.NET Forum / Languages / C# / February 2008
about try catch statement

ng kiat - 06 Feb 2008 01:22 GMT
I have been doing this for a while and I can't get it through. I am doing
a password login using a database (the password is fetched from MS Access), and then I am
able to log in. But when I run this my catch did not run; when it finishes
with the try it just ends by itself. This is my code.

protected void btnLogin_Click(object sender, EventArgs e)
{
    OleDbConnection conn5;
    try
    {
        // Connection string is read from the appSettings section of web.config.
        string strConn5 = (string)System.Configuration.ConfigurationManager.AppSettings["ConnectionString"];
        // The query is built by concatenating the user-supplied login and password.
        string strLogin = "SELECT * FROM Pass WHERE Login = ('" + txtLogin.Text + "') AND Password = ('" + txtPassword.Text + "')";
        conn5 = new OleDbConnection(strConn5);
        OleDbCommand cmd5 = new OleDbCommand(strLogin, conn5);
        OleDbDataReader reader;
        conn5.Open();
        reader = cmd5.ExecuteReader();

        // A matching row switches to the admin view; with no rows the loop body never runs.
        while (reader.Read())
        {
            AdminMultiview.SetActiveView(AdminMainPage);
        }
        reader.Close();
        conn5.Close();
    }
    catch (Exception ex)
    {
        lblWrong.Text = "Please check your Login ID and Password again. ";
        lblWrong.Text += ex.Message;
    }
}

Can anybody help me?
Peter Duniho - 06 Feb 2008 01:30 GMT
> i have been doing this for awhile and i can't get it through.i am doind
> a password login using database get password from ms access then i am
> able to log in. but when i run this my catch did not run when it finish
> with try it will end by itself. this is my code.

Are you getting an exception?  If not, then you would not see the code in  
your catch clause execute.  That's only there for if and when an exception  
is thrown.

If you are getting an exception, where are you getting it and why are you  
sure you're getting an exception?

Finally (no pun intended), you have a bug in that you've got  
closeable/disposable objects that won't get closed/disposed in the event  
of an exception.  You can use the "using" statement to ensure that they  
are properly cleaned up.

Pete
Michael C - 06 Feb 2008 03:47 GMT
>         string strLogin = "SELECT * FROM Pass WHERE Login = ('" +
> txtLogin.Text + "') AND Password = ('" + txtPassword.Text + "')";

This sort of thing makes your site very hackable by not very advanced
hackers. What happens if they enter a password like this:

'; DELETE FROM Pass; SELECT '

You might be lucky with Access, but with SQL Server this would give you lots
of trouble.
Ben Voigt [C++ MVP] - 06 Feb 2008 16:02 GMT
>>         string strLogin = "SELECT * FROM Pass WHERE Login = ('" +
>> txtLogin.Text + "') AND Password = ('" + txtPassword.Text + "')";
[quoted text clipped - 3 lines]
>
> '; DELETE FROM Pass; SELECT '

It would need to be

'); DELETE FROM Pass; --

Or some other examples

'); DROP TABLE Pass; --
'); UPDATE Pass SET Password = ('

> You might be lucky with access but with sqlserver this would give you
> lots of trouble.
Misbah Arefin - 06 Feb 2008 17:03 GMT
To protect your site from SQL injection errors, use parameters:
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
http://msdn2.microsoft.com/en-us/library/ms998271.aspx

--
Misbah Arefin

>>>         string strLogin = "SELECT * FROM Pass WHERE Login = ('" +
>>> txtLogin.Text + "') AND Password = ('" + txtPassword.Text + "')";
[quoted text clipped - 15 lines]
>> You might be lucky with access but with sqlserver this would give you
>> lots of trouble.
Alun Harford - 06 Feb 2008 22:26 GMT
> i have been doing this for awhile and i can't get it through.i am doind
> a password login using database get password from ms access then i am
[quoted text clipped - 11 lines]
>          string strLogin = "SELECT * FROM Pass WHERE Login = ('" +
> txtLogin.Text + "') AND Password = ('" + txtPassword.Text + "')";

Well my login is: Robert') OR 1=1; --

http://xkcd.com/327/

Alun Harford
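The payloads quoted in this thread, run against the concatenated query from the original post and against the parameterised form Misbah Arefin recommends. This is an added example, not code from the original post or from the MSDN links; it uses Python and SQLite in place of C#/OleDb/Access because the injection mechanism is the same. The Pass table, its rows and the column names Login/Password are constructed from the original query; sqlite3's execute() runs only one statement and refuses stacked ones, which plays the part of Access ("you might be lucky with Access"), while executescript() is used here as a stand-in for a SQL Server-style driver that runs every statement in the batch (an assumption for illustration, not a claim about any particular driver).

```python
import sqlite3

# Constructed sample rows standing in for the thread's MS Access "Pass" table.
SEED_ROWS = [("admin", "s3cret"), ("robert", "hunter2")]


def make_db():
    """In-memory SQLite database with a Pass table shaped like the one in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Pass (Login TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Pass VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def build_concat_query(login, password):
    """The original post's query, built by string concatenation (the vulnerable form)."""
    return ("SELECT * FROM Pass WHERE Login = ('" + login
            + "') AND Password = ('" + password + "')")


def login_concat(conn, login, password):
    """Vulnerable login: runs the concatenated query through execute().

    execute() runs exactly one statement, so a stacked-query payload such as
    "'); DROP TABLE Pass; --" is refused and shows up as a failed login
    (the "lucky with Access" case).  A tautology such as "Robert') OR 1=1; --"
    is still a single statement and sails through.
    """
    try:
        rows = conn.execute(build_concat_query(login, password)).fetchall()
    except (sqlite3.Error, sqlite3.Warning):
        # Older Pythons raise sqlite3.Warning for stacked statements, newer ones ProgrammingError.
        return False
    return len(rows) > 0


def run_concat_query_as_batch(conn, login, password):
    """Same concatenated query, run by a driver that accepts stacked statements.

    executescript() stands in for a batch-executing driver (assumption for
    illustration): every statement the attacker appended is executed.
    """
    conn.executescript(build_concat_query(login, password))


def login_param(conn, login, password):
    """Hardened login: the values are bound as parameters and never parsed as SQL."""
    row = conn.execute(
        "SELECT * FROM Pass WHERE Login = ? AND Password = ?",
        (login, password),
    ).fetchone()
    return row is not None


def table_exists(conn, name="Pass"):
    """True while the table is still in the schema (used to observe the DROP)."""
    return conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone() is not None


if __name__ == "__main__":
    TAUTOLOGY = "Robert') OR 1=1; --"    # Alun Harford's login
    STACKED = "'); DROP TABLE Pass; --"  # Ben Voigt's example

    conn = make_db()
    print("concat, real creds:     ", login_concat(conn, "admin", "s3cret"))      # True
    print("concat, tautology login:", login_concat(conn, TAUTOLOGY, "anything"))  # True: bypass
    print("concat, stacked payload:", login_concat(conn, STACKED, "x"))           # False: refused
    print("table still there:      ", table_exists(conn))                         # True

    run_concat_query_as_batch(conn, STACKED, "x")
    print("after batch driver:     ", table_exists(conn))                         # False: dropped

    conn = make_db()
    print("params, tautology login:", login_param(conn, TAUTOLOGY, "anything"))   # False
    print("params, real creds:     ", login_param(conn, "admin", "s3cret"))       # True
```

Parameters close the injection hole only: the login still compares cleartext passwords stored in the table, and which payloads a given driver lets through depends on whether it executes stacked statements, so the parameterised query is the fix regardless of which database sits behind it.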

©2008 Advenet LLC