1

当用户使用他的 Vendor_ID 和密码登录时,他将根据条件重定向到 2 个不同的页面。如果他已经在网站上注册并且他的注册得到了网络管理员的批准,他将重定向到“RegPage1.aspx”,否则重定向到“ApprovalStatus.aspx”。如果用户输入了错误的 Vendor_ID 或密码,它将抛出错误消息“输入有效的 VendorID 或密码”。所以我写了如下的C#代码。它工作正常,但任何人都可以通过合并两个 SQL 查询来帮助我简单地做到这一点,检查“User_Info”表中的 vendor_ID 可用性和“Company_Info”表中的 ApprovalStatus 检查?

    protected void BtnHomeUserSubmit_Click(object sender, EventArgs e)
    {            
    SqlConnection SqlCon = new SqlConnection(GetConnectionString());  
    try      
    {             
      if ((txtHomeUsername.Text == "") || (txtHomePassword.Text == ""))        
      {               
        ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert ('Enter valid  VendorID or Password');", true); 
      }             
      else           
      {       
         var da1 = new SqlDataAdapter("select * from User_Info where Vendor_ID='" +  txtHomeUsername.Text.Trim() + "'", SqlCon);                
        var dt1 = new DataTable();          
        da1.Fill(dt1);         
        if (dt1.Rows.Count > 0)        
        {            
         var da2 = new SqlDataAdapter("select * from Company_Info where Approval_Status='NO' AND Vendor_ID='" + txtHomeUsername.Text.Trim() + "'", SqlCon);        
              var dt2 = new DataTable();    
              da2.Fill(dt2);            

         if (dt2.Rows.Count > 0)       
         {            
           string url = "ApprovalStatus.aspx";     
           ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID is already registered');window.location.href = '" + url + "';", true);  
         }        
         else          
         {                      
             Response.Redirect("RegPage1.aspx?Parameter=" + Server.UrlEncode (txtHomeUsername.Text));        
         }       
     }          
       ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert('Enter valid  VendorID or Password');", true);     
         }      
    }       
   finally   
   {      
    SqlCon.Close();    
   }       
   }
4

3 回答 3

0

@mahmoud-gamal 和 @colin-mackay 提出的要点 - 摆脱允许 SQL 注入的代码。 免责声明我没有对此进行测试并且是从内存中编写的,但它应该让您了解如何解决您的问题。

要回答您的问题,它看起来像这样。

逻辑 1) 从 User_Info 表中获取用户并在 Company_info 表上 LEFT JOIN 。结果: 如果没有返回行,则登录/注册无效。如果“任何”行,则检查 Company_info 中是否存在关联记录(空值)。如果不是“NullOrEmpty”,则登录/注册有效。ELSE 供应商已注册。

    using(SqlConnection SqlCon = new SqlConnection(GetConnectionString()) {
        var sqlString = "SELECT u.UserID, c.CompanyID FROM User_Info u LEFT JOIN Company_Info c ON c.VendorID = u.VendorID WHERE u.Vendor_ID = @p_VendorID AND c.Approval_Status='NO'";

        var da1 = new SqlDataAdapter(sqlString, SqlCon);  
        da1.SelectCommand.Parameters.Add("@p_VendorID", SqlDbType.VarChar, 256);
        da1.SelectCommand.Parameters["@p_VendorID"].Value = txtHomeUsername.Text.Trim();

        var dt1 = new DataTable(); 
        da1.Fill(dt1); 
        if(da1.Rows.Any()){     
            string userId = string.Empty;
            string companyId = string.Empty;
            foreach(DataRow row in dt1.Rows){ 
                 userId = row["name"].ToString();
                 companyId = row["description"].ToString();
             }
             if(!string.IsNullOrEmpty(companyId)) {
                string url = "ApprovalStatus.aspx";     
                ClientScript.RegisterStartupScript(this.GetType(), "callfunction", "alert('Your Vendor ID is already registered');window.location.href = '" + url + "';", true);  
             } else {
                Response.Redirect("RegPage1.aspx?Parameter=" + Server.UrlEncode (txtHomeUsername.Text));  
             }          
        } else {
            ScriptManager.RegisterStartupScript(this, this.GetType(), "Alert", "alert('Enter valid VendorID or Password');", true);                 
        }

    }
于 2012-07-11T12:20:48.773 回答
0

首先,您应该保护您的代码免受 SQL 注入

如果你想:

合并两个 SQL 查询,检查“User_Info”表中的 vendor_ID 可用性和“Company_Info”表中的 ApprovalStatus 检查

然后JOIN是两张表:

SELECT * 
FROM User_Info ui
INNER JOIN Company_Info ci On ui.VendorID = ci.VendorID
WHERE ci.Approval_Status='NO'
AND ui.Vendor_ID = @vendor_IdParam
于 2012-07-11T11:54:47.963 回答
0

您可以尝试使用以下 JOIN 查询:

SELECT a.*,b.* FROM user_info a JOIN company_info b on a.vendor_id=b.vendor_id WHERE a.vendor_id='txt_username' AND b.approval_status='NO'
于 2012-07-11T11:57:56.290 回答