我试图在我的应用程序中实现一些安全性。我有一个名为USER_AUTHORIZATION的表,其中包含要使用应用程序的用户的ID的有效单一标记列表。格式为COMPANYNAME \ 111222333,并存储在名为UNAME的字段中。我试图在访问应用程序时执行检查,看看是否当前登录用户位于有效用户表中。如果他们的SSO不在表格中,我想显示一条错误消息。通过SQL进行用户认证表
查看
@model IEnumerable<BillingApp.Models.HOLIDAY_DATE_TABLE>
@using System.Data;
@using System.Data.SqlClient;
@{
ViewBag.Title = "Table 8: Holiday Date Table";
Layout = "../Shared/Layout2.cshtml";
var whoareyoupeople = @User.Identity.Name;
DateTime date = DateTime.Now;
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + ".";
string connStringswag = "Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework";
using (SqlConnection _connyswagyolo = new SqlConnection(connStringswag))
{
_connyswagyolo.Open();
string checkauth = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")";
SqlCommand Command223 = new SqlCommand(checkauth, _connyswagyolo);
Command223.ExecuteNonQuery();
_connyswagyolo.Close();
}
@section featured2 {
@if (whoareyoupeople not found in table){
<center><h2 style="color:red">Access Denied for user @User.Identity.Name. You are not authorized to view this application.</h2></center>
string fileName = "C:\\BillingExport\\SECURITY\\seclog.txt";
using (FileStream fs = new FileStream(fileName, FileMode.Append, FileAccess.Write)){
using (StreamWriter sw = new StreamWriter(fs))
{
sw.WriteLine(myerrorstring);
}
}
}
else{
//actual content to be displayed (table information) goes here
我的两个最大的问题是,我怎么形成的if语句来检查查询的结果?此外,我收到错误“CS1513:}预计”。
您会注意到以下代码段在使用sqlconnection行时有一个缺失的结束语breacket。这是因为无论出于何种原因,第一个右括号总是被visual studio 2012认为是代码块的末尾(即@ {})。
更新:我感动的代码到我的控制器
public ActionResult HolidayDateTable()
{
var whoareyoupeople = User.Identity.Name;
DateTime date = DateTime.Now;
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + ".";
string connStringswag = "Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework";
using (SqlConnection _connyswagyolo = new SqlConnection(connStringswag))
{
_connyswagyolo.Open();
string checkauth = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")";
SqlCommand Command223 = new SqlCommand(checkauth, _connyswagyolo);
int count = (int)Command223.ExecuteScalar();
_connyswagyolo.Close();
if (count == 0)
{
return RedirectToAction("AccessDenied");
}
else
{
return View(db.HOLIDAY_DATE_TABLE);
}
}
}
目前收到错误 “附近有语法错误 '='。” 指向行int count =(int)Command223.ExecuteScalar();
更新2:我与我的代码发挥各地,但无论我做什么,提出的解决 诠释计数=(INT)Command223.ExecuteScalar(); 似乎不起作用。以下是我更新的控制器代码。
public ActionResult HolidayDateTable()
{
var whoareyoupeople = User.Identity.Name;
DateTime date = DateTime.Now;
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + ".";
string query = "SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")";
SqlConnection conn = new SqlConnection("Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework");
conn.Open();
SqlCommand cmd = conn.CreateCommand();
{
cmd.CommandText = string.Format("SELECT COUNT(*) FROM USER_AUTHORIZATION WHERE UNAME == " + whoareyoupeople + ")");
int count = (int)cmd.ExecuteScalar();
if (count == 0)
{
return RedirectToAction("AccessDenied");
}
else
{
return View(db.HOLIDAY_DATE_TABLE);
}
}
}
更新3:的问题是我的查询字符串,而不是C#代码。我不得不删除等号。现在我遇到的问题是
Incorrect syntax near '\601011308'.
指向int count =(int)cmd.ExecuteScalar();
这是表UNAME字段中值的部分条目。它的前面缺少COMPANYNAME(即:COMPANYNAME \ 601011308)。我认为count应该返回SSO与数据库匹配的数量(即;如果登录的用户SSO为601011308,并且该表存储的应用程序是有效的用户,count应该返回1) 。
最新的控制器代码,这是我在更新3上述问题:
public ActionResult HolidayDateTable()
{
var whoareyoupeople = User.Identity.Name;
DateTime date = DateTime.Now;
string myerrorstring = "User " + whoareyoupeople + " attempted unauthorized access on " + date + ".";
SqlConnection conn = new SqlConnection("Data Source=SWDB10DSQL;Initial Catalog=BillingUI;Integrated Security=True;MultipleActiveResultSets=True;Application Name=EntityFramework");
conn.Open();
SqlCommand cmd = conn.CreateCommand();
{
cmd.CommandText = string.Format("SELECT COUNT(*) FROM AUTHORIZED_USERS WHERE UNAME = " + whoareyoupeople + ")");
int count = (int)cmd.ExecuteScalar();
if (count == 0)
{
return RedirectToAction("AccessDenied");
}
else
{
return View(db.HOLIDAY_DATE_TABLE);
}
}
}
不要从视图中调用数据库,请在控制器中执行此操作。你的观点不应该有复杂的逻辑。 – DLeh 2014-09-30 18:18:56
您是否使用ASP.NET MVC?如果是这样,那么这个逻辑不属于你的观点。它属于控制器,可能位于动作过滤器中。 – 2014-09-30 18:19:06
你想从头开始构建它,而不是依赖内置的东西? http://msdn.microsoft。com/en-us/library/vstudio/eeyk640h(v = vs.100).aspx – Pleun 2014-09-30 18:22:46