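using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Data.SqlClient;
using System.Drawing;
using System.Linq;
// Hashing namespace
using System.Security.Cryptography;
using System.Text;
using System.Windows.Forms;

namespace ch02
{
    /// <summary>
    /// Registration form: validates the input fields, hashes the password and
    /// inserts the new row into the [User] table. Several insert variants are
    /// kept side by side for comparison; all of them now send the form values
    /// as SqlParameters so user input is never parsed as SQL text.
    /// </summary>
    public partial class Form1 : Form
    {
        /// <summary>
        /// Statement shared by every insert variant. TypeID is fixed at 1;
        /// the four remaining columns come from <see cref="BuildUserParameters"/>.
        /// </summary>
        private const string InsertUserSql =
            "insert into [User]([Name],UserName,Password,TypeID,[Desc]) " +
            " values(@Name,@UserName,@Password,1,@Desc)";

        public Form1()
        {
            InitializeComponent();
        }

        /// <summary>
        /// Register button handler: runs <see cref="Check"/>, hashes the password
        /// and inserts the record with the AddRange variant.
        /// </summary>
        private void btnRegist_Click(object sender, EventArgs e)
        {
            if (!Check())
            {
                return;
            }

            string strName = txtName.Text.Trim();
            string strUserName = txtUserName.Text.Trim();
            // Only the hash of the password is ever sent to the database.
            string strPwd = PwdForMD5(txtPwd.Text);
            string strDesc = txtDesc.Text;

            //InsertData(strName, strUserName, strPwd, strDesc);
            InsertDataForParameterRange(strName, strUserName, strPwd, strDesc);
        }

        #region Shared helpers
        /// <summary>
        /// Builds the four parameters used by <see cref="InsertUserSql"/>.
        /// The sizes are the ones the original code declared; SqlClient cuts an
        /// input string down to the declared Size instead of rejecting it, so
        /// over-long input is truncated silently — confirm against the column
        /// widths in [User] and whether <see cref="Check"/> should enforce them.
        /// </summary>
        /// <param name="strName">Display name (@Name, varchar(16)).</param>
        /// <param name="strUserName">Login name (@UserName, varchar(16)).</param>
        /// <param name="strPwd">Password hash as produced by <see cref="PwdForMD5"/> (@Password, varchar(64)).</param>
        /// <param name="strDesc">Free-text description (@Desc, varchar(256)).</param>
        /// <returns>Parameters in the order @Name, @UserName, @Password, @Desc.</returns>
        private static SqlParameter[] BuildUserParameters(string strName, string strUserName, string strPwd, string strDesc)
        {
            SqlParameter[] param =
            {
                new SqlParameter("@Name", SqlDbType.VarChar, 16),
                new SqlParameter("@UserName", SqlDbType.VarChar, 16),
                new SqlParameter("@Password", SqlDbType.VarChar, 64),
                new SqlParameter("@Desc", SqlDbType.VarChar, 256)
            };
            param[0].Value = strName;
            param[1].Value = strUserName;
            param[2].Value = strPwd;
            param[3].Value = strDesc;
            return param;
        }

        /// <summary>
        /// Shows the success or failure prompt for an insert that affected
        /// <paramref name="rowsAffected"/> rows.
        /// </summary>
        private static void ShowRegisterResult(int rowsAffected)
        {
            if (rowsAffected > 0)
            {
                MessageBox.Show("注册成功!", "系统提示");
            }
            else
            {
                MessageBox.Show("注册失败!", "系统提示");
            }
        }
        #endregion

        #region Method one — originally concatenated the values into the SQL text (SQL-injection prone); now parameterised
        /// <summary>
        /// Registration method one. The original version spliced the form values
        /// into the statement with string concatenation, which let a crafted
        /// value change the query; it now runs the same statement through the
        /// parameterised DBHelper overload.
        /// </summary>
        /// <param name="strName">Display name.</param>
        /// <param name="strUserName">Login name.</param>
        /// <param name="strPwd">Password hash.</param>
        /// <param name="strDesc">Description.</param>
        private void InsertData(string strName, string strUserName, string strPwd, string strDesc)
        {
            SqlParameter[] param = BuildUserParameters(strName, strUserName, strPwd, strDesc);
            ShowRegisterResult(DBHelper.ExecuteNonQuery(InsertUserSql, param));
        }
        #endregion

        #region Parameterised execution, parameters added one at a time
        /// <summary>
        /// Executes the insert with parameters, adding each one to the command
        /// individually (kept to show the two SqlParameter construction styles).
        /// </summary>
        /// <param name="strName">Display name.</param>
        /// <param name="strUserName">Login name.</param>
        /// <param name="strPwd">Password hash.</param>
        /// <param name="strDesc">Description.</param>
        private void InsertDataForParameter(string strName, string strUserName, string strPwd, string strDesc)
        {
            SqlParameter param1 = new SqlParameter();
            param1.ParameterName = "@Name";
            param1.SqlDbType = SqlDbType.VarChar;
            param1.Size = 16;
            param1.Value = strName;
            SqlParameter param2 = new SqlParameter("@UserName", SqlDbType.VarChar, 16);
            param2.Value = strUserName;
            SqlParameter param3 = new SqlParameter("@Password", SqlDbType.VarChar, 64);
            param3.Value = strPwd;
            SqlParameter param4 = new SqlParameter("@Desc", SqlDbType.VarChar, 256);
            param4.Value = strDesc;

            // SqlCommand is IDisposable; the original leaked it.
            using (SqlCommand comm = new SqlCommand(InsertUserSql, DBHelper.Conn))
            {
                comm.Parameters.Add(param1);
                comm.Parameters.Add(param2);
                comm.Parameters.Add(param3);
                comm.Parameters.Add(param4);

                DBHelper.ConnOpen();
                try
                {
                    ShowRegisterResult(comm.ExecuteNonQuery());
                }
                finally
                {
                    // The shared DBHelper connection must be released even when
                    // ExecuteNonQuery throws; the original left it open on error.
                    DBHelper.ConnClose();
                }
            }
        }
        #endregion

        #region Parameterised execution, parameters added as an array in one call
        /// <summary>
        /// Executes the insert with parameters, attaching the whole array at
        /// once with AddRange.
        /// </summary>
        /// <param name="strName">Display name.</param>
        /// <param name="strUserName">Login name.</param>
        /// <param name="strPwd">Password hash.</param>
        /// <param name="strDesc">Description.</param>
        private void InsertDataForParameterRange(string strName, string strUserName, string strPwd, string strDesc)
        {
            SqlParameter[] param = BuildUserParameters(strName, strUserName, strPwd, strDesc);

            using (SqlCommand comm = new SqlCommand(InsertUserSql, DBHelper.Conn))
            {
                // Attach the parameter array in one call.
                comm.Parameters.AddRange(param);

                DBHelper.ConnOpen();
                try
                {
                    ShowRegisterResult(comm.ExecuteNonQuery());
                }
                finally
                {
                    // Release the shared connection on both the success and the
                    // exception path.
                    DBHelper.ConnClose();
                }
            }
        }
        #endregion

        #region Parameterised execution through DBHelper: pass the statement and the parameters
        /// <summary>
        /// Executes the insert through DBHelper's parameterised ExecuteNonQuery.
        /// (Method name keeps its original spelling for existing callers.)
        /// </summary>
        /// <param name="strName">Display name.</param>
        /// <param name="strUserName">Login name.</param>
        /// <param name="strPwd">Password hash.</param>
        /// <param name="strDesc">Description.</param>
        private void IsertDataForDbHelper(string strName, string strUserName, string strPwd, string strDesc)
        {
            SqlParameter[] param = BuildUserParameters(strName, strUserName, strPwd, strDesc);
            // DBHelper opens and closes its own connection for this overload.
            ShowRegisterResult(DBHelper.ExecuteNonQuery(InsertUserSql, param));
        }
        #endregion

        #region Input validation
        /// <summary>
        /// Validates the form before registration: name, user name and password
        /// must be non-empty and the two password boxes must match. Shows a
        /// prompt for the first failing rule.
        /// </summary>
        /// <returns>true when every field passes; false after the first failure.</returns>
        private bool Check()
        {
            string strName = txtName.Text.Trim();
            if (string.IsNullOrEmpty(strName))
            {
                MessageBox.Show("用户姓名不能为空!", "系统提示");
                return false;
            }

            string strUserName = txtUserName.Text.Trim();
            if (string.IsNullOrEmpty(strUserName))
            {
                MessageBox.Show("用户名不能为空!", "系统提示");
                return false;
            }

            // The password is deliberately not trimmed: whitespace is part of it.
            string strPwd = txtPwd.Text;
            if (string.IsNullOrEmpty(strPwd))
            {
                MessageBox.Show("用户密码不能为空!", "系统提示");
                return false;
            }

            string strRePwd = txtRePwd.Text;
            if (strRePwd != strPwd)
            {
                MessageBox.Show("密码不一致!", "系统提示");
                return false;
            }

            return true;
        }
        #endregion

        #region Hashing
        /// <summary>
        /// Hashes the password with MD5 and returns BitConverter's hyphen-separated
        /// upper-case hex form (16 bytes -> 47 characters), which is the value the
        /// Password column stores.
        /// NOTE(review): unsalted MD5 is not an acceptable password hash — it is
        /// fast and precomputable, so stored values are easy to recover. Moving to
        /// a salted, slow KDF (Rfc2898DeriveBytes / PBKDF2) also changes the stored
        /// format and the varchar(64) column, so it is flagged here rather than
        /// changed in place.
        /// </summary>
        /// <param name="strPwd">Plain-text password from the form.</param>
        /// <returns>Hyphen-separated hex digest of the UTF-8 bytes of <paramref name="strPwd"/>.</returns>
        private string PwdForMD5(string strPwd)
        {
            // Hash the UTF-8 bytes of the password.
            byte[] bytes = Encoding.UTF8.GetBytes(strPwd);
            // MD5.Create() replaces the platform-specific MD5CryptoServiceProvider
            // (obsolete on newer runtimes); the digest is identical. The provider
            // is disposable; the original never released it.
            using (MD5 md5 = MD5.Create())
            {
                bytes = md5.ComputeHash(bytes);
            }
            // Same output format as before: "AA-BB-...".
            return BitConverter.ToString(bytes);
        }
        #endregion
    }
}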