Security Anti-Black Asp. Net code

I remember when I heard people say that the Administrator Login check in ASP. NET is all about using the stored procedure, so it won't create a universal password or "--" so that the user can log on to the background. At that time, it was easy to hear about it. I didn't care much about it. I found it so easy to do it myself.

Look at a piece of code I wrote:

Protected void btnLogin_Click (object sender, EventArgs e)
{
# Region
If (tbUserName. Text = "" | tbPassWord. Text = "")
Response. Write ("<script> alert (the user name or password cannot be blank); </script> ");
Else
{
String ConnectionString = System. Configuration. ConfigurationSettings. etettings ["OraConnString"];
String strSql = string. Format ("select * from manager where UserName = {0} and PassWord = {1}", tbUserName. Text, tbPassWord. Text );
Using (OracleConnection conn = new OracleConnection (ConnectionString ))
{
Conn. Open ();

Using (OracleCommand cmd = new OracleCommand (strSql, conn ))
{
Try
{
OracleDataReader check = cmd. ExecuteReader ();
If (check. HasRows)
{
Check. Read ();
Session ["UserCheck"] = tbUserName. Text. Trim ();
If (Convert. ToInt16 (check ["admin

State "]. ToString () = 1)
Session ["admin"] = "OK ";
Response. Redirect ("ShowWork. aspx ");
}
Else
{
LbState. Text = "incorrect user name or password! ";
}
}
Catch (System. Exception)
{
Response. Write ("<script> alert (the server encountered an unknown error. Please confirm that your user name and password are correct !); </Script> ");
}
}
}
}
# Endregion
}

I simply did not use statements to judge whether the query statement is true or false. If you want to make a mistake, you can't do it. The criterion is whether the query statement can bring back the result set record. Haha.

Add an exception and throw it all. It's useless for you to try it!