How do I redirect users to different home pages based on their role after login?

Time: 2018-09-12 14:30:38

Tags: c# sql-server authentication login

I created a database table called [reg] that stores user details, including the role. The table has a column called Role, which holds one of two roles: Parent and Teacher. So I want to redirect users to different home pages depending on their role. How can I do this? Please help.

Here is my login.cs code:

public partial class Login : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection();

    protected void Page_Load(object sender, EventArgs e)
    {

    }

    protected void ButtonLogin_Click1(object sender, EventArgs e)
    {
        con.ConnectionString = "Data Source=DESKTOP-H7KQUT1;Initial Catalog=Registration;Integrated Security=True";
        con.Open();
        string checkuser = "select count(*) from [reg] where Username = '" + TextBoxUser.Text + "'";
        SqlCommand cmd = new SqlCommand(checkuser, con);
        int temp = Convert.ToInt32(cmd.ExecuteScalar().ToString());
        if (temp == 1)
        {
            string checkPasswordQuery = "select Pass from [reg] where Username= '" + TextBoxUser.Text + "'";
            SqlCommand passCom = new SqlCommand(checkPasswordQuery, con);
            string password = passCom.ExecuteScalar().ToString().Replace(" ","");
            if (password == TextBoxPass.Text)
            {
                Session["New"] = TextBoxUser.Text;
                Session["Username"] = TextBoxUser.Text;
                MessageBox.Show("Password is correct");
                Response.Redirect("HomeTeacher.aspx");

            }
            else
            {
                MessageBox.Show("Password is not correct");
            }
        }
        else
        {
            MessageBox.Show("Username is not correct");
        }

        con.Close();
    }
}

2 answers:

Answer 0 (score: 1)

There is a lot going on here, so I've added plenty of comments to explain the changes.

protected void ButtonLogin_Click1(object sender, EventArgs e)
{
    //Don't re-use the connection object. 
    // ADO.Net has a feature called connection pooling, and re-using the 
    // connection object interferes with it.
    // This is the rare case where you really do want to create
    // a new instance almost every time

    string checkuser = "select Role, Salt, PwdHash from [reg] where Username = @Username";
    string role = "", goodHash = "", salt = "";

    //The using blocks will make sure the connection is closed, 
    // **even if an exception is thrown**.
    using (var con = new SqlConnection("Data Source=DESKTOP-H7KQUT1;Initial Catalog=Registration;Integrated Security=True"))
    using (var cmd = new SqlCommand(checkuser, con))
    { 
        //**ALWAYS** use parameters like this to include data in the query that
        // has any chance to be influenced in any way by the user
        cmd.Parameters.Add("@Username",SqlDbType.NVarChar, 50).Value = TextBoxUser.Text;

        con.Open();
        using (var rdr = cmd.ExecuteReader())
        {
            if (!rdr.Read()) // no record for this user
            {
                //Common practice is to NOT make it obvious whether the username or password was wrong,
                // though there is debate in security circles whether that's really necessary.
                //Also, **DON'T USE MESSAGEBOX IN WEB APPS!**
                // It doesn't work at all the way you think. 
                Response.Redirect("InvalidLogin.aspx");
                return;
            }

            //For convenience, I'll assume nothing is NULL if we actually have a record
            //Done right, the salt and password are often byte arrays, but base64 strings are common, too.
            salt = (string)rdr["Salt"]; 
            goodHash = (string)rdr["PwdHash"];
            role = (string)rdr["Role"];
        }
    }

    //You'll need to write this function on your own,
    // but there are libraries on NuGet that make it easy
    var attemptedHash = GetBCryptHash(salt, TextBoxPass.Text);
    if (attemptedHash != goodHash)
    {
        Response.Redirect("InvalidLogin.aspx");
        return;
    }

    Session["New"] = TextBoxUser.Text;
    Session["Username"] = TextBoxUser.Text;
    Session["Role"] = role;

    if (role == "Teacher")
    {
        Response.Redirect("HomeTeacher.aspx");
    }
    else
    {
        Response.Redirect("HomeStudent.aspx");
    }
}

Here it is again without all the extra comments:

protected void ButtonLogin_Click1(object sender, EventArgs e)
{
    string checkuser = "select Role, Salt, PwdHash from [reg] where Username = @Username";
    string role = "", goodHash = "", salt = "";

    using (var con = new SqlConnection("Data Source=DESKTOP-H7KQUT1;Initial Catalog=Registration;Integrated Security=True"))
    using (var cmd = new SqlCommand(checkuser, con))
    { 
        cmd.Parameters.Add("@Username",SqlDbType.NVarChar, 50).Value = TextBoxUser.Text;
        con.Open();
        using (var rdr = cmd.ExecuteReader())
        {
            if (!rdr.Read()) // no record for this user
            {
                Response.Redirect("InvalidLogin.aspx");
                return;
            }

            salt = (string)rdr["Salt"]; 
            goodHash = (string)rdr["PwdHash"];
            role = (string)rdr["Role"];
        }
    }

    // You still need to write this function, and you'll still want to rely on nuget
    var attemptedHash = GetBCryptHash(salt, TextBoxPass.Text);
    if (attemptedHash != goodHash)
    {
        Response.Redirect("InvalidLogin.aspx");
        return;
    }

    Session["New"] = TextBoxUser.Text;
    Session["Username"] = TextBoxUser.Text;
    Session["Role"] = role;

    if (role == "Teacher")
    {
        Response.Redirect("HomeTeacher.aspx");
    }
    else
    {
        Response.Redirect("HomeStudent.aspx");
    }
}

Answer 1 (score: 0)

If you want to redirect users based on their role, it's simple:

// Assumes 'con' is an open SqlConnection, as in the question's code
string getUserRole = "SELECT Role FROM [reg] WHERE Username = @User";
string userRole = "";
using (SqlCommand sqlCmd = new SqlCommand(getUserRole, con))
{
    // A parameter instead of string concatenation; NVarChar matches the column type
    sqlCmd.Parameters.Add("@User", SqlDbType.NVarChar, 50).Value = TextBoxUser.Text;
    // ExecuteScalar returns null when no row matches, so guard before ToString()
    object result = sqlCmd.ExecuteScalar();
    userRole = result == null ? "" : result.ToString().Trim();
}
con.Close();
if (userRole == your_user_role)
{
    //redirect 1
}
else
{
    // redirect 2
}

I suggest you take a look at this:

sqlCmd.Parameters.Add("@User", SqlDbType.String).Value = TextBoxUser.Text;

Always use parameters; it's very easy.

Take this line as the model, and add parameters to every query that takes data from user input.
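The following is an added example, not code from the question or from either answer. It puts both points together in one working WebForms click handler: the parameterized role lookup from Answer 1, and the "hash the password, never compare it in plaintext" step that Answer 0 leaves as a function for you to write. It assumes the same [reg] table and TextBoxUser / TextBoxPass controls as the question, plus Salt and PwdHash columns that hold Base64 strings produced by the HashNewPassword helper at the bottom (PBKDF2-HMAC-SHA256, which is in the .NET base class library; the bcrypt NuGet package Answer 0 alludes to would work the same way). The "Registration" connection-string name in Web.config is an assumption, as are the HomeParent.aspx and InvalidLogin.aspx page names.

```csharp
// Added example (not from the question or either answer). Assumes a [reg] table with
// columns Username, Role, Salt (Base64) and PwdHash (Base64), and TextBoxUser / TextBoxPass
// controls on the page, as in the question.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed: the connection string lives in Web.config instead of being hard-coded.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["Registration"].ConnectionString;

    // Allow-list of role -> landing page. A role that is not listed is treated as a
    // failed login rather than silently falling through to some default page.
    private static readonly Dictionary<string, string> HomeByRole =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "Teacher", "~/HomeTeacher.aspx" },
            { "Parent",  "~/HomeParent.aspx"  },   // assumed page name
        };

    private const int Pbkdf2Iterations = 100000;
    private const int HashBytes = 32;

    protected void ButtonLogin_Click1(object sender, EventArgs e)
    {
        string role = null, saltB64 = null, storedHashB64 = null;

        // One query, one parameter; the user's text never becomes part of the SQL text.
        using (var con = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT Role, Salt, PwdHash FROM [reg] WHERE Username = @Username", con))
        {
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = TextBoxUser.Text;
            con.Open();
            using (var rdr = cmd.ExecuteReader())
            {
                if (rdr.Read())
                {
                    role = rdr["Role"] as string;
                    saltB64 = rdr["Salt"] as string;
                    storedHashB64 = rdr["PwdHash"] as string;
                }
            }
        }

        // Unknown user, incomplete row, wrong password or unlisted role all end the same
        // way, so the response does not reveal which check failed.
        if (role == null || saltB64 == null || storedHashB64 == null
            || !VerifyPassword(TextBoxPass.Text, saltB64, storedHashB64)
            || !HomeByRole.ContainsKey(role))
        {
            // endResponse:false avoids the ThreadAbortException Redirect(url) throws in WebForms
            Response.Redirect("~/InvalidLogin.aspx", false);
            return;
        }

        Session["Username"] = TextBoxUser.Text;
        Session["Role"] = role;
        Response.Redirect(HomeByRole[role], false);
    }

    // Recompute PBKDF2-HMAC-SHA256 over the stored salt and compare with the stored hash.
    // The Rfc2898DeriveBytes overload taking HashAlgorithmName exists from
    // .NET Framework 4.7.2 / .NET Core 2.0 onward.
    public static bool VerifyPassword(string password, string saltB64, string storedHashB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        byte[] expected = Convert.FromBase64String(storedHashB64);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256))
        {
            actual = kdf.GetBytes(HashBytes);
        }
        return FixedTimeEquals(expected, actual);
    }

    // Constant-time comparison: the loop always runs over the whole array, so the time
    // taken does not depend on how many leading bytes matched. (On .NET Core 2.1+ the
    // built-in CryptographicOperations.FixedTimeEquals does this; it is absent on .NET Framework.)
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Used at registration time: produces the Salt and PwdHash values to store for a user.
    public static void HashNewPassword(string password, out string saltB64, out string hashB64)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256))
        {
            saltB64 = Convert.ToBase64String(salt);
            hashB64 = Convert.ToBase64String(kdf.GetBytes(HashBytes));
        }
    }
}
```

Two design choices are worth noting. The role-to-page dictionary replaces the `if (role == "Teacher") ... else ...` shape, so a typo or an unexpected value in the Role column cannot land a user on a page meant for a different role. And the hash comparison runs over fixed-length byte arrays rather than `attemptedHash != goodHash` on strings, so verifying a password takes the same time whether the first byte or the last byte differs.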