下面是登录窗体一:后台代码如下:using System;using System.Collections.Generic;using System。ComponentModel;using System。Data;using System。Drawing;using System.Linq;using System。Text;using System.Windows。Forms;using MrCy。BaseClass;//引入文件夹BaseClassusing System。Data.SqlClient;//引入连接数据库所需的类namespace MrCy{ public partial class frmLogin : Form { public frmLogin() { InitializeComponent(); } ///
/// 用户点击“登录”触发的事件 /// 〈/summary> /// 〈/param〉 /// 〈param name=”e”〉〈/param> private void btnLogin_Click(object sender, EventArgs e) { try { string UserName = txtUserName.Text。Trim();//猎取用户名 string PassWord = txtPwd.Text.Trim();//猎取密码 if (UserName == ””)//假如用户名为空值 { MessageBox.Show("请输入用户名", ”提示”, MessageBoxButtons。OK, MessageBoxIcon.Information);//弹出消息对话框 } else if (PassWord == "”)//假如密码为空值 { MessageBox.Show("请输入密码", ”提示", MessageBoxButtons.OK, MessageBoxIcon。Information);//弹出消息对话框 } else { SqlConnection conn = DBconn。Connection();//创建数据库连接对象 conn.Open();//打开数据库连接 string str = ”select count(*) from tb_User where UserName='" + UserName + "’ and UserPwd=’" + PassWord + "’";//建立查询数据库中tb_User表的用户名和对应密码的SQL字符串,但是这样的SQL语句存在SQL注入漏洞(用户名:ww' or 1=1——,密码:随便输) SqlCommand cmd = new SqlCommand(str, conn);//创建命令对象; int n = (int)cmd.ExecuteScalar(); if (n 〉= 1)//推断是否有匹配的用户名和密码 { string str1 = "select * from tb_User where UserName='” + UserName + "'";//根据用户名查询tb_User表中数据 cmd = new SqlCommand(str1, conn);//创建命令对象; SqlDataReader sdr = cmd.ExecuteReader();//创建数据读取器对象 sdr。Read();//读取数据 string UserPower = sdr[”Power”]。ToString()。Trim();//猎取数据...
