用户和管理员登录页面 [英] User and admin login page
问题描述
我不知道如何在control-panel.aspx页面上重定向用户以及admin.aspx页面上的管理员。
我试过这个但是没有工作。
请帮助
我的尝试:
I dont know how to redirect users on control-panel.aspx page and admin on admin.aspx page.
I have tried this but not working.
Please help
What I have tried:
<pre> protected void Button1_Click(object sender, EventArgs e)
{
string user = TextBox1.Text.Trim();
cmd.CommandText = "select* from Users where Email='" + TextBox1.Text + "' and Password= '"+ TextBox2.Text +"'";
cmd.Connection = con;
sda.SelectCommand = cmd;
sda.Fill(ds, "Users");
SqlCommand check_User_Name = new SqlCommand("SELECT count([Role]) Users WHERE ([Role] = 'Admin' ");
check_User_Name.CommandType = CommandType.Text;
SqlDataAdapter sdaa = new SqlDataAdapter(check_User_Name);
DataTable dt = new DataTable();
sdaa.Fill(dt);
if (ds.Tables[0].Rows.Count > 0)
{
if (dt.Rows.Count > 0)
{
Response.Redirect("Admin.aspx");
}
else
{
Session["user"] = user;
Response.Redirect("Control-Panel.aspx");
}
}
else
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "Message", "alert('Something gone wrong');", true);
}
}
推荐答案
对于初学者,不要这样做!这里有很多错误...
1)永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。改为使用参数化查询。
连接字符串时会导致问题,因为SQL会收到如下命令:
For starters, don't do it like that! So many things wrong here...
1) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'就SQL而言,用户添加的引号会终止字符串,并且您会遇到问题。但情况可能更糟。如果我来并改为输入:x'; DROP TABLE MyTable; - 然后SQL收到一个非常不同的命令:
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'哪个SQL看作三个单独的命令:
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';完全有效的SELECT
A perfectly valid SELECT
DROP TABLE MyTable;完全有效的删除表格通讯和
A perfectly valid "delete the table" command
--'其他一切都是评论。
所以它确实:选择任何匹配的行,从数据库中删除表,并忽略其他任何内容。
所以总是使用参数化查询!或者准备好经常从备份中恢复数据库。你经常定期备份,不是吗?
并在网站的登录页面上进行备份?任何人,任何地方都可以做他们想做的事情?这几乎是犯罪愚蠢。
2)绝不以明文形式存储密码 - 这是一个主要的安全风险。有关如何在此处执行此操作的信息:密码存储:如何做到这一点。 [ ^ ]将它与SQL注入相结合,我可以根据需要以我想要的方式登录,甚至不知道单个密码...
3)让你的SQL正确。
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
And doing it on the login page for a website? Where anyone, anywhere can do what they want? That's almost criminally silly.
2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^] Combine that with teh SQL Injection, and I can log in as who I want, when I want, without even knowinhg a single password...
3) Get your SQL right.
new SqlCommand("SELECT count([Role]) Users WHERE ([Role] = 'Admin' ");在用户之前没有FROM会导致SQL异常。
在整个应用程序中按优先顺序修复这些内容:或者你将失去你的数据库 - 你最好的伙伴会尝试看看会发生什么,只是为了看看你的脸......
Without a 'FROM' before 'Users' that will cause an SQL exception.
Fix these, in that order as a matter of priority throughout your whole app: or you will lose your database - heck you best mate will try it to see what happens and just to see the look on your face...
SELECT count([Role]) Users WHERE ([Role] = 'Admin'
这是无效的,没有来自并且您没有关闭最后一个括号
This isn't valid, there is no "from" and you aren't closing the last parenthesis
SELECT count([Role]) from Users WHERE ([Role] = 'Admin')
其次,如果您认为此声明中的用户正在访问您在此处创建的用户表格;
Secondly if you think "Users" in this statement is accessing the "Users" table you created here;
sda.Fill(ds, "Users");
然后它不是。无论您的用户表中是否有一个名为Role的字段,那么您不需要第二个命令,您已经在ds的Users表中拥有了所需的数据。检查行数是1,如果它被读取数据表第一行的角色字段,那将为您提供该用户的角色。
正如OriginalGriff已经指出的那样,你在这里所做的一切都很糟糕:)我将通过声明你的设计意味着一个人只能在一个角色中添加他的评论,但我感谢你只是想要得到基础工作。
Then it isn't. Regardless if you have a field called "Role" in your users table then you don't need the second command, you already have the data you need in the "Users" table in "ds". Check the count of rows is 1 and if it is read the "Role" field of the first row of the data table and that will give you that user's role.
As OriginalGriff has already pointed out, literally everything you are doing here is bad :) I'll add to his comments by stating that your design means a person can only be in one role, but I appreciate you're just trying to get the basics working.
试试这个
Try this
if (ds.Tables[0].Rows.Count > 0)
{
DataTable dtUsers = ds.Tables["Users"];
Session["user"] = user;
if (dtUsers.Rows.Count == 1) // it should return only one row
{
if (dtUsers.Rows[0]["Role"].ToString() == "Admin")
Response.Redirect("Admin.aspx");
else
Response.Redirect("Control-Panel.aspx");
}
else
{
Response.Redirect("Control-Panel.aspx");
}
}
else
{
ScriptManager.RegisterStartupScript(this, this.GetType(), "Message", "alert('Something gone wrong');", true);
}
由于您已将用户信息填充到数据集中,因此无需再次查询该角色要检查角色,你应该从它自己的数据集中获取角色信息。
注意:连接sql查询字符串是易受攻击到 SQL注入 [ ^ ]攻击,始终使用参数化查询以防止SQL Server中的SQL注入攻击[ [ ^ ]
您应删除这些代码
Since you have already filled the user information into the dataset, there is no need to query the role once again to check the role, you shall get the role information from the dataset it self.
Note: Concatenating the sql Query string is vulnerable to SQL Injection[^] attacks,always use Parameterized queries to prevent SQL Injection Attacks in SQL Server[[^]
you shall remove these codes
SqlCommand check_User_Name = new SqlCommand("SELECT count([Role]) Users WHERE ([Role] = 'Admin' ");
check_User_Name.CommandType = CommandType.Text;
SqlDataAdapter sdaa = new SqlDataAdapter(check_User_Name);
DataTable dt = new DataTable();
sdaa.Fill(dt);
这篇关于用户和管理员登录页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
