So I have a registration form with a text field where the user enters a username. Every time the user clicks the submit button, the username is checked in the database and an error is shown if it already exists.
How can I avoid doing this on the server side and instead perform the same process on the client side?
The server-side code I have so far is:
```csharp
using System;
using System.Data;
using System.Data.SqlClient;

protected void btnRegister_Click(object sender, EventArgs e)
{
    // Look for the username in tbl_donor, tbl_organizer and tbl_admin.
    // UNION ALL replaces the original comma (cross) join of the three tables:
    // a cross join yields no rows at all when any one table is empty, so a
    // taken username could go undetected.
    const string unameSql =
        "SELECT don_uname FROM tbl_donor WHERE don_uname = @uname " +
        "UNION ALL SELECT org_uname FROM tbl_organizer WHERE org_uname = @uname " +
        "UNION ALL SELECT adm_uname FROM tbl_admin WHERE adm_uname = @uname";
    const string nicSql = "SELECT * FROM tbl_organizer WHERE org_nic = @national";

    // using blocks dispose the connections, commands and readers even when
    // ExecuteReader throws; the original never closed them.
    using (SqlConnection con5 = new SqlConnection(_conString))
    using (SqlConnection con2 = new SqlConnection(_conString))
    using (SqlCommand cmd5 = new SqlCommand(unameSql, con5))
    using (SqlCommand cmd2 = new SqlCommand(nicSql, con2))
    {
        cmd5.CommandType = CommandType.Text;
        cmd2.CommandType = CommandType.Text;
        // Parameterized queries for the username and the NIC.
        cmd5.Parameters.AddWithValue("@uname", txtuname.Text.Trim());
        cmd2.Parameters.AddWithValue("@national", txtnic.Text.Trim());

        con5.Open();
        con2.Open();
        using (SqlDataReader dr = cmd5.ExecuteReader())
        using (SqlDataReader dr2 = cmd2.ExecuteReader())
        {
            // Checking if the username already exists in the DB.
            // (dr2, the NIC lookup, is executed but never inspected here.)
            if (dr.HasRows)
            {
                lblErrMsg.Text = "Username Already Exist, Please Choose Another";
                lblErrMsg.ForeColor = System.Drawing.Color.Red;
                lblErrMsg.BackColor = System.Drawing.Color.White;
                txtuname.Focus();
            }
            else
            {
                // we continue to insert.
            }
        }
    }
}
```
Having the usernames on the client is not a viable solution, and it is also a security hole. You would essentially be leaking data and opening yourself up to enumeration attacks. What you could do is add a server-side event on text changed, as below, which fires when the user tabs out (blur). That can check whether the username exists.
ASPX:
```aspx
<asp:TextBox ID="txtuname" runat="server" AutoPostBack="true" OnTextChanged="txtuname_TextChanged" />
```
Code-behind:
```csharp
using System;
using System.Data;
using System.Data.SqlClient;

protected void txtuname_TextChanged(object sender, EventArgs e)
{
    // Same lookup as the register handler, run when the textbox loses focus.
    // UNION ALL replaces the original comma (cross) join of the three tables.
    const string sql =
        "SELECT don_uname FROM tbl_donor WHERE don_uname = @uname " +
        "UNION ALL SELECT org_uname FROM tbl_organizer WHERE org_uname = @uname " +
        "UNION ALL SELECT adm_uname FROM tbl_admin WHERE adm_uname = @uname";

    using (SqlConnection con = new SqlConnection(_conString))
    using (SqlCommand cmd = new SqlCommand(sql, con)) // original never set cmd.Connection
    {
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.AddWithValue("@uname", txtuname.Text.Trim());
        con.Open();
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            if (dr.HasRows)
            {
                lblErrMsg.Text = "Username Already Exist, Please Choose Another";
                lblErrMsg.ForeColor = System.Drawing.Color.Red;
                lblErrMsg.BackColor = System.Drawing.Color.White;
                txtuname.Focus();
            }
        }
    }
}
```
At work we even removed this feature from our site because of possible enumeration attacks, even though that hurts usability. So think it over and implement the same approach.
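Added example, not code from either post: one server-side helper that both handlers above could call, combining a single EXISTS lookup over the three tables with a per-session cap on how many availability checks a visitor may run, which limits the enumeration concern the answer raises. Table and column names come from the thread; the session key, the limit of 10 and the `NVarChar(50)` column length are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.SessionState;

public static class UsernameCheck
{
    private const string SessionKey = "uname_checks";   // assumed key
    private const int MaxChecksPerSession = 10;          // assumed limit

    // True when the username is taken in tbl_donor, tbl_organizer or tbl_admin.
    // A single EXISTS over a UNION ALL avoids the cross join of the original
    // query and returns 0/1 through ExecuteScalar instead of a reader.
    public static bool Exists(string connectionString, string uname)
    {
        const string sql =
            "SELECT CASE WHEN EXISTS (" +
            "  SELECT 1 FROM tbl_donor WHERE don_uname = @uname " +
            "  UNION ALL SELECT 1 FROM tbl_organizer WHERE org_uname = @uname " +
            "  UNION ALL SELECT 1 FROM tbl_admin WHERE adm_uname = @uname) " +
            "THEN 1 ELSE 0 END";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.CommandType = CommandType.Text;
            // Explicit type and length (assumed 50) keep over-long input out
            // of the query and avoid implicit conversions on the server.
            cmd.Parameters.Add("@uname", SqlDbType.NVarChar, 50).Value = uname.Trim();
            con.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    // Counts availability checks in Session and reports when the allowance
    // is used up. A per-visitor counter is a simple throttle; a real site
    // would also rate-limit by IP at the server or gateway.
    public static bool OverLimit(HttpSessionState session)
    {
        int count = session[SessionKey] as int? ?? 0;
        session[SessionKey] = count + 1;
        return count >= MaxChecksPerSession;
    }
}
```

In `txtuname_TextChanged`, call `UsernameCheck.OverLimit(Session)` first and show a generic "please try again later" message when it returns true; only then call `UsernameCheck.Exists(_conString, txtuname.Text)` and set `lblErrMsg` as in the answer.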