1. 首頁
  2. 問答
  3. 如何檢查用戶是否是「管理員」

如何檢查用戶是否是「管理員」

2012-08-12 70 views
0

我正在開發使用ASP.NET 4.0和SQL Server 2008的網站。在Login Page中,我必須檢查用戶供應商ID並根據供應商ID重定向頁面到不同的頁面。一切正常,但我不知道如何檢查管理員何時輸入VendorID和密碼,以便管理頁面重定向。他的供應商ID和密碼也與其他用戶存儲在同一個表「User_Info」中。請參閱下面的代碼,它總是重定向到管理頁面,因爲我直接在代碼中提供了他的vendorID和密碼。請給出您的建議來解決此問題。如何檢查用戶是否是「管理員」

protected void BtnHomeUserSubmit_Click(object sender, EventArgs e) 
    { 
     SqlConnection SqlCon = new SqlConnection(GetConnectionString()); 
     try 
     {   
     var da1 = new SqlDataAdapter("select * from User_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND User_Password='" + txtHomePassword.Text.Trim() + "'", SqlCon); 
      var dt1 = new DataTable(); 
      da1.Fill(dt1); 
      if (dt1.Rows.Count == 0) 
      { 
      ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert('Enter valid Vendor ID and Password');", true); 
      } 
      else 
      { 
      var da = new SqlDataAdapter("select * from User_Info where Vendor_ID='Admin' AND User_Password='123456'", SqlCon); 
       var dt = new DataTable(); 
       da.Fill(dt); 
       if (dt.Rows.Count > 0) 
       { 
       Response.Redirect("~/AdminCompanyInfo.aspx"); 
       } 
       var da2 = new SqlDataAdapter("select * from Company_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND Approval_Status='NO' OR        Approval_Status='PEN'", SqlCon); 
       var dt2 = new DataTable(); 
       da2.Fill(dt2); 
       if (dt2.Rows.Count > 0) 
       { 
       string url = "../ApprovalStatus2.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text); 
       ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID is waiting for Approval');window.location.href = '" +      url + "';", true); 
       } 
       var da3 = new SqlDataAdapter("select Vendor_ID from RegPage1 where Vendor_ID='" + txtHomeUsername.Text.Trim() + "'", SqlCon); 
       var dt3 = new DataTable(); 
       da3.Fill(dt3); 
       if (dt3.Rows.Count > 0) 
       { 
        string url = "../UserLogin.aspx"; 
        ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID already completed the registration');window.location.href = '" + url + "';", true); 
       } 
       else 
       { 
       Response.Redirect("~/RegPage1.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text)); 
       } 
      } 
     } 
     finally 
     { 
      SqlCon.Close(); 
     } 
    }

來源

2012-08-12 Hari

+2

約在某個時候「SQL注入」讀... – 2012-08-12 10:11:48

回答

1

試試這個.. 當你建立一個架構考慮這個訪問數據庫是代碼最昂貴的訪問。而且更喜歡使用SqlCommand(參數化值)。

var da1 = new SqlDataAdapter("select * from User_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND User_Password='" + txtHomePassword.Text.Trim() + "'", SqlCon); 
      var dt1 = new DataTable(); 
      da1.Fill(dt1); 
      if (dt1.Rows.Count == 0) 
      { 
      ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert('Enter valid Vendor ID and Password');", true); 
      } 
      else 
      { 

      switch(dt.Rows[0]["Vendor_ID"].ToString()) 
       { 
       case "Admin": Response.Redirect("~/AdminCompanyInfo.aspx"); break; 
       //other oprtions goes here... 
       } 
       var da2 = new SqlDataAdapter("select * from Company_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND Approval_Status='NO' OR        Approval_Status='PEN'", SqlCon); 
       var dt2 = new DataTable(); 
       da2.Fill(dt2); 
       if (dt2.Rows.Count > 0) 
       { 
       string url = "../ApprovalStatus2.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text); 
       ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID is waiting for Approval');window.location.href = '" +      url + "';", true); 
       } 
       var da3 = new SqlDataAdapter("select Vendor_ID from RegPage1 where Vendor_ID='" + txtHomeUsername.Text.Trim() + "'", SqlCon); 
       var dt3 = new DataTable(); 
       da3.Fill(dt3); 
       if (dt3.Rows.Count > 0) 
       { 
        string url = "../UserLogin.aspx"; 
        ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID already completed the registration');window.location.href = '" + url + "';", true); 
       } 
       else 
       { 
       Response.Redirect("~/RegPage1.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text)); 
       } 
      }

來源

2012-08-12 09:29:33 hkutluay

+0

感謝reply.Where我檢查管理員密碼? – Hari 2012-08-12 10:02:38

+0

您在'select * from User_Info Vendor_ID = ..'行查看用戶名和密碼。 – hkutluay 2012-08-12 11:08:44

相關問題

 相關問題