Author: mobiledu2502869467 | Source: Internet | 2022-12-09 18:25
How do I fix this error, "String must be exactly one character long"? I am sharing this function; please look at the problem and solve it.
I have highlighted the line so you can see it. How can this be fixed, if we can convert the char to a string or something else?
Function
    public DataTable mlogin(string username, string password)
    {
        string constring = ConfigurationManager.ConnectionStrings["Real"].ConnectionString;
        SqlConnection con = new SqlConnection(constring);
        SqlCommand cmd; // declared here so the snippet compiles on its own; in the original it is presumably a class field
        password = Cryptographer.Encrypt(password);
        con.Open();
        if (char.IsNumber(Convert.ToChar(username))) //String must be exactly one character long
        {
            cmd = new SqlCommand("select MD.MembershipID, MembershipName, address, ISNULL(FD.FileID,'') as FileID,ISNULL(Sec.SectorName, '') as SectorName, ISNULL(I.PlotNo, '') as PlotNo, MD.ClientPic from MemberMaster MM " +
                " inner join MembersDetail MD on MD.MemberShipID = MM.MemberShipID and MD.Srno = 1 " +
                " inner join MasterFileDetail FD on FD.MembershipID = MM.MemberShipID and FD.IsOwner = 1 and FD.IsTransfered = 1 " +
                " inner join MasterFile FM on FM.FileID = FD.FileID and FM.Cancel = 0 " +
                " inner join Sectors Sec on Sec.Phase_ID = FM.PhaseId and Sec.Sector_ID = FM.Sector_ID " +
                " inner join PlotsInventory I on I.Phase_ID = FM.PhaseId and I.Plot_ID = FM.Plot_ID " +
                " where MM.MemberShipID = '" + username + "' and MM.IsApproved = 1 and RTRIM(MM.LoginPwd) = '" + password + "' and MM.IsActive = 1 " +
                " order by FD.FileID", con);
        }
        else
        {
            cmd = new SqlCommand("select User_Id, User_Name,User_Type, Group_Id from BriskSecurity.dbo.Users where User_Login='" + username + "' and User_password='" + password + "' ", con);
        }
        cmd.CommandType = CommandType.Text;
        // These parameters are added, but neither query text above references @MembershipID or @LoginPwd;
        // the values are concatenated into the SQL string instead.
        cmd.Parameters.AddWithValue("@MembershipID", username);
        cmd.Parameters.AddWithValue("@LoginPwd", password);
        DataTable mDT_User = new DataTable();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        da.Fill(mDT_User);
        con.Close();
        return mDT_User;
    }
John_Reinsta..
6
What you are doing is fundamentally wrong.
Consider the username "John". Can you convert a 4-character string into a single character? No. You cannot use that to check whether the whole username is numeric.
Instead, you have two options:
(1) Check that every character of the username is a digit:
    if (username.All(c => char.IsNumber(c))) // requires using System.Linq;
    {
        // ...
    }
(2) Parse it as a number (assuming it can be represented as a number, and leading zeros do not matter)
    if (int.TryParse(username, out var usernameAsInt))
    {
        // ...
    }
Next, I suggest looking into parameterized SQL queries.
Imagine the following query:
    "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
What if my username were ' OR username = 'administrator'; -- ? The query becomes:
    SELECT * FROM users WHERE username = '' OR username = 'administrator'; -- ' AND password = ''
Everything after -- becomes a comment. You can learn more about parameterized SQL queries here.