
用ado.net制作简单的用户留言板(2.后台)

后台代码:

```csharp
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
//using System.Data.Sql;
using System.Data.SqlClient;

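public partial class LeaveMessage20110512 : System.Web.UI.Page
{
    // Key of the connection string entry in web.config used by both queries.
    private const string ConnectionStringName = "leaveMessage20110512ConnectionString";

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Click handler for the "leave message" button: looks up the user by the
    /// submitted name, checks the submitted password against the stored one and,
    /// on success, stores the message via <see cref="update"/>.
    /// </summary>
    /// <remarks>
    /// Security notes (review):
    /// - The lookup is parameterized (@name), so the user-name text box cannot
    ///   inject SQL. The original commented-out concatenated query
    ///   ("... where name='" + text + "'") must never be reinstated.
    /// - The stored password is compared as plain text, i.e. passwords are kept
    ///   in clear in the table. The proper fix is to store a salted hash (PBKDF2)
    ///   and hash the submitted value before comparing; that needs a schema
    ///   change and is out of scope for this listing.
    /// - "Unknown user" and "wrong password" produce different messages, which
    ///   lets an attacker enumerate valid user names. A single generic message
    ///   for both cases would be safer; the original wording is kept here.
    /// </remarks>
    protected void leaveMsgButton1_Click(object sender, EventArgs e)
    {
        string submittedName = usernameTextBox2.Text;
        string dbpassword = null; // stays null when the user is not found (or has a NULL password)

        // Connection, command and reader are all disposed deterministically. The
        // original never closed its SqlConnection, leaking a pool slot per click.
        using (SqlConnection myCon = new SqlConnection(ConnectionString()))
        {
            myCon.Open();
            using (SqlCommand myCmd = myCon.CreateCommand())
            {
                // Only the password column is needed; never concatenate user input here.
                myCmd.CommandText = "select password from leaveMessage20110512 where name=@name";
                myCmd.Parameters.Add(new SqlParameter("name", submittedName));
                using (SqlDataReader myReader = myCmd.ExecuteReader())
                {
                    if (myReader.Read())
                    {
                        int ordinal = myReader.GetOrdinal("password");
                        // A NULL password column would make GetString throw; treat it as "no match".
                        if (!myReader.IsDBNull(ordinal))
                        {
                            dbpassword = myReader.GetString(ordinal);
                        }
                    }
                }
            }
        }
        // The reader is closed before any further command runs, so the update cannot
        // fail with "There is already an open DataReader associated with this Command".

        if (dbpassword == null)
        {
            Response.Write("<script>alert('必须输入正确的用户名和密码才能留言!')</script>");
        }
        else if (FixedTimeEquals(passwordTextBox3.Text, dbpassword))
        {
            update();
        }
        else
        {
            Response.Write("<script>alert('密码错误!')</script>");
        }
    }

    /// <summary>
    /// Stores the submitted message for the user name in the text box.
    /// Must only be called after the password check in <see cref="leaveMsgButton1_Click"/>.
    /// </summary>
    /// <remarks>
    /// If the message is longer than the column allows, SQL Server raises
    /// "String or binary data would be truncated"; the column width is not
    /// visible here, so validate <c>messageTextBox1.Text.Length</c> against the
    /// table definition before calling this method.
    /// </remarks>
    private void update()
    {
        using (SqlConnection myCon = new SqlConnection(ConnectionString()))
        {
            myCon.Open();
            using (SqlCommand myupdateCmd = myCon.CreateCommand())
            {
                myupdateCmd.CommandText = "update leaveMessage20110512 set message=@message where name=@name";
                myupdateCmd.Parameters.Add(new SqlParameter("message", messageTextBox1.Text));
                myupdateCmd.Parameters.Add(new SqlParameter("name", usernameTextBox2.Text));
                // An UPDATE returns no result set: ExecuteNonQuery, not ExecuteReader
                // (the original opened a reader it never closed).
                myupdateCmd.ExecuteNonQuery();
                Response.Write("成功留言!");
            }
        }
    }

    /// <summary>
    /// Reads the configured connection string, failing with a clear error instead
    /// of a NullReferenceException when the web.config entry is missing.
    /// </summary>
    private static string ConnectionString()
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[ConnectionStringName];
        if (settings == null)
        {
            throw new ConfigurationErrorsException(
                "Connection string '" + ConnectionStringName + "' is not configured.");
        }
        return settings.ConnectionString;
    }

    /// <summary>
    /// Ordinal string comparison whose running time does not depend on the position
    /// of the first differing character, so response timing does not reveal how much
    /// of the password was correct. Differing lengths return false immediately.
    /// </summary>
    /// <param name="a">Submitted value.</param>
    /// <param name="b">Stored value.</param>
    /// <returns>true when both are non-null and identical.</returns>
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}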
```

效果展示:

可能出现的问题解决:
问题1:将截断字符串或二进制数据,语句已终止 —— 说明提交的留言(或用户名)长度超过了表中对应列定义的宽度。应在写入前校验输入长度(按列定义限制),或者加宽该列。

问题2:已有打开的与此命令相关联的 DataReader,必须首先将它关闭 —— 在同一个连接上,SqlDataReader 未关闭前不能再执行 UPDATE 等语句。应先关闭(或用 using 释放)reader 再执行更新;另外 UPDATE 语句应使用 ExecuteNonQuery 而不是 ExecuteReader,否则会留下一个未关闭的 reader。
