将用户限制为10个错误的PIN码尝试Web Api#

时间:2017-08-30 15:05:11

标签: c# sql sql-server asp.net-web-api

我一直在研究一个接受某个电话号码并返回密码的简单网络API。我的想法是,如果密码错误10次,我想删除/限制用户登录。可以在SQL Server或c#代码中完成吗? 感谢所有帮助

在业务层验证:

    public void validate(validateRequest vReq, headers head, ref validateResponse vRes)
    {
        vRes = new validateResponse();
        int isCorrect = vRes.isCorrect;

        Data dal = new Data();
        dal.OpenConnection();
        dal.valpinCode(vReq.pinCode, ref isCorrect);
        if (isCorrect == 1)
        {
            vRes.result.code = 0;
            vRes.result.message = "Successful";
            vRes.isCorrect = 0;
        }
        else
        {
            vRes.result.code = -3;
            vRes.result.message = "Access Denied.";
            vRes.isCorrect = -1;
        }

我的数据层中的valpincode:

 public void valpinCode(string pinCode, ref int isCorrect)
    {
        try
        {
            using (IDbConnection db = new SqlConnection(c.connstr))
            {
                if (db.State != ConnectionState.Open)
                    db.Open();

                DynamicParameters param = new DynamicParameters();

                param.Add("@pincode", pinCode);

                param.Add("@exist", dbType: DbType.Int32, direction: ParameterDirection.Output);

                con.Execute("valpin", param, commandType: CommandType.StoredProcedure);

                isCorrect = param.Get<Int32>("@exist");

                if (db.State != ConnectionState.Closed)
                    db.Close();
            }
        }
        catch (Exception ex)
        {
           Common log = new Common();
            log.LogError(ex);
        }
    }

我的valpin SP:

    @pincode nvarchar(50),
@exist bit output
AS
 BEGIN
    IF NOT EXISTS(
    SELECT *
    FROM Users
    WHERE pinCode=@pincode)
BEGIN
    SET @exist=0
END
ELSE
BEGIN 
    SELECT *
    FROM Users
    WHERE pinCode=@pincode
    SET @exist=1
END
END

用户表:

idUser  phone   countrycode   pincode  
1      7006100      961        5716
12     7006107      961        77709

请注意,密码是随机生成的

1 个答案:

答案 0 :(得分:0)

执行此脚本只需添加一列,并为所有用户将其值设置为零

alter table users
add invalidAttempts int null
;
update users
set invalidAttempts =0
select * from users

此过程验证用户是否不存在(-1),如果用户被阻止(-2),如果密码错误(-3)和用户,则验证是否为(0)

任何无效尝试都存储在新字段/列中。如果它的数量达到10,则用户被阻止。您需要建立另一种方法来解锁它。如果未阻止用户,则有效登录将重置无效尝试。

ALTER PROCEDURE valpin @idUser INT, @pincode NVARCHAR(50)
AS
BEGIN
  DECLARE @pin VARCHAR(50)
  DECLARE @invalidAtempts INT

  SELECT @pin = pincode, @invalidAtempts = invalidAttempts
  FROM Users
  WHERE idUser = @idUser

  IF @invalidAtempts IS NULL
    RETURN - 1 --User does not exists
END

IF @invalidAtempts >= 10
  RETURN - 2 --blocked

IF @pin = @pincode
BEGIN
  UPDATE users
  SET invalidAttempts = 0
  WHERE idUser = @idUser

  RETURN 0 -- OK
END
ELSE
BEGIN
  UPDATE users
  SET invalidAttempts = invalidAttempts + 1
  WHERE idUser = @idUser

  RETURN - 3 -- wrong ping
END

您需要修改C#代码以反映此行为。另外,使用返回值ParameterDirection.ReturnValue;

而不是使用输出参数