1. 首页
  2. 问答
  3. 如何检查用户是否是“管理员”

如何检查用户是否是“管理员”

2012-08-12 124 views
0

我正在开发使用ASP.NET 4.0和SQL Server 2008的网站。在Login Page中,我必须检查用户供应商ID并根据供应商ID重定向页面到不同的页面。一切正常,但我不知道如何检查管理员何时输入VendorID和密码,以便管理页面重定向。他的供应商ID和密码也与其他用户存储在同一个表“User_Info”中。请参阅下面的代码,它总是重定向到管理页面,因为我直接在代码中提供了他的vendorID和密码。请给出您的建议来解决此问题。如何检查用户是否是“管理员”

protected void BtnHomeUserSubmit_Click(object sender, EventArgs e) 
    { 
     SqlConnection SqlCon = new SqlConnection(GetConnectionString()); 
     try 
     {   
     var da1 = new SqlDataAdapter("select * from User_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND User_Password='" + txtHomePassword.Text.Trim() + "'", SqlCon); 
      var dt1 = new DataTable(); 
      da1.Fill(dt1); 
      if (dt1.Rows.Count == 0) 
      { 
      ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert('Enter valid Vendor ID and Password');", true); 
      } 
      else 
      { 
      var da = new SqlDataAdapter("select * from User_Info where Vendor_ID='Admin' AND User_Password='123456'", SqlCon); 
       var dt = new DataTable(); 
       da.Fill(dt); 
       if (dt.Rows.Count > 0) 
       { 
       Response.Redirect("~/AdminCompanyInfo.aspx"); 
       } 
       var da2 = new SqlDataAdapter("select * from Company_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND Approval_Status='NO' OR        Approval_Status='PEN'", SqlCon); 
       var dt2 = new DataTable(); 
       da2.Fill(dt2); 
       if (dt2.Rows.Count > 0) 
       { 
       string url = "../ApprovalStatus2.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text); 
       ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID is waiting for Approval');window.location.href = '" +      url + "';", true); 
       } 
       var da3 = new SqlDataAdapter("select Vendor_ID from RegPage1 where Vendor_ID='" + txtHomeUsername.Text.Trim() + "'", SqlCon); 
       var dt3 = new DataTable(); 
       da3.Fill(dt3); 
       if (dt3.Rows.Count > 0) 
       { 
        string url = "../UserLogin.aspx"; 
        ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID already completed the registration');window.location.href = '" + url + "';", true); 
       } 
       else 
       { 
       Response.Redirect("~/RegPage1.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text)); 
       } 
      } 
     } 
     finally 
     { 
      SqlCon.Close(); 
     } 
    }

来源

2012-08-12 Hari

+2

约在某个时候“SQL注入”读... – 2012-08-12 10:11:48

回答

1

试试这个.. 当你建立一个架构考虑这个访问数据库是代码最昂贵的访问。而且更喜欢使用SqlCommand(参数化值)。

var da1 = new SqlDataAdapter("select * from User_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND User_Password='" + txtHomePassword.Text.Trim() + "'", SqlCon); 
      var dt1 = new DataTable(); 
      da1.Fill(dt1); 
      if (dt1.Rows.Count == 0) 
      { 
      ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert('Enter valid Vendor ID and Password');", true); 
      } 
      else 
      { 

      switch(dt.Rows[0]["Vendor_ID"].ToString()) 
       { 
       case "Admin": Response.Redirect("~/AdminCompanyInfo.aspx"); break; 
       //other oprtions goes here... 
       } 
       var da2 = new SqlDataAdapter("select * from Company_Info where Vendor_ID='" + txtHomeUsername.Text.Trim() + "' AND Approval_Status='NO' OR        Approval_Status='PEN'", SqlCon); 
       var dt2 = new DataTable(); 
       da2.Fill(dt2); 
       if (dt2.Rows.Count > 0) 
       { 
       string url = "../ApprovalStatus2.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text); 
       ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID is waiting for Approval');window.location.href = '" +      url + "';", true); 
       } 
       var da3 = new SqlDataAdapter("select Vendor_ID from RegPage1 where Vendor_ID='" + txtHomeUsername.Text.Trim() + "'", SqlCon); 
       var dt3 = new DataTable(); 
       da3.Fill(dt3); 
       if (dt3.Rows.Count > 0) 
       { 
        string url = "../UserLogin.aspx"; 
        ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID already completed the registration');window.location.href = '" + url + "';", true); 
       } 
       else 
       { 
       Response.Redirect("~/RegPage1.aspx?Parameter=" + Server.UrlEncode(txtHomeUsername.Text)); 
       } 
      }

来源

2012-08-12 09:29:33 hkutluay

+0

感谢reply.Where我检查管理员密码? – Hari 2012-08-12 10:02:38

+0

您在'select * from User_Info Vendor_ID = ..'行查看用户名和密码。 – hkutluay 2012-08-12 11:08:44

相关问题

 相关问题