我需要在 C# 中检查用户在数据库里是否具有特定角色；我的 Windows 窗体登录代码如下
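// Login lookup. The typed values are bound as parameters instead of being
// concatenated into the SQL text, so they are treated as data and cannot
// change the shape of the query. EMP_Role is read with the same row, so the
// admin check needs no second round trip.
// NOTE(review): the typed password is compared directly against the Password
// column, which implies the column holds clear text — store a salted hash and
// compare hashes instead (TODO confirm schema).
using (SqlCommand cmd = new SqlCommand(
    "SELECT UserName, Password, EMP_Role FROM EMP_Info WHERE UserName = @UserName AND Password = @Password",
    sqlcon))
{
    cmd.Parameters.AddWithValue("@UserName", txt_Username.Text);
    cmd.Parameters.AddWithValue("@Password", txt_password.Text);

    DataTable dt = new DataTable();
    using (SqlDataAdapter da = new SqlDataAdapter(cmd))
    {
        // Fill opens and closes the connection itself when it is handed a closed one.
        da.Fill(dt);
    }

    if (dt.Rows.Count > 0)
    {
        Cursor.Current = Cursors.WaitCursor;

        // Role of the matched row; NULL in the column arrives as null here.
        string role = dt.Rows[0]["EMP_Role"] as string;
        if (string.Equals(role, "Admin", StringComparison.OrdinalIgnoreCase))
        {
            // if admin do something
        }
        MessageBox.Show("Welcome " + txt_Username.Text);
    }
    else
    {
        MessageBox.Show("The Username or Password you entered is incorrect. Please try again");
        sqlcon.Close();
    }
}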
我的数据库代码如下：
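-- Check_role: returns 1 when a row with the requested role exists, 2 otherwise.
-- The original had a stray comma after the parameter (a syntax error) and
-- never used @EMP_Role, so it answered "does ANY Admin row exist" rather than
-- asking about the given role. @UserName is optional so existing callers keep
-- working; pass it to ask whether one specific user holds the role.
CREATE PROC Check_role
    @EMP_Role VARCHAR(10),
    @UserName VARCHAR(100) = NULL
AS
BEGIN
    SET NOCOUNT ON;

    IF EXISTS (SELECT 1
               FROM EMP_Info
               WHERE EMP_Role = @EMP_Role
                 AND (@UserName IS NULL OR UserName = @UserName))
        RETURN 1;
    ELSE
        RETURN 2;
END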
所以我需要解决这个问题
答案 0 :(得分:2)
为了避免 SQL 注入攻击，请使用像这样的参数化查询：
// Parameterised form of the login query: the typed values are bound as
// parameters, so they are handled as data rather than as SQL text.
SqlCommand cmd = new SqlCommand
{
    Connection = sqlcon,
    CommandText = "SELECT [UserName] , [Password] FROM EMP_Info WHERE [UserName] = @UserName and [Password] = @Password",
};
cmd.Parameters.Add(new SqlParameter("@UserName", txt_Username.Text));
cmd.Parameters.Add(new SqlParameter("@Password", txt_password.Text));
//rest of the code
无论如何，我会创建一个存储过程，只调用一次数据库来验证用户登录。该存储过程看起来像这样：
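-- Check_role: validates one login in a single round trip.
-- @IsValid (output): 0 = no matching user/password, 1 = valid user,
--                    2 = valid user whose EMP_Role is 'Admin'.
-- NOTE(review): the password is compared as stored, which implies the Password
-- column holds clear text; a salted hash should be stored and compared instead.
-- Under a case-insensitive collation '=' also accepts a wrongly-cased password
-- (TODO confirm the column collation).
CREATE PROCEDURE Check_role
    @UserName VARCHAR(100)
    ,@Password VARCHAR(100)
    ,@IsValid INT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;

    -- Locals are sized like the parameters. The earlier VARCHAR(10) locals
    -- silently truncated longer values, so a valid user with a name longer
    -- than 10 characters never passed the equality re-check below.
    DECLARE @Emp_Role VARCHAR(10);
    DECLARE @UserName_check VARCHAR(100);
    DECLARE @PassWord_check VARCHAR(100);

    -- Fail closed: anything that is not an explicit match stays invalid.
    SET @IsValid = 0;

    SELECT TOP 1 @Emp_Role = EMP_Role
        ,@UserName_check = [UserName]
        ,@PassWord_check = [Password]
    FROM EMP_Info
    WHERE [UserName] = @UserName
      AND [Password] = @Password;

    -- An assignment SELECT leaves the locals NULL when no row matched,
    -- and NULL = x is never true, so this branch is only taken on a hit.
    IF (@UserName_check = @UserName AND @PassWord_check = @Password)
    BEGIN
        SET @IsValid = CASE WHEN @Emp_Role = 'Admin' THEN 2 ELSE 1 END;
    END
END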
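// Single round trip: the stored procedure validates the credentials and
// reports the outcome through @IsValid (0 = invalid, 1 = user, 2 = admin).
// Fixes versus the earlier draft: the connection variable is named
// consistently (Sqlcon/sqlcon/con were three different names), the command is
// disposed, and the output value is compared as an int rather than a string.
// NOTE(review): the password travels and is compared in clear text; the
// column should hold a salted hash instead (TODO confirm schema).
using (SqlConnection sqlcon = new SqlConnection(ConnectionString))
using (SqlCommand cmd = new SqlCommand("dbo.Check_role", sqlcon))
{
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.Parameters.AddWithValue("@UserName", txt_Username.Text);
    cmd.Parameters.AddWithValue("@Password", txt_password.Text);
    cmd.Parameters.Add("@IsValid", SqlDbType.Int).Direction = ParameterDirection.Output;

    sqlcon.Open();
    cmd.ExecuteNonQuery();

    // Output parameters come back as object; a missing/NULL value is treated
    // as a failed login rather than as a crash.
    object raw = cmd.Parameters["@IsValid"].Value;
    int loginStatus = (raw == null || raw == DBNull.Value) ? 0 : Convert.ToInt32(raw);

    if (loginStatus == 1 || loginStatus == 2)
    {
        if (loginStatus == 2)
        {
            // if a user is admin do stuff here
        }
        else
        {
            // if a user is NOT admin do stuff here
        }
        MessageBox.Show("Welcome " + txt_Username.Text);
    }
    else
    {
        MessageBox.Show("The Username or Password you entered is incorrect. Please try again");
    }
}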