我在我的登录表单中以mvc 5创建了一个Web应用程序,我有2个文本框,一个按钮 和一个跨度,如果用户提供错误的信息,那么文本应该是可见的
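<!-- Login form fragment as posted in the question.
     Security fix: the password box was type="text", which shows the password
     on screen and lets the browser keep it in plain-text autocomplete history;
     it must be type="password". Everything else is as the asker wrote it: the
     inputs carry no name attributes and the button is type="button" with no
     enclosing form, so on its own this markup never submits anything. -->
<div style="margin-top:20px;">
<span>
<select style="width:275px; height:45px; font-size:15px; font-family:Verdana;" class="ddl">
<option>Select Your Role</option>
<option>Super Admin</option>
<option>Admin</option>
<option>Company</option>
<option>Unit</option>
<option selected="selected">Trainer</option>
<option>Employee</option>
<option>Partner Manager</option>
<option>Regional Partner Manager</option>
<option>Assistant Partner Manager</option>
<option>Zonal Partner Manager</option>
<option>LLT</option>
</select>
</span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
<span>
<input type="text" id="txtusrname" class="ddl txtbo" autocomplete="username" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Username" />
</span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
<span>
<!-- type="password" masks the value and keeps it out of autocomplete history -->
<input type="password" class="ddl txtbo" id="txtpass" autocomplete="current-password" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Password" />
</span>
</div>
<div class="imagediv" style="">
<input id="btnerp" type="button" class="btn btn-default btnspacererp" style="" width="200" height="34" value="Login" />
</div>
<div class="" style="margin-top:20px; Width:auto; Height:34px; margin-left:-20px;">
<!-- Kept generic on purpose: the message must not reveal whether the username or the password was wrong -->
<span style="font-size:14px; visibility:hidden; font-family:Verdana; color:red;">Incorrect Login Credential!!!!</span>
</div>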
我把所有登录信息都传给 Web 服务进行校验：Web 服务检查用户提供的信息（下拉列表中的角色、用户名和密码），如果正确，页面应重定向到欢迎页面；否则应显示 span 中的错误信息。
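/// <summary>
/// Checks a username/password pair against the table that backs the selected
/// <paramref name="role"/> and reports the outcome as a string (the MVC
/// controller compares the return value with "true").
/// </summary>
/// <param name="role">Role chosen in the login drop-down. It only selects which
/// hard-coded table/columns are queried and is never spliced into SQL text.</param>
/// <param name="username">Login identifier as typed by the user (untrusted).</param>
/// <param name="password">Password as typed by the user (untrusted).</param>
/// <returns>
/// "true" when a matching row exists (and, for the partner-manager roles, the
/// employee also has an assignment row); "false" when the credentials do not
/// match; "" when <paramref name="role"/> is not one the service knows.
/// </returns>
/// <remarks>
/// Security notes:
/// - Every query is parameterized. The original concatenated the request
///   values into the SQL text (SQL injection); the partner-manager look-ups
///   also concatenated <c>empname</c> read back from the database, which is a
///   second-order injection, so those are parameterized too.
/// - The password is still compared inside SQL exactly as stored, as in the
///   original. That only works if the column holds the plaintext, and the
///   comparison is collation-dependent (typically case-insensitive). Storing a
///   salted hash and verifying it in code is the real fix; it needs a schema
///   change this method cannot make on its own.
/// - The connection string literal is kept as written; it belongs in
///   configuration, not in source.
/// </remarks>
[WebMethod]
public string getlogintype(string role, string username, string password)
{
    // Tri-state mirrors the original's tru/fals pair:
    // true -> "true", false -> "false", null -> "" (unknown role).
    bool? authenticated = null;

    // using guarantees the connection is closed even when a query throws;
    // the original left it open on any exception.
    using (SqlConnection con = new SqlConnection("connectionstring"))
    {
        con.Open();

        switch (role)
        {
            case "Admin":
            case "Super Admin":
                authenticated = CredentialRowExists(con, "[admin]", "userid", "pass", username, password, null);
                break;
            case "Company":
                authenticated = CredentialRowExists(con, "companydetails", "comid", "pass", username, password, null);
                break;
            case "Unit":
                authenticated = CredentialRowExists(con, "companyallot", "email", "password", username, password, null);
                break;
            case "Trainer":
                authenticated = CredentialRowExists(con, "trainerdetails", "trid", "pass", username, password, null);
                break;
            case "Employee":
                // The original wrote "employee details" (with a space), which is
                // not valid T-SQL unbracketed; bracketing keeps that name legal.
                // TODO(review): confirm the real table name.
                authenticated = CredentialRowExists(con, "[employee details]", "empid", "pass", username, password, null);
                break;
            case "Partner Manager":
                authenticated = TrainerHasAssignment(con, username, password, "companydetails", "pm");
                break;
            case "Regional Partner Manager":
                authenticated = TrainerHasAssignment(con, username, password, "rpmallot", "trainer");
                break;
            case "Assistant Partner Manager":
                authenticated = TrainerHasAssignment(con, username, password, "companydetails", "apm");
                break;
            case "Zonal Partner Manager":
                authenticated = TrainerHasAssignment(con, username, password, "zonerpm", "trainer");
                break;
            case "LLT":
                // The original built an adapter with no SelectCommand here, so
                // Fill() threw before any check ran; the type filter is now applied.
                authenticated = CredentialRowExists(con, "trainerdetails", "trid", "pass", username, password, role);
                break;
            default:
                // Unknown role (e.g. the "Select Your Role" placeholder): stays null.
                break;
        }
    }

    // Keep the class-level tru/fals fields in step with the result for any
    // other member that still reads them.
    tru = authenticated == true ? "true" : null;
    fals = authenticated == false ? "false" : null;

    if (authenticated == true)
    {
        return "true";
    }
    return authenticated == false ? "false" : "";
}

/// <summary>
/// True when a row in <paramref name="table"/> carries the given user/password
/// pair (and, when <paramref name="typeFilter"/> is non-null, a matching
/// <c>type</c> column). Table and column names are fixed identifiers chosen
/// by the caller, never request data; the values are bound as parameters.
/// </summary>
private static bool CredentialRowExists(SqlConnection con, string table, string userColumn, string passColumn, string username, string password, string typeFilter)
{
    string sql = "SELECT TOP 1 1 FROM " + table +
                 " WHERE " + userColumn + " = @username AND " + passColumn + " = @password";
    if (typeFilter != null)
    {
        sql += " AND type = @type";
    }

    using (SqlCommand cmd = new SqlCommand(sql, con))
    {
        // A null C# value is sent as SQL NULL, which never compares equal,
        // so missing input fails closed instead of throwing.
        cmd.Parameters.AddWithValue("@username", (object)username ?? DBNull.Value);
        cmd.Parameters.AddWithValue("@password", (object)password ?? DBNull.Value);
        if (typeFilter != null)
        {
            cmd.Parameters.AddWithValue("@type", typeFilter);
        }
        return cmd.ExecuteScalar() != null;
    }
}

/// <summary>
/// Two-step check used by the partner-manager roles: the trainer row must
/// exist for the credentials, and its <c>empname</c> must appear in
/// <paramref name="assignmentColumn"/> of <paramref name="assignmentTable"/>.
/// Returns false (not "", as the original did) when the credentials themselves
/// do not match, so every role reports a failed login the same way.
/// </summary>
private bool TrainerHasAssignment(SqlConnection con, string username, string password, string assignmentTable, string assignmentColumn)
{
    string employeeName;
    using (SqlCommand cmd = new SqlCommand(
        "SELECT TOP 1 empname FROM trainerdetails WHERE trid = @username AND pass = @password", con))
    {
        cmd.Parameters.AddWithValue("@username", (object)username ?? DBNull.Value);
        cmd.Parameters.AddWithValue("@password", (object)password ?? DBNull.Value);
        object value = cmd.ExecuteScalar();
        if (value == null)
        {
            return false; // no trainer row for these credentials
        }
        employeeName = value == DBNull.Value ? "" : value.ToString();
    }

    // The original stored the name in this class-level field; keep doing so.
    strname = employeeName;

    // empname came from the database, but it is still bound as a parameter:
    // the original spliced it into the query text (second-order injection).
    using (SqlCommand check = new SqlCommand(
        "SELECT TOP 1 1 FROM " + assignmentTable + " WHERE " + assignmentColumn + " = @name", con))
    {
        check.Parameters.AddWithValue("@name", employeeName);
        return check.ExecuteScalar() != null;
    }
}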
}
如果用户信息为true,则此Web服务将返回true;如果提供的用户名,密码或角色为false,则返回false,然后信息将传递到操作结果页面,其中我有三个字符串(用户名,密码,角色) 我想在会话中获取所有登录信息,并将用户重定向到欢迎页面
/// <summary>
/// Action the asker wants to fill in: receive the posted role/username/password,
/// call the web service to validate them, and on success redirect to the welcome page.
/// </summary>
/// <param name="role">Role selected in the drop-down (untrusted request input).</param>
/// <param name="username">Username as posted (untrusted request input).</param>
/// <param name="password">Password as posted (untrusted request input).</param>
/// <remarks>
/// NOTE(review): whatever goes here must establish the authenticated session
/// server-side (e.g. an auth cookie); a redirect alone does not protect the
/// welcome page. The password must never be written to Session, only the
/// username/role needed later. The form should post with an anti-forgery token.
/// </remarks>
public ActionResult Login(string role, string username, string password)
{
// required code goes here (see the remarks above)
}
这是我的行动结果,我需要通过此处进行身份验证并将其重定向到欢迎页面
答案 0 :(得分:0)
最重要的一点：你贴出的 Web 方法用字符串拼接把 role、username、password 直接写进 SQL 文本（例如 `where userid='" + username + "'`），因此无论表单是否直接提交到它，它都存在 SQL 注入——攻击者只要在用户名里输入 `' or '1'='1` 这类内容就能绕过校验；Partner Manager 等分支还把从数据库读回的 empname 再次拼进第二条查询，属于二次注入。这意味着即使从最基本的意义上说，这个验证例程也是不安全的：应改用 SqlParameter 参数化查询，并且不要在数据库里明文比较密码（应存储加盐哈希并在代码中校验）。
答案 1 :(得分:0)
试试这个。需要使用 Html.BeginForm 提交表单，并由 action 方法处理请求。在 action 方法中调用 getlogintype()，根据其返回值设置消息字符串，通过 ViewBag（ViewBag.Message）传给视图显示。
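@* Login form posted to the Login action.
   Fixes relative to the original answer: the password box is type="password"
   (it was type="text"), the button is type="submit" (type="button" never
   submits a BeginForm without script), and an anti-forgery token is emitted
   so the action can be decorated with [ValidateAntiForgeryToken]. *@
@using (Html.BeginForm("Login", "ControllerName", FormMethod.Post ))
{
@Html.AntiForgeryToken()
<div style="margin-top:20px;">
<span>
<select style="width:275px; height:45px; font-size:15px; font-family:Verdana;" class="ddl" name="roleSelect">
<option>Select Your Role</option>
<option>Super Admin</option>
<option>Admin</option>
<option>Company</option>
<option>Unit</option>
<option selected="selected">Trainer</option>
<option>Employee</option>
<option>Partner Manager</option>
<option>Regional Partner Manager</option>
<option>Assistant Partner Manager</option>
<option>Zonal Partner Manager</option>
<option>LLT</option>
</select>
</span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
<span>
<input type="text" id="txtusrname" class="ddl txtbo" name="txtusrname" autocomplete="username" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Username" />
</span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
<span>
@* type="password" masks the value and keeps it out of autocomplete history *@
<input type="password" class="ddl txtbo" id="txtpass" name="txtpass" autocomplete="current-password" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Password" />
</span>
</div>
<div class="imagediv" style="">
<input id="btnerp" type="submit" class="btn btn-default btnspacererp" style="" width="200" height="34" value="Login" />
</div>
<div style="margin-top:20px; Width:auto; Height:34px; margin-left:-20px;">
@* Razor HTML-encodes @ViewBag.Message, so the message is safe to render here *@
<span style="font-size:14px;font-family:Verdana; color:red;">@ViewBag.Message</span>
</div>
}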
控制器
/// <summary>
/// GET handler: renders the empty login form. No request data is read here.
/// </summary>
/// <returns>The default view for this action.</returns>
public ActionResult Login()
{
    ActionResult loginForm = View();
    return loginForm;
}
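/// <summary>
/// POST handler: validates the submitted role/username/password through the
/// login web service, establishes the authenticated session on success and
/// redirects to the welcome page; otherwise re-renders the form with a
/// generic error message.
/// </summary>
/// <param name="form">Posted fields: roleSelect, txtusrname, txtpass (all untrusted).</param>
/// <returns>A redirect on success, the login view with ViewBag.Message otherwise.</returns>
/// <remarks>
/// NOTE(review): add [ValidateAntiForgeryToken] once the view emits
/// @Html.AntiForgeryToken(); with the attribute but without the token in the
/// form every post would be rejected. The welcome action should itself be
/// guarded with [Authorize] — the redirect proves nothing on its own.
/// The call to getlogintype() carries the password to the service; that hop
/// must be HTTPS (cannot be verified from here).
/// </remarks>
[HttpPost]
public ActionResult Login(FormCollection form)
{
    string role = form["roleSelect"];
    string username = form["txtusrname"];
    string password = form["txtpass"];

    // Blank fields can never authenticate; fail locally instead of spending a
    // service round-trip (which carries the password) on them.
    if (string.IsNullOrWhiteSpace(role) || string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
    {
        ViewBag.Message = "Incorrect Login Credential!!!!";
        return View();
    }

    // The original line was missing its ';' and did not compile.
    webservice.loginservice service = new webservice.loginservice();
    string result = service.getlogintype(role, username, password);

    // Anything other than the literal "true" ("false", "" for an unknown role,
    // or null) is a failed login. The message stays generic on purpose: it must
    // not reveal whether the username or the password was wrong.
    if (result != "true")
    {
        ViewBag.Message = "Incorrect Login Credential!!!!";
        return View();
    }

    // Establish the authenticated session server-side; without this anyone can
    // browse straight to the welcome action.
    System.Web.Security.FormsAuthentication.SetAuthCookie(username, false);

    // Only what later pages need goes into Session. The password is deliberately
    // NOT stored anywhere.
    Session["username"] = username;
    Session["role"] = role;

    return RedirectToAction("Welcome_ActionMethod", "Welcome_Controller");
}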