自定义登录ASP.NET C＃ [英] Custom Login ASP.NET C#

问题描述

我目前在做ASP.NET自定义登录。我已经修改了登录控制的code用我的数据库，而不是将ASPNET表。这里是我的code的样本;

I'm currently making a custom login in ASP.NET. I've modified the code of the Login Control to use my database instead of the Aspnet table. Here's a sample of my code;

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient;


public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    // Custom login control
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        try
        {
            string uname = Login1.UserName.Trim();
            string password = Login1.Password.Trim();

            bool flag = AuthenticateUser(uname, password);
            if (flag == true)
            {
                e.Authenticated = true;
                Login1.DestinationPageUrl = "Default.aspx";
            }
            else
                e.Authenticated = false;
        }
        catch (Exception)
        {
            e.Authenticated = false;
        }
    }

    private bool AuthenticateUser(string uname, string password)
    {
        bool bflag = false;
        string connString = "Server=DEVSERVER;User ID=sa;Password=whatpassword;Database=CommonUser";
string connstring2 = "Server=DEVSERVER;User ID=sa;Password=whatpassword;Database=Admins";
        string strSQL = "Select * from dbo.Users where Username ='" + uname + "' and Password ='" + password + "'";
        DataSet userDS = new DataSet();
        SqlConnection m_conn;
        SqlDataAdapter m_dataAdapter;
        SqlCommand m_Command;
        try
        {
            m_conn = new SqlConnection(connString);
            m_conn.Open();
            m_dataAdapter = new SqlDataAdapter(strSQL, m_conn);
            m_dataAdapter.Fill(userDS);
            m_conn.Close();
        }
        catch (Exception)
        {
            userDS = null;
        }

        if (userDS != null)
        {
            if (userDS.Tables[0].Rows.Count > 0)
                bflag = true;
        }
        return bflag;

    }
}

我对Admin用户另一个数据库。所以我的问题是我怎么可以把它检查数据库的管理员用户。此外，我怎么可以限制就好〜管理员/ AdminPages.aspx某些页面普通用户？目前，我试图找出<一个href=\"http://stackoverflow.com/questions/1348832/asp-net-deny-access-on-certain-pages-to-users\">This.

任何帮助将是非常美联社preciated;）

Any help would be much appreciated ;)

在此先感谢

推荐答案

好了，我要这样说，但知道我的意思是在最好的可能的方式...

Ok, so I am going to say this, but know that I mean it in the nicest possible way...

您这样做是错的！

我并不是在反对使用自定义数据库虽然Asp.Net <一的href=\"http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.aspx\">already有这种内置的。我还没有在反对手的方法编码这个时候你可能会使用非常的不错可插拔的提供者模型的是Asp.Net内置了什么，我在反对这是code有多宽打开是一个的Sql注入攻击。

I'm not arguing against the use of a custom database although Asp.Net already has this built in. I'm not even arguing against hand coding this in a method when you could be using the very nice pluggable provider model that Asp.Net has built in. What I am arguing against is how wide open this code is to a Sql Injection attack.

考虑一秒钟，如果我在 X类型会发生什么; DROP TABLE用户; - 作为用户名？ 坏事MAN !!!!

Consider for a second what would happen if I typed in x'; DROP TABLE Users; -- as the username? BAD THINGS MAN!!!!

好了，认真地跟着我摆在那里的联系，并请请请最起码的使用参数化查询！

Ok, so seriously follow the links I put in there and please please please at the very least use parameterized queries!

这篇关于自定义登录ASP.NET C＃的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！