextBox1.Text = TextBox2.Text = "";
}
string mycommandstring = "SELECT * FROM who where who_name=" + "’" + TextBox1.Text + "’" + "and who_pwd = " + "’" + TextBox2.Text+ "’";
这种有明显的漏洞攻击!
请更改吧!
jeffersyuan兄,这个该怎么改呢
我刚从asp转成.net选手,对安全这方面还没研究。
请指点一二。