1. 首页
  2. 问答
  3. 通过SQL进行用户认证表

通过SQL进行用户认证表

2014-09-30 148 views
0

我试图在我的应用程序中实现一些安全性。我有一个名为USER_AUTHORIZATION的表,其中包含要使用应用程序的用户的ID的有效单一标记列表。格式为COMPANYNAME \ 111222333,并存储在名为UNAME的字段中。我试图在访问应用程序时执行检查,看看是否当前登录用户位于有效用户表中。如果他们的SSO不在表格中,我想显示一条错误消息。通过SQL进行用户认证表

查看

@model IEnumerable<BillingApp.Models.HOLIDAY_DATE_TABLE> 
@using System.Data; 
@using System.Data.SqlClient; 
@{ 
ViewBag.Title = "Table 8: Holiday Date Table"; 
Layout = "../Shared/Layout2.cshtml"; 
var whoareyoupeople = @User.Identity.Name; 
DateTime date = DateTime.Now; 
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + "."; 

string connStringswag = "Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated  Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework"; 
using (SqlConnection _connyswagyolo = new SqlConnection(connStringswag)) 
{ 
    _connyswagyolo.Open(); 
    string checkauth = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")"; 
    SqlCommand Command223 = new SqlCommand(checkauth, _connyswagyolo); 
    Command223.ExecuteNonQuery(); 
    _connyswagyolo.Close(); 
} 

@section featured2 { 
@if (whoareyoupeople not found in table){ 
    <center><h2 style="color:red">Access Denied for user @User.Identity.Name. You are not authorized to view this application.</h2></center> 
    string fileName = "C:\\BillingExport\\SECURITY\\seclog.txt"; 
    using (FileStream fs = new FileStream(fileName, FileMode.Append, FileAccess.Write)){ 
    using (StreamWriter sw = new StreamWriter(fs)) 
    { 
     sw.WriteLine(myerrorstring); 
    } 
} 
} 
else{ 
    //actual content to be displayed (table information) goes here

我的两个最大的问题是,我怎么形成的if语句来检查查询的结果?此外,我收到错误“CS1513:}预计”。

您会注意到以下代码段在使用sqlconnection行时有一个缺失的结束语breacket。这是因为无论出于何种原因,第一个右括号总是被visual studio 2012认为是代码块的末尾(即@ {})。

更新:我感动的代码到我的控制器

public ActionResult HolidayDateTable() 
    { 
     var whoareyoupeople = User.Identity.Name; 
     DateTime date = DateTime.Now; 
     string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + "."; 

     string connStringswag = "Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework"; 
     using (SqlConnection _connyswagyolo = new SqlConnection(connStringswag)) 
     { 
      _connyswagyolo.Open(); 
      string checkauth = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")"; 
      SqlCommand Command223 = new SqlCommand(checkauth, _connyswagyolo); 
      int count = (int)Command223.ExecuteScalar(); 
      _connyswagyolo.Close(); 

      if (count == 0) 
      { 
       return RedirectToAction("AccessDenied"); 
      } 
      else 
      { 
       return View(db.HOLIDAY_DATE_TABLE); 
      } 
     } 
    }

目前收到错误 “附近有语法错误 '='。” 指向行int count =(int)Command223.ExecuteScalar();

更新2:我与我的代码发挥各地,但无论我做什么,提出的解决 诠释计数=(INT)Command223.ExecuteScalar(); 似乎不起作用。以下是我更新的控制器代码。

public ActionResult HolidayDateTable() 
    { 
     var whoareyoupeople = User.Identity.Name; 
     DateTime date = DateTime.Now; 
     string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + "."; 
     string query = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")"; 
     SqlConnection conn = new SqlConnection("Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework"); 
     conn.Open(); 
     SqlCommand cmd = conn.CreateCommand(); 
     { 
      cmd.CommandText = string.Format("SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")"); 
      int count = (int)cmd.ExecuteScalar(); 

      if (count == 0) 
      { 
       return RedirectToAction("AccessDenied"); 
      } 
      else 
      { 
       return View(db.HOLIDAY_DATE_TABLE); 
      } 
     } 
     }

更新3:的问题是我的查询字符串,而不是C#代码。我不得不删除等号。现在我遇到的问题是

Incorrect syntax near '\601011308'.

指向int count =(int)cmd.ExecuteScalar();

这是表UNAME字段中值的部分条目。它的前面缺少COMPANYNAME(即:COMPANYNAME \ 601011308)。我认为count应该返回SSO与数据库匹配的数量(即;如果登录的用户SSO为601011308,并且该表存储的应用程序是有效的用户,count应该返回1) 。

最新的控制器代码,这是我在更新3上述问题:

public ActionResult HolidayDateTable() 
    { 
     var whoareyoupeople = User.Identity.Name; 
     DateTime date = DateTime.Now; 
     string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + "."; 
     SqlConnection conn = new SqlConnection("Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework"); 
     conn.Open(); 
     SqlCommand cmd = conn.CreateCommand(); 
     { 
      cmd.CommandText = string.Format("SELECT COUNT(*) FROM AUTHORIZED_USERS WHERE UNAME = " + whoareyoupeople + ")"); 
      int count = (int)cmd.ExecuteScalar(); 

      if (count == 0) 
      { 
       return RedirectToAction("AccessDenied"); 
      } 
      else 
      { 
       return View(db.HOLIDAY_DATE_TABLE); 
      } 
     } 
     }

来源

2014-09-30 Dave

+1

不要从视图中调用数据库,请在控制器中执行此操作。你的观点不应该有复杂的逻辑。 – DLeh 2014-09-30 18:18:56

+0

您是否使用ASP.NET MVC?如果是这样,那么这个逻辑不属于你的观点。它属于控制器,可能位于动作过滤器中。 – 2014-09-30 18:19:06

+0

你想从头开始构建它,而不是依赖内置的东西? http://msdn.microsoft。com/en-us/library/vstudio/eeyk640h(v = vs.100).aspx – Pleun 2014-09-30 18:22:46

回答

0

相反的ExecuteNonQuery(),使用ExecuteScalar()因为Count()自然会返回一个整数。

int count = (int)cmd.ExecuteScalar();实际上是我昨天刚刚实施的。然后你只需在你的else/if声明中使用count。

来源

2014-09-30 18:21:51 JoeManiaci

+0

感谢,请参阅上述更新 – Dave 2014-09-30 18:46:27

+0

为什么使用_作为您的连接? – JoeManiaci 2014-09-30 19:25:35

相关问题

 相关问题