我正在使用ASP.NET 4.0和SQL Server 2008开发一个网站。在登录页面中,我必须检查用户供应商ID,并根据供应商ID将页面重定向到不同的页面。一切正常但我不喜欢我不知道如何检查管理员何时输入他的VendorID和密码,以便管理页面重定向。他的供应商ID和密码也与其他用户存储在同一个表“User_Info”中。请注意以下代码,它总是被重定向到管理页面只是因为我直接在代码中提供了他的vendorID和密码。请提出你的建议来克服这个问题。
protected void BtnHomeUserSubmit_Click(object sender, EventArgs e)
{
SqlConnection SqlCon = new SqlConnection(GetConnectionString());
try
{
var da1 = new SqlDataAdapter("select * from User_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND User_Password='" + txtHomePassword.Text.Trim() + "'", SqlCon);
var dt1 = new DataTable();
da1.Fill(dt1);
if (dt1.Rows.Count == 0)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert('Enter valid Vendor ID and Password');", true);
}
else
{
var da = new SqlDataAdapter("select * from User_Info where Vendor_ID='Admin' AND User_Password='123456'", SqlCon);
var dt = new DataTable();
da.Fill(dt);
if (dt.Rows.Count > 0)
{
Response.Redirect("~/AdminCompanyInfo.aspx");
}
var da2 = new SqlDataAdapter("select * from Company_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND Approval_Status='NO' OR Approval_Status='PEN'", SqlCon);
var dt2 = new DataTable();
da2.Fill(dt2);
if (dt2.Rows.Count > 0)
{
string url = "../ApprovalStatus2.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text);
ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID is waiting for Approval');window.location.href = '" + url + "';", true);
}
var da3 = new SqlDataAdapter("select Vendor_ID from RegPage1 where Vendor_ID='" + txtHomeUsername.Text.Trim() + "'", SqlCon);
var dt3 = new DataTable();
da3.Fill(dt3);
if (dt3.Rows.Count > 0)
{
string url = "../UserLogin.aspx";
ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID already completed the registration');window.location.href = '" + url + "';", true);
}
else
{
Response.Redirect("~/RegPage1.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text));
}
}
}
finally
{
SqlCon.Close();
}
}
答案 0 :(得分:1)
试试这个.. 构建体系结构时,请考虑此访问数据库是代码中最昂贵的访问。并且更喜欢使用SqlCommand(参数化值)。
var da1 = new SqlDataAdapter("select * from User_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND User_Password='" + txtHomePassword.Text.Trim() + "'", SqlCon);
var dt1 = new DataTable();
da1.Fill(dt1);
if (dt1.Rows.Count == 0)
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert('Enter valid Vendor ID and Password');", true);
}
else
{
switch(dt.Rows[0]["Vendor_ID"].ToString())
{
case "Admin": Response.Redirect("~/AdminCompanyInfo.aspx"); break;
//other oprtions goes here...
}
var da2 = new SqlDataAdapter("select * from Company_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND Approval_Status='NO' OR Approval_Status='PEN'", SqlCon);
var dt2 = new DataTable();
da2.Fill(dt2);
if (dt2.Rows.Count > 0)
{
string url = "../ApprovalStatus2.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text);
ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID is waiting for Approval');window.location.href = '" + url + "';", true);
}
var da3 = new SqlDataAdapter("select Vendor_ID from RegPage1 where Vendor_ID='" + txtHomeUsername.Text.Trim() + "'", SqlCon);
var dt3 = new DataTable();
da3.Fill(dt3);
if (dt3.Rows.Count > 0)
{
string url = "../UserLogin.aspx";
ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID already completed the registration');window.location.href = '" + url + "';", true);
}
else
{
Response.Redirect("~/RegPage1.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text));
}
}
答案 1 :(得分:0)
虽然给出的示例是有用的,但SQL注入是一个很大的问题。你应该使用参数化查询。
http://blogs.msdn.com/b/sqlphp/archive/2008/09/30/how-and-why-to-use-parameterized-queries.aspx