我试图在我的应用程序中实现一些安全性。我有一个名为USER_AUTHORIZATION的表,其中包含要使用该应用程序的ID的有效单点登录列表。格式为COMPANYNAME \ 111222333,存储在名为UNAME的字段中。我在访问应用程序时尝试执行检查,如果当前登录的用户位于有效用户表中,则查看该应用程序。如果他们的SSO不在表中,我想显示错误消息。
查看
@model IEnumerable<BillingApp.Models.HOLIDAY_DATE_TABLE>
@using System.Data;
@using System.Data.SqlClient;
@{
ViewBag.Title = "Table 8: Holiday Date Table";
Layout = "../Shared/Layout2.cshtml";
var whoareyoupeople = @User.Identity.Name;
DateTime date = DateTime.Now;
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + ".";
string connStringswag = "Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework";
using (SqlConnection _connyswagyolo = new SqlConnection(connStringswag))
{
_connyswagyolo.Open();
string checkauth = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")";
SqlCommand Command223 = new SqlCommand(checkauth, _connyswagyolo);
Command223.ExecuteNonQuery();
_connyswagyolo.Close();
}
@section featured2 {
@if (whoareyoupeople not found in table){
<center><h2 style="color:red">Access Denied for user @User.Identity.Name. You are not authorized to view this application.</h2></center>
string fileName = "C:\\BillingExport\\SECURITY\\seclog.txt";
using (FileStream fs = new FileStream(fileName, FileMode.Append, FileAccess.Write)){
using (StreamWriter sw = new StreamWriter(fs))
{
sw.WriteLine(myerrorstring);
}
}
}
else{
//actual content to be displayed (table information) goes here
我最大的两个问题是,我如何形成if语句来检查查询结果?另外,我收到错误&#34; CS1513:}预期&#34;。
您会注意到以下代码段在使用sqlconnection行时缺少关闭错误。这是因为无论出于何种原因,第一个结束括号始终被visual studio 2012识别为代码块的末尾(即@ {})。
更新:我将代码移至我的控制器
public ActionResult HolidayDateTable()
{
var whoareyoupeople = User.Identity.Name;
DateTime date = DateTime.Now;
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + ".";
string connStringswag = "Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework";
using (SqlConnection _connyswagyolo = new SqlConnection(connStringswag))
{
_connyswagyolo.Open();
string checkauth = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")";
SqlCommand Command223 = new SqlCommand(checkauth, _connyswagyolo);
int count = (int)Command223.ExecuteScalar();
_connyswagyolo.Close();
if (count == 0)
{
return RedirectToAction("AccessDenied");
}
else
{
return View(db.HOLIDAY_DATE_TABLE);
}
}
}
目前收到错误&#34;&#39; =&#39;附近的语法不正确。&#34; 指向行int count =(int)Command223.ExecuteScalar();
更新2:我玩过我的代码,但无论我做什么,建议的解决方案 int count =(int)Command223.ExecuteScalar(); 似乎不起作用。以下是我更新的控制器代码。
public ActionResult HolidayDateTable()
{
var whoareyoupeople = User.Identity.Name;
DateTime date = DateTime.Now;
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + ".";
string query = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")";
SqlConnection conn = new SqlConnection("Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework");
conn.Open();
SqlCommand cmd = conn.CreateCommand();
{
cmd.CommandText = string.Format("SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")");
int count = (int)cmd.ExecuteScalar();
if (count == 0)
{
return RedirectToAction("AccessDenied");
}
else
{
return View(db.HOLIDAY_DATE_TABLE);
}
}
}
更新3:问题在于我的查询字符串而不是C#代码。我不得不删除一个等号。现在我遇到的问题是
Incorrect syntax near '\601011308'.
指向int count =(int)cmd.ExecuteScalar();
这是表UNAME字段中值的部分输入。它在它面前缺少COMPANYNAME(即; COMPANYNAME \ 601011308)。我认为count应该返回SSO与数据库匹配的数量(即;如果登录用户SSO是601011308,并且这是存储在表中的应用程序的有效用户,则count应返回1) 。
我在Update 3中遇到上述问题的最新控制器代码:
public ActionResult HolidayDateTable()
{
var whoareyoupeople = User.Identity.Name;
DateTime date = DateTime.Now;
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + ".";
SqlConnection conn = new SqlConnection("Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework");
conn.Open();
SqlCommand cmd = conn.CreateCommand();
{
cmd.CommandText = string.Format("SELECT COUNT(*) FROM AUTHORIZED_USERS WHERE UNAME = " + whoareyoupeople + ")");
int count = (int)cmd.ExecuteScalar();
if (count == 0)
{
return RedirectToAction("AccessDenied");
}
else
{
return View(db.HOLIDAY_DATE_TABLE);
}
}
}
答案 0 :(得分:0)
使用ExecuteNonQuery()代替ExecuteScalar(),因为Count()自然会返回一个整数。
int count = (int)cmd.ExecuteScalar();实际上就是我昨天刚刚实施的内容。然后你只需在else/if语句中使用count。