检查角色,用户名和密码,并在欢迎页面mvc5上重定向
本文关键字:重定向 mvc5 用户 角色 检查 密码 | 更新日期: 2023-09-27 18:08:42
我正在用 MVC 5 创建一个 Web 应用程序。在我的登录表单里有 2 个文本框、一个按钮和一个 span；如果用户提供了错误的信息，span 中的文本应当变为可见。
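<div style="margin-top:20px;">
<span>
<!-- No name attribute on the select: the chosen role is read client-side, not posted as a form field -->
<select style="width:275px; height:45px; font-size:15px; font-family:Verdana;" class="ddl">
<option>Select Your Role</option>
<option>Super Admin</option>
<option>Admin</option>
<option>Company</option>
<option>Unit</option>
<option selected="selected">Trainer</option>
<option>Employee</option>
<option>Partner Manager</option>
<option>Regional Partner Manager</option>
<option>Assistant Partner Manager</option>
<option>Zonal Partner Manager</option>
<option>LLT</option>
</select>
</span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
<span>
<input type="text" id="txtusrname" class="ddl txtbo" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Username" />
</span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
<span>
<!-- type="password" (was "text"): the browser masks the entry and does not offer it as plain-text autocomplete history -->
<input type="password" class="ddl txtbo" id="txtpass" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Password" />
</span>
</div>
<div class="imagediv" style="">
<!-- type="button" does not submit a form; this button is expected to be wired up by script -->
<input id="btnerp" type="button" class="btn btn-default btnspacererp" style="" width="200" height="34" value="Login" />
</div>
<div class="" style="margin-top:20px; Width:auto; Height:34px; margin-left:-20px;">
<!-- Hidden until a failed login makes it visible -->
<span style="font-size:14px; visibility:hidden; font-family:Verdana; color:red;">Incorrect Login Credential!!!!</span>
</div>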
我把所有登录信息传给 webservice，由 webservice 检查（下拉列表、用户名和密码）；如果用户提供的信息（下拉列表、用户名和密码）正确，页面应重定向到欢迎页面，否则应显示 span 中的消息。
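/// <summary>
/// Checks a role/username/password triple against the table that holds that role's accounts.
/// </summary>
/// <param name="role">Option text chosen in the role drop-down (e.g. "Admin", "Trainer", "LLT").</param>
/// <param name="username">Login id typed by the user.</param>
/// <param name="password">Password typed by the user.</param>
/// <returns>"true" when a matching account exists, "false" when it does not, "" when the role is not recognised.</returns>
/// <remarks>
/// The lookups compare the pass/password column with the submitted value directly, which means the
/// stored passwords are recoverable; storing a salted hash (e.g. PBKDF2) and comparing hashes is the
/// proper fix but requires a schema change that is out of scope here.
/// The class-level fields tru, fals and strname are still assigned for callers that read them.
/// </remarks>
[WebMethod]
public string getlogintype(string role, string username, string password)
{
    // These are class-level fields; reset them so a value left over from an earlier call
    // cannot leak into this one (the original only reset them in the Admin branch).
    tru = null;
    fals = null;
    strname = null;

    // null = role not recognised; the original fell through every branch and returned "".
    bool? authenticated = null;

    using (SqlConnection con = new SqlConnection("connectionstring"))
    {
        con.Open();
        switch (role)
        {
            case "Admin":
            case "Super Admin":
                authenticated = CredentialRowExists(con, "select * from [admin] where userid=@user and pass=@pass", username, password, null);
                break;
            case "Company":
                authenticated = CredentialRowExists(con, "select * from companydetails where comid=@user and pass=@pass", username, password, null);
                break;
            case "Unit":
                authenticated = CredentialRowExists(con, "select * from companyallot where email=@user and password=@pass", username, password, null);
                break;
            case "Trainer":
                authenticated = CredentialRowExists(con, "select * from trainerdetails where trid=@user and pass=@pass", username, password, null);
                break;
            case "Employee":
                // NOTE(review): the original query reads "from employee details"; SQL Server parses that as
                // table "employee" with alias "details". Kept verbatim - confirm the intended table name.
                authenticated = CredentialRowExists(con, "select * from employee details where empid=@user and pass=@pass", username, password, null);
                break;
            case "Partner Manager":
                authenticated = TrainerIsAllotted(con, username, password, "select comname from companydetails where pm=@name");
                break;
            case "Regional Partner Manager":
                authenticated = TrainerIsAllotted(con, username, password, "select trainer from rpmallot where trainer=@name");
                break;
            case "Assistant Partner Manager":
                authenticated = TrainerIsAllotted(con, username, password, "select apm from companydetails where apm=@name");
                break;
            case "Zonal Partner Manager":
                authenticated = TrainerIsAllotted(con, username, password, "select trainer from zonerpm where trainer=@name");
                break;
            case "LLT":
                // The original created the SqlDataAdapter without a command here, so Fill threw for every LLT login.
                authenticated = CredentialRowExists(con, "select * from trainerdetails where trid=@user and pass=@pass and type=@role", username, password, role);
                break;
        }
    }

    if (authenticated == true)
    {
        tru = "true";
        return tru;
    }
    if (authenticated == false)
    {
        fals = "false";
        return fals;
    }
    return "";
}

/// <summary>
/// Runs one credential query and reports whether at least one row matched.
/// </summary>
/// <param name="con">Open connection.</param>
/// <param name="sql">Query using the @user and @pass parameters (and @role when <paramref name="role"/> is given).</param>
/// <param name="username">Value bound to @user; null is bound as "" to match the old string concatenation.</param>
/// <param name="password">Value bound to @pass; null is bound as "".</param>
/// <param name="role">Value bound to @role, or null when the query does not use it.</param>
/// <returns>true when the query returns any row.</returns>
private static bool CredentialRowExists(SqlConnection con, string sql, string username, string password, string role)
{
    using (SqlCommand cmd = new SqlCommand(sql, con))
    {
        // Parameters instead of string concatenation: the former query text let any of the
        // three form fields alter the SQL statement.
        cmd.Parameters.AddWithValue("@user", username ?? string.Empty);
        cmd.Parameters.AddWithValue("@pass", password ?? string.Empty);
        if (role != null)
        {
            cmd.Parameters.AddWithValue("@role", role);
        }
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            return dr.Read();
        }
    }
}

/// <summary>
/// Two-step check used by the partner-manager roles: the trainer record must match the
/// credentials, and the trainer's empname must then appear in the role's allotment table.
/// </summary>
/// <param name="con">Open connection.</param>
/// <param name="username">Value bound to @user.</param>
/// <param name="password">Value bound to @pass.</param>
/// <param name="allotmentSql">Allotment query using the @name parameter.</param>
/// <returns>true when both lookups return a row; false otherwise.</returns>
/// <remarks>Sets the class-level field strname as a side effect, as the original did.</remarks>
private bool TrainerIsAllotted(SqlConnection con, string username, string password, string allotmentSql)
{
    using (SqlCommand cmd = new SqlCommand("select empname from trainerdetails where trid=@user and pass=@pass", con))
    {
        cmd.Parameters.AddWithValue("@user", username ?? string.Empty);
        cmd.Parameters.AddWithValue("@pass", password ?? string.Empty);
        bool found = false;
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            while (dr.Read())
            {
                found = true;
                strname = dr["empname"].ToString(); // last matching row wins, as before
            }
        }
        if (!found)
        {
            // The original left both result fields unset here (caller returned "");
            // a failed credential lookup is reported as a failed login instead.
            return false;
        }
    }

    using (SqlCommand cmdvalid = new SqlCommand(allotmentSql, con))
    {
        cmdvalid.Parameters.AddWithValue("@name", strname);
        using (SqlDataReader dr = cmdvalid.ExecuteReader())
        {
            return dr.Read();
        }
    }
}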
}
如果用户信息正确，此 web 服务返回 true；如果提供的用户名、密码或角色不正确，则返回 false。这个结果会传递到 ActionResult，那里我有三个字符串（用户名、密码、角色）；我想把用户的全部登录信息保存在 Session 中，并将用户重定向到欢迎页面。
// Placeholder from the question: the action that should receive role/username/password,
// validate them and redirect to the welcome page. Its body is intentionally empty here.
public ActionResult Login(string role, string username, string password)
{
//required code
}
这是我的 ActionResult，我需要在这里把登录信息传过去进行验证，并重定向到欢迎页面。
- 你应该用 Ajax 请求把表单数据传给 web 服务；如果 webservice 返回 true，再把表单提交给控制器。
更重要的是，如果你的表单直接提交到你贴出的那个方法，它就存在 SQL 注入漏洞——这意味着你的验证例程即使在最基本的意义上也不安全。
请改用参数化的 SQL 命令来关闭这个漏洞。
试试这个。需要使用 Html.BeginForm 提交表单，请求由 action 方法处理；在那个 action 方法里调用 getlogintype()，根据它的返回值在 ViewBag 中设置消息字符串，并通过 ViewBag.Message 把它传递给视图。
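@using (Html.BeginForm("Login", "ControllerName", FormMethod.Post ))
{
@* Field names below must match the keys read from FormCollection in the POST Login action *@
<div style="margin-top:20px;">
<span>
<select style="width:275px; height:45px; font-size:15px; font-family:Verdana;" class="ddl" name="roleSelect">
<option>Select Your Role</option>
<option>Super Admin</option>
<option>Admin</option>
<option>Company</option>
<option>Unit</option>
<option selected="selected">Trainer</option>
<option>Employee</option>
<option>Partner Manager</option>
<option>Regional Partner Manager</option>
<option>Assistant Partner Manager</option>
<option>Zonal Partner Manager</option>
<option>LLT</option>
</select>
</span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
<span>
<input type="text" id="txtusrname" class="ddl txtbo" name="txtusrname" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Username" />
</span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
<span>
@* type="password" (was "text"): masks the entry and keeps it out of plain-text autocomplete history *@
<input type="password" class="ddl txtbo" id="txtpass" name="txtpass" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Password" />
</span>
</div>
<div class="imagediv" style="">
@* type="submit" (was "button"): a type="button" input never submits the BeginForm form, so the POST action was never reached *@
<input id="btnerp" type="submit" class="btn btn-default btnspacererp" style="" width="200" height="34" value="Login" />
</div>
<div style="margin-top:20px; Width:auto; Height:34px; margin-left:-20px;">
<span style="font-size:14px;font-family:Verdana; color:red;">@ViewBag.Message</span>
</div>
}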
// Controller
/// <summary>
/// GET Login: renders the empty login form.
/// </summary>
/// <returns>The Login view with no message set.</returns>
public ActionResult Login()
{
    ViewResult loginForm = View();
    return loginForm;
}
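/// <summary>
/// POST Login: reads the three form fields, asks the login web service to validate them,
/// and either redirects to the welcome page or re-renders the form with an error message.
/// </summary>
/// <param name="form">Posted form values; keys match the name attributes in the login view.</param>
/// <returns>A redirect on success, otherwise the Login view with ViewBag.Message set.</returns>
/// <remarks>
/// NOTE(review): a successful check only redirects; nothing here records that the user is
/// authenticated (no FormsAuthentication ticket or session entry), so the welcome action is
/// reachable directly unless it performs its own check. Once the view emits @Html.AntiForgeryToken(),
/// [ValidateAntiForgeryToken] can be added to this action.
/// </remarks>
[HttpPost]
public ActionResult Login(FormCollection form)
{
    string role = form["roleSelect"];
    string username = form["txtusrname"];
    string password = form["txtpass"];

    // The original line was missing its terminating ';' and did not compile.
    webservice.loginservice a = new webservice.loginservice();
    string xyz = a.getlogintype(role, username, password);

    if (xyz == "true")
    {
        return RedirectToAction("Welcome_ActionMethod", "Welcome_Controller");
    }

    // Any other result ("false" or "" for an unknown role) is treated as a failed login.
    ViewBag.Message = "Incorrect Login Credential!!!!";
    return View();
}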