Question

目前我试图让人们重置用户密码。我的代码似乎工作正常，我能够查询数据库，并且还发送带有密码的电子邮件，我唯一的问题是在数据读取器中运行更新命令查询另外，我如何在SQL查询中散列纯文本密码。

谢谢

下面是我的代码：

protected void Page_Load(object sender, EventArgs e)
{ }

protected void Button1_Click(object sender, EventArgs e)
{

    string connetionString = null;
    string sqlupdate = null;
    string sqlCheckUser = null;
    string sqlCheck = null;
    string user = username.Text;
    string password = password_row.Text;
    //Simple Text Field Vaildator
    if (user == String.Empty)
    {
        required.Text = "Please Enter Username";
        return;
    }//end if 
    else 
    {
        SqlConnection cnn;
        SqlCommand command;
        string ConnectionString = ConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString;
        sqlCheckUser = "SELECT * FROM Users WHERE LoginID='" + user + "'";

        sqlupdate = "UPDATE Users SET Password='" + password + "' WHERE LoginID='" + user + "'";
        cnn = new SqlConnection(ConnectionString);

        try
        {
            cnn.Open();
            using (command = new SqlCommand(sqlCheckUser, cnn))
            {
                SqlDataReader dataReader = command.ExecuteReader(); //Not used
                while (dataReader.Read())
                {
                string email = (string)dataReader["Email"];
                string userName = (string)dataReader["LoginID"];
                TextBox1.Text = Convert.ToString(email); //Testing OutPut
                required.Text = "Please Check your Email Address for New Password"; 
                if (userName == user)
                {
                    SqlCommand update = new SqlCommand(sqlupdate, cnn);
                    required.Text = "Please Check your Email Address for New Password"; 
                    /*
                     * Send Email to User with New Password.
                     */
                     MailMessage mail = new MailMessage();
                     SmtpClient SmtpServer = new SmtpClient("");

                     mail.From = new MailAddress("");
                     mail.To.Add(email);
                     mail.Subject = "FTP Password Reset";
                     mail.Body = "The Password for your FTP account has been reset. Your new password is the following:   " + password;
                     SmtpServer.Send(mail);
                     /*
                      * End of Email
                      **/

                }//End If
                }//End While
            }//End Using
            command.Dispose();//Dispose of Command
            cnn.Close();//Close Database Connection
        }//End Try
        catch (Exception ex)
        {
            TextBox1.Text = Convert.ToString("Can not open connection ! ");//Output on Connection
        }//End Catach
    }//End Else 
}//End Button on Click

Answer 1

上面的代码有点难以理解，但我自己完成了这一切，这应该有效。您需要做什么在执行更新之前，请关闭锁定SqlDataReader对象的SqlCommand对象。

和

永远不要在您的查询中注明原始用户输入！

使用参数代替，以避免成为麻烦的SQL注入攻击的简单目标。

所以，当一切都说完了，我可能会或多或少地这样做：

protected void Button1_Click(object sender, EventArgs e)
    {
        string sqlupdate = null;
        string sqlCheckUser = null;
        string sqlCheck = null;
        string user = username.Text;
        string password = password_row.Text;

        if (user == String.Empty)
        {
            required.Text = "Please Enter Username";
            return;
        }
        else
        {
            try
            {
                SqlConnection cnn = new SqlConnection(ConfigurationManager.ConnectionStrings["myConnectionString"].ConnectionString);
                SqlCommand command;
                SqlDataReader dataReader;

                cnn.Open();
                //NEVER EVER use raw input from the user in a SQL query, use parameters at all times to
                //prevent SQL Injection
                command = new SqlCommand("SELECT * FROM Users WHERE LoginID=@User", cnn);
                command.Parameters.Add("@User",SqlDbType.NVarChar,100).Value = user;

                dataReader = command.ExecuteReader();

                if(dataReader.HasRows)
                {
                    dataReader.Read();
                    string email = dataReader["Email"].ToString();
                    string userName = dataReader["LoginID"].ToString();

                    TextBox1.Text = email;
                    required.Text = "Please Check your Email Address for New Password";

                    dataReader.Close(); //All data is fetched, Close the datareader in order to be able to run the update command

                    SqlCommand update = new SqlCommand("UPDATE Users SET Password=@Password WHERE LoginID=@User", cnn);
                    command.Parameters.Add("@Password",SqlDbType.NVarChar,255).Value = password;
                    command.Parameters.Add("@User",SqlDbType.NVarChar,100).Value = user;
                    command.ExecuteNonQuery();

                    required.Text = "Please Check your Email Address for New Password";

                    MailMessage mail = new MailMessage();
                    SmtpClient SmtpServer = new SmtpClient("");

                    mail.From = new MailAddress("");
                    mail.To.Add(email);
                    mail.Subject = "FTP Password Reset";
                    mail.Body = "The Password for your FTP account has been reset. Your new password is the following:   " + password;
                    SmtpServer.Send(mail);
                }
                else
                {
                    dataReader.Close();
                    //No user was found, do some fancy thing here!
                }

                command.Dispose();
                cnn.Close();
                cnn.Dispose();
            }
            catch (Exception ex)
            {
                TextBox1.Text = Convert.ToString("Can not open connection ! ");
            }
        }
    }

Answer 2

我关闭了SQL连接，并在if语句中打开了一个新的连接似乎有效，但确实给了我Catch Error。但并不担心，因为它似乎正在起作用。

dataReader C＃中的SQL更新查询

2 个答案: