我为普通用户和管理员用户使用相同的登录页面，但在登录后，系统应该将用户带到不同的页面。 [英] I am using same login page for both the general users and admin users but after login, the system should take both the users to different pages.

问题描述

普通用户和管理员用户使用相同的表进行注册。注册表有一个user_type字段，用于创建普通用户和管理员用户之间的区别。两个用户都使用相同的登录屏幕。但成功登录后，登录页面应将用户和管理员指向不同的页面。如果用户类型为1则为admin，如果用户类型为2，则为普通用户。我在登录页面中使用下面的代码，但它似乎是不正确的。请告诉我需要更正的内容。



当我按下登录按钮时，系统显示以下错误。



'，'附近语法不正确'



我尝试过：



SqlConnection con = new SqlConnection（）;

con.ConnectionString =Data Source = .\\sqlexpress; Initial Catalog = college_education; User ID = sa; Password = system; ;

con.Open（）;

string q =select * from user_details where user_name ='+ TextBox1.Text +'，password ='+ TextBox2.Text +'，user_type ='+ TextBox3.Text +';

SqlCommand com = new SqlCommand（q，con）;

SqlDataReader sdr = com .ExecuteReader（）;

if（sdr.Read（））

{

Session [user] = sdr [user_name ];

会话[密码] = sdr [密码];

会话[用户类型] = s dr [user_type = 1];

Response.Redirect（adminfilerecord.aspx）;

general user and admin user use same table for registration. registration table has a user_type field which creates difference between general user and admin user. both the users use same login screen. but after successful login, the login page should direct both the user and admin to different pages. if user type is 1 then it is admin and if user type is 2 then it is general user. i am using below code in the login page but it seems to be incorrect. please let me know what correction is required.

when i am pressing login button, the system is showing below error.

Incorrect syntax near ','

What I have tried:

SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=.\\sqlexpress;Initial Catalog=college_education;User ID=sa;Password=system;";
con.Open();
string q = "select * from user_details where user_name='" + TextBox1.Text + "', password='" + TextBox2.Text + "',user_type='"+TextBox3.Text+"'";
SqlCommand com = new SqlCommand(q, con);
SqlDataReader sdr = com.ExecuteReader();
if (sdr.Read())
{
Session["user"] = sdr["user_name"];
Session["password"] = sdr["password"];
Session["user type"] = sdr["user_type=1"];
Response.Redirect("adminfilerecord.aspx");

推荐答案

这里有大量问题：第一个也是最重要的是你必须永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。

登录代码特别重要，因为用户可以绕过安全性或删除数据库，甚至无需登录！在整个代码中修复此 ，或者您最好的伙伴会删除您的数据库只是为了看到您脸上的表情。



第二件事是你的SQL查询是垃圾。如果我删除文本框并将其写出来，因为它将呈现给SQL：

Loads of problems here: The first and most important is that you must never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Particularly important with login code, since users can bypass your security or delete your database without even having to log in! Fix this first throughout your code, or your best mate will delete your DB just to see the expression on your face.

The second thing is that your SQL query is rubbish. If I remove teh textboxes and write it out as it would be presented to SQL:

select * from user_details where user_name='MyName', password='MyPassword', user_type='MyType'

这是无效的SQL语法：它符合第一个逗号并说在这做什么？您的意思可能是：

That isn't valid SQL syntax: it meets the first comma and says "what is that doing here?" Probably what you meant to say was:

select * from user_details where user_name='MyName' AND password='MyPassword' AND user_type='MyType'

但即便如此，也存在问题：为什么用户必须输入user或admin或其他任何内容才能登录？您的系统知道允许哪个类，所以从数据库而不是用户那里获取它。



第三个是您以明文形式存储密码。这很糟糕，非常糟糕： Code Crime 1 [ ^ ] - 请看这里，它可能会有所帮助：密码存储：怎么做。 [ ^ ]

But even then there are problems: why would your users have to type "user" or "admin" or anything else in order to log in? Your system knows what class they are permitted to be, so fetch that from the DB not the user.

The third is that you are storing passwords in clear text. That's bad, very bad: Code Crime 1[^] - see here, it may help: Password Storage: How to do it.[^]

使用switch case和break语句如



string userType = sdr [user_type];

use switch case and break statement like

string userType=sdr["user_type];

switch(userType)
{
    case "Admin":
          Response.Redirect("adminPage.aspx");
          break;
    case "GeneralUser":
          Response.Redirect("genUserPage.aspx");
          break;
    default:
          Response.Redirect("SomePage.aspx");
          break;
}

这篇关于我为普通用户和管理员用户使用相同的登录页面，但在登录后，系统应该将用户带到不同的页面。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！