后台代码:
```asp.net
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
//using System.Data.Sql;
using System.Data.SqlClient;
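/// <summary>
/// Code-behind for the "leave a message" page: verifies the user name / password
/// typed into the form against the leaveMessage20110512 table and, on success,
/// stores the message text for that user.
/// </summary>
public partial class LeaveMessage20110512 : System.Web.UI.Page
{
    // Name of the connection string entry read from the web.config.
    private const string ConnectionStringName = "leaveMessage20110512ConnectionString";

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Click handler of the "leave message" button: looks up the user, checks the
    /// password and, when both match, calls <see cref="update"/> to save the message.
    /// Emits a JavaScript alert on the response when the user is unknown or the
    /// password is wrong.
    /// </summary>
    protected void leaveMsgButton1_Click(object sender, EventArgs e)
    {
        string username = usernameTextBox2.Text;
        string typedPassword = passwordTextBox3.Text;
        string dbpassword;

        // The connection and reader are disposed before update() opens its own
        // connection: a SqlDataReader that is still open blocks other commands
        // on the same connection, and an undisposed connection leaks a pool slot.
        using (SqlConnection myCon = OpenConnection())
        using (SqlCommand myCmd = myCon.CreateCommand())
        {
            // Parameterized query: the user-supplied name travels as a bound value,
            // never as part of the SQL text, so it cannot alter the statement
            // (the original concatenated the text box into the query, which is SQL injection).
            myCmd.CommandText = "select password from leaveMessage20110512 where name=@name";
            myCmd.Parameters.Add(new SqlParameter("name", username));

            using (SqlDataReader myReader = myCmd.ExecuteReader())
            {
                if (!myReader.Read())
                {
                    // Unknown user name.
                    Response.Write("<script>alert('必须输入正确的用户名和密码才能留言!')</script>");
                    return;
                }

                // A NULL password column would make GetString throw; treat it as "no match".
                int ordinal = myReader.GetOrdinal("password");
                dbpassword = myReader.IsDBNull(ordinal) ? null : myReader.GetString(ordinal);
            }
        }

        // NOTE(review): the table stores the password in clear text and it is compared
        // directly; a salted hash (e.g. PBKDF2) would be the proper fix but needs a
        // schema change, so only the comparison is hardened here.
        if (!FixedTimeEquals(typedPassword, dbpassword))
        {
            Response.Write("<script>alert('密码错误!')</script>");
            return;
        }

        update();
    }

    /// <summary>
    /// Writes the message text box into the row of the user named in the user name
    /// text box, then confirms on the response. Only called after the password check.
    /// </summary>
    private void update()
    {
        using (SqlConnection myCon = OpenConnection())
        using (SqlCommand myupdateCmd = myCon.CreateCommand())
        {
            myupdateCmd.CommandText = "update leaveMessage20110512 set message=@message where name=@name";
            myupdateCmd.Parameters.Add(new SqlParameter("message", messageTextBox1.Text));
            myupdateCmd.Parameters.Add(new SqlParameter("name", usernameTextBox2.Text));
            // An UPDATE produces no result set: ExecuteNonQuery instead of ExecuteReader,
            // which left a reader open on the connection.
            myupdateCmd.ExecuteNonQuery();
            Response.Write("成功留言!");
        }
    }

    /// <summary>
    /// Opens a connection using the configured connection string.
    /// The connection is disposed again if Open() fails, so no handle is leaked.
    /// </summary>
    /// <returns>An open <see cref="SqlConnection"/> the caller must dispose.</returns>
    private static SqlConnection OpenConnection()
    {
        SqlConnection con = new SqlConnection(
            ConfigurationManager.ConnectionStrings[ConnectionStringName].ConnectionString);
        try
        {
            con.Open();
            return con;
        }
        catch
        {
            con.Dispose();
            throw;
        }
    }

    /// <summary>
    /// Ordinal string equality whose running time does not depend on the position of
    /// the first differing character, so the comparison itself does not leak the stored
    /// value through timing. Null on either side never matches.
    /// </summary>
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null)
        {
            return false;
        }

        int diff = a.Length ^ b.Length;
        int n = Math.Min(a.Length, b.Length);
        for (int i = 0; i < n; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}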
```
效果展示:
可能出现的问题及解决方法:
问题1:将截断字符串或二进制数据,语句已终止