2014-09-30 94 views
0

我試圖在我的應用程序中實現一些安全性。我有一個名爲USER_AUTHORIZATION的表,其中包含要使用應用程序的用戶的ID的有效單一標記列表。格式爲COMPANYNAME \ 111222333,並存儲在名爲UNAME的字段中。我試圖在訪問應用程序時執行檢查,看看是否當前登錄用戶位於有效用戶表中。如果他們的SSO不在表格中,我想顯示一條錯誤消息。通過SQL進行用戶認證表

查看

@model IEnumerable<BillingApp.Models.HOLIDAY_DATE_TABLE> 
@using System.Data; 
@using System.Data.SqlClient; 
@{ 
ViewBag.Title = "Table 8: Holiday Date Table"; 
Layout = "../Shared/Layout2.cshtml"; 
var whoareyoupeople = @User.Identity.Name; 
DateTime date = DateTime.Now; 
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + "."; 

string connStringswag = "Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated  Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework"; 
using (SqlConnection _connyswagyolo = new SqlConnection(connStringswag)) 
{ 
    _connyswagyolo.Open(); 
    string checkauth = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")"; 
    SqlCommand Command223 = new SqlCommand(checkauth, _connyswagyolo); 
    Command223.ExecuteNonQuery(); 
    _connyswagyolo.Close(); 
} 

@section featured2 { 
@if (whoareyoupeople not found in table){ 
    <center><h2 style="color:red">Access Denied for user @User.Identity.Name. You are not authorized to view this application.</h2></center> 
    string fileName = "C:\\BillingExport\\SECURITY\\seclog.txt"; 
    using (FileStream fs = new FileStream(fileName, FileMode.Append, FileAccess.Write)){ 
    using (StreamWriter sw = new StreamWriter(fs)) 
    { 
     sw.WriteLine(myerrorstring); 
    } 
} 
} 
else{ 
    //actual content to be displayed (table information) goes here 

我的兩個最大的問題是,我怎麼形成的if語句來檢查查詢的結果?此外,我收到錯誤「CS1513:}預計」。

您會注意到以下代碼段在使用sqlconnection行時有一個缺失的結束語breacket。這是因爲無論出於何種原因,第一個右括號總是被visual studio 2012認爲是代碼塊的末尾(即@ {})。

更新:我感動的代碼到我的控制器

public ActionResult HolidayDateTable() 
    { 
     var whoareyoupeople = User.Identity.Name; 
     DateTime date = DateTime.Now; 
     string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + "."; 

     string connStringswag = "Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework"; 
     using (SqlConnection _connyswagyolo = new SqlConnection(connStringswag)) 
     { 
      _connyswagyolo.Open(); 
      string checkauth = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")"; 
      SqlCommand Command223 = new SqlCommand(checkauth, _connyswagyolo); 
      int count = (int)Command223.ExecuteScalar(); 
      _connyswagyolo.Close(); 

      if (count == 0) 
      { 
       return RedirectToAction("AccessDenied"); 
      } 
      else 
      { 
       return View(db.HOLIDAY_DATE_TABLE); 
      } 
     } 
    } 

目前收到錯誤 「附近有語法錯誤 '='。」 指向行int count =(int)Command223.ExecuteScalar();

更新2:我與我的代碼發揮各地,但無論我做什麼,提出的解決 詮釋計數=(INT)Command223.ExecuteScalar(); 似乎不起作用。以下是我更新的控制器代碼。

public ActionResult HolidayDateTable() 
    { 
     var whoareyoupeople = User.Identity.Name; 
     DateTime date = DateTime.Now; 
     string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + "."; 
     string query = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")"; 
     SqlConnection conn = new SqlConnection("Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework"); 
     conn.Open(); 
     SqlCommand cmd = conn.CreateCommand(); 
     { 
      cmd.CommandText = string.Format("SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")"); 
      int count = (int)cmd.ExecuteScalar(); 

      if (count == 0) 
      { 
       return RedirectToAction("AccessDenied"); 
      } 
      else 
      { 
       return View(db.HOLIDAY_DATE_TABLE); 
      } 
     } 
     }   

更新3:的問題是我的查詢字符串,而不是C#代碼。我不得不刪除等號。現在我遇到的問題是

Incorrect syntax near '\601011308'. 

指向int count =(int)cmd.ExecuteScalar();

這是表UNAME字段中值的部分條目。它的前面缺少COMPANYNAME(即:COMPANYNAME \ 601011308)。我認爲count應該返回SSO與數據庫匹配的數量(即;如果登錄的用戶SSO爲601011308,並且該表存儲的應用程序是有效的用戶,count應該返回1) 。

最新的控制器代碼,這是我在更新3上述問題:

public ActionResult HolidayDateTable() 
    { 
     var whoareyoupeople = User.Identity.Name; 
     DateTime date = DateTime.Now; 
     string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + "."; 
     SqlConnection conn = new SqlConnection("Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework"); 
     conn.Open(); 
     SqlCommand cmd = conn.CreateCommand(); 
     { 
      cmd.CommandText = string.Format("SELECT COUNT(*) FROM AUTHORIZED_USERS WHERE UNAME = " + whoareyoupeople + ")"); 
      int count = (int)cmd.ExecuteScalar(); 

      if (count == 0) 
      { 
       return RedirectToAction("AccessDenied"); 
      } 
      else 
      { 
       return View(db.HOLIDAY_DATE_TABLE); 
      } 
     } 
     }    
+1

不要從視圖中調用數據庫,請在控制器中執行此操作。你的觀點不應該有複雜的邏輯。 – DLeh 2014-09-30 18:18:56

+0

您是否使用ASP.NET MVC?如果是這樣,那麼這個邏輯不屬於你的觀點。它屬於控制器,可能位於動作過濾器中。 – 2014-09-30 18:19:06

+0

你想從頭開始構建它,而不是依賴內置的東西? http://msdn.microsoft。com/en-us/library/vstudio/eeyk640h(v = vs.100).aspx – Pleun 2014-09-30 18:22:46

回答

0

相反的ExecuteNonQuery(),使用ExecuteScalar()因爲Count()自然會返回一個整數。

int count = (int)cmd.ExecuteScalar();實際上是我昨天剛剛實施的。然後你只需在你的else/if聲明中使用count。

+0

感謝,請參閱上述更新 – Dave 2014-09-30 18:46:27

+0

爲什麼使用_作爲您的連接? – JoeManiaci 2014-09-30 19:25:35

相關問題