I am a bit stuck in my project. I have a login page with 2 text boxes where you enter Username and Password. What I'm having trouble with is that I need to determine if the user that logs in is a basic user or an administrator. If it's a basic user then go to menu 1 (for basic user) and if it's an admin then go to menu 2 (for admin). In my database I have the column 'Permission' where the user is either a Basic user or an admin. So basically, how do I check to see whether the user that's attempting to sign in is an "Admin" or "BasicUser" under the Permission column? Any help would be greatly, greatly appreciated!
0
-
If the user authenticates successfully just select the permission from the database to see... – Lotok Apr 04 '14 at 16:02
-
What's your rationale for avoiding membership? If you're starting from scratch, why not use ASP.NET Identity? Rolling your own authentication is an inherently dangerous activity. – spender Apr 04 '14 at 16:08
-
Select the permission from the database to see....? Ahh, what? If the user authenticates successfully then I want to check to see if that user has a permission of "BasicUser" or "Admin" in that column. If it is Admin then go to Admin Menu page, if it is BasicUser then go to BasicUser Menu page. – user3474069 Apr 04 '14 at 16:13
-
@user3474069 Well, if you're _avoiding Membership_, then whatever scheme you are using for auth should obtain that "role" from the "permission column" and, as you stated, control the process from that point on - (i.e. persisted some way so the "role" is preserved for each/every request for a resource). – EdSF Apr 04 '14 at 16:55
-
possible duplicate of [How can I check if a user is in any one of a few different roles with MVC4 Simple membership?](http://stackoverflow.com/questions/14477757/how-can-i-check-if-a-user-is-in-any-one-of-a-few-different-roles-with-mvc4-simpl) – jww Apr 04 '14 at 17:14
2 Answers
0
For authentication: check for the user name and password in the database. If the user exists (authenticated), then return the permission column value from the database. You will do this using a stored procedure.
Based on this value, assuming the permission column has 1 - Admin and 0 - Basic:
```csharp
// PermissionValue holds the permission column value returned for the authenticated user
if (PermissionValue == 1)
{
    // go to Admin menu
}
else
{
    // go to Basic menu
}
```

Vahi
-1
Maybe something like this?
```csharp
using System;
using System.Data.SqlClient;

// Note: this snippet only reads the permission column; it does not verify the password.
string connStr = "your connection string";
// Assume that the permission column has true for Admin and false for Basic user
bool permission = false;

// create a SqlConnection; the using blocks close it even if an exception is thrown
using (SqlConnection conn = new SqlConnection(connStr))
{
    conn.Open();
    //                            your username column ↓
    string sql = "select * from users where username=@username";
    using (SqlCommand cmd = new SqlCommand(sql, conn))
    {
        // create a new SqlParameter and attach it to the command
        //                                    your username textbox ↓
        SqlParameter myparm = new SqlParameter("@username", usernameTextBox.Text);
        cmd.Parameters.Add(myparm);

        // create a database reader
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                // reads permission column
                permission = Convert.ToBoolean(reader["permission"]);
            }
        }
    }
}

if (permission == true)
{
    // go to admin menu
}
else
{
    // go to basic users menu
}
```

JoJo
-
This almost works, I did some tweaking and I finally got it. Thanks so much for your help! :D – user3474069 Apr 04 '14 at 18:26
-
@user3474069 - and if you're using similar code, your site is now susceptible to SQL injection attacks – Erik Funkenbusch Apr 07 '14 at 15:57
-
No no no no no. Erik is right. This code is pure evil. If I find your site, I could probably delete your database. **DO NOT CONCATENATE USER SUPPLIED STRINGS INTO SQL STATEMENTS**. You'd be very foolish to use such code. Learn about SQL injection. Pay attention to my previous comment to the original question. Rolling your own authentication is an inherently dangerous activity. – spender Apr 09 '14 at 00:28
-
I found this question: [How to prevent a SQL Injection escaping strings](http://stackoverflow.com/questions/6547986/how-to-prevent-a-sql-injection-escaping-strings). Is this how to fix it? – JoJo Apr 09 '14 at 06:34
-
OK, I will edit it ;) Thanks for your warning. I did not know about SQL injection attacks. – JoJo Apr 09 '14 at 12:00
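
The permission lookup discussed in this thread, as an added example that is not code from either answer: the username is bound as a parameter, and a missing row, a NULL or an unrecognised value is denied rather than falling through to the basic menu. It assumes the `users` table and `username` / `Permission` columns named in the thread, the values "Admin" and "BasicUser" from the question, and that the password check has already succeeded; `Menu`, `PermissionLookup`, `MenuFor`, `Lookup` and the `NVarChar(256)` size are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public enum Menu { Denied, Basic, Admin }

public static class PermissionLookup   // hypothetical helper, not from the thread
{
    // Maps the raw Permission column value to a menu.
    // Only the two exact values from the question are accepted; everything else is denied.
    public static Menu MenuFor(object permissionValue)
    {
        // ExecuteScalar() returns null when no row matched and DBNull for a NULL column.
        if (permissionValue == null || permissionValue == DBNull.Value)
            return Menu.Denied;

        string p = permissionValue.ToString().Trim();   // char columns may be space-padded
        if (p.Equals("Admin", StringComparison.Ordinal)) return Menu.Admin;
        if (p.Equals("BasicUser", StringComparison.Ordinal)) return Menu.Basic;
        return Menu.Denied;
    }

    // Call only after the password has been verified for this username.
    public static Menu Lookup(string connStr, string username)
    {
        // The statement text is constant; the username travels separately as data.
        const string sql = "SELECT Permission FROM users WHERE username = @username";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameter; the 256 length is an assumed column size.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
            conn.Open();
            return MenuFor(cmd.ExecuteScalar());
        }
    }

    public static void Main()
    {
        // Constructed values standing in for ExecuteScalar() results (no database needed).
        object[] samples = { "Admin", "BasicUser", null, DBNull.Value, "admin", "Admin " };
        foreach (object v in samples)
            Console.WriteLine("[{0}] -> {1}", v ?? "(no row)", MenuFor(v));
    }
}
```

The returned `Menu` value still has to be stored server-side (for example in the authenticated session) and re-checked on every admin page request, as EdSF's comment points out; redirecting to the right menu once is not an access check.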