如果选择其他选择在C＃窗体中，我如何写 [英] How I write if select else select in C# windows form

问题描述

我想在用户管理员时做一些事情，当用户是用户时再做一些事情。



当用户是管理员时，这是我的代码： -

i want do some thing when user is admin and do another some thing when user is user.

this is my code when user is admin:-

private void btn_OkLogin_Click(object sender, EventArgs e)
        {
            validation();
            if(valideUserName == true && validePassword == true)
            {
                s = "select Role_id from Users where User_name = '" + txt_UserName.Text + "' and Password = '" + txt_Password.Text + "' and Role_id = 1 ";
                sdAdapter = new SqlDataAdapter(s, con);
                dt = new DataTable();
                sdAdapter.Fill(dt);
                if (dt.Rows.Count == 1)
                {
                    string s2 = " insert into LoginAndOutDate(user_name, Login_Date) ";
                    s2 = s2 + " values(@user_name, CURRENT_TIMESTAMP) ";

                    if (con.State == ConnectionState.Closed)
                        con.Open();

                    using (sCommand = new SqlCommand(s2, con))
                    {
                        sCommand.Parameters.AddWithValue("@user_name", txt_UserName.Text);
                        sCommand.ExecuteNonQuery();
                    }

                    if (con.State == ConnectionState.Open)
                        con.Close();

                    this.Hide();
                    FRM_Main frm = new FRM_Main(txt_UserName.Text, true);
                    frm.RefToFormLogin = this;
                    frm.Show();
                    txt_Password.Clear();           
                }

我的尝试：



当用户是用户时，如何编写代码

What I have tried:

How i write code when user is user

推荐答案

对于初学者，不要这样做！

永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。你清楚地知道如何使用它们，因为你是为INSERT查询而做的。



但是......为什么你在用户登录时检索一个Role_id，如果你知道Role_id已经是什么了吗？据推测，Role_id确定用户是用户还是管理员 - 因此只有当他是一个州时才让他登录，或者当他是另一个类型的用户时，另一个特别阻止你做任何事情。

删除SELECT查询的and Role_id = 1部分，并检查返回的值 - 这将告诉您允许用户执行的操作，并且可以直接对其进行测试。

For starters, don't do it like that!
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. You clearly know how to use them, because you do for the INSERT query.

But...why are you retrieving a Role_id when your user logs in, if you know what teh Role_id already is? Presumably, the Role_id determines if the user is a User or an Admin - so only letting him log in when he is one state or the other specifically prevents you from doing anything when he is the other "type" of user.
Remove the "and Role_id = 1" part of the SELECT query, and check the returned value - that will tell you what the user is allowed to do and you can test on that directly.

这篇关于如果选择其他选择在C＃窗体中，我如何写的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！