
I am developing a web application in ASP.NET (C#) and need to give a user who logs in some rights (reading, writing, editing). Each right has a letter assigned to it (reading - "A", writing - "B", editing - "C"). In an SQL table these rights are written as a string. A person who can only read has the string "A", while a person with all rights has the string "ABC".

In a LogIn form (if login is successful) I read these rights from the table and write them into a string (string myRights). Now on my master page I need to read from this string and make some panels visible and others invisible, according to the rights the user has. How can I call that string from another class?

Here is some code I am using:

using System;
using System.Configuration;
using System.Data.SqlClient;

public partial class LogIn : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e) 
    {
    }

    protected void btnLog_Click(object sender, EventArgs e)
    {
        string myRights = null;

        SqlConnection myConnection = new SqlConnection(ConfigurationManager.ConnectionStrings["dbConn"].ConnectionString);
        myConnection.Open();
        try
        {
            //Password is encrypted, so here is some more code that is not relevant for my problem
            SqlDataReader myReader = null;
            // The text box values are concatenated straight into the SQL string
            // (this is the SQL injection issue raised in the comments below).
            SqlCommand myCommand = new SqlCommand("SELECT * FROM myTable WHERE username='" + textboxUsr.Text + "' AND password='" + textboxPwd.Text + "'", myConnection);

            myReader = myCommand.ExecuteReader();
            if (myReader.Read())
            {
                //There is some more code here that is not relevant to this problem
                myRights = myReader["rights"].ToString();
            }
            myReader.Close();
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.ToString());
        }
        myConnection.Close();            
    }
}

And here is where I need to use string myRights:

using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class MasterPage : System.Web.UI.MasterPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        //Here is some more code, that redirects users back to Login screen if they are not logged in...

        PanelMenuRead.Visible = false;
        PanelMenuWrite.Visible = false;
        PanelMenuEdit.Visible = false;

        //HERE IS THE PART I DO NOT KNOW HOW. I need to call string myRights from LogIn class
        string myRights = ""; // placeholder: must hold the value read in LogIn.btnLog_Click
        if (myRights.IndexOf("A") != -1)
        {
            PanelMenuRead.Visible = true;
        }

        if (myRights.IndexOf("B") != -1)
        {
            PanelMenuWrite.Visible = true;
        }

        if (myRights.IndexOf("C") != -1)
        {
            PanelMenuEdit.Visible = true;
        }
    }
}
user1080533
    The code as it stands should never make it to a live site because it suffers from major security vulnerabilities. Please do some research on 'sql injection'. – jeroenh Dec 04 '11 at 21:57
  • Thank you for mentioning it. The code I provided is just a snippet, there is more, but I didn't think it was relevant here. :) I do not store passwords "as they are" in my database. They are encrypted, so in the login form there is more code that encrypts/decrypts and after that checks if the password matches. I am also implementing logging of all login attempts including IP. But I will look at what kind of security I could still add. – user1080533 Dec 05 '11 at 10:56
  • you should never concatenate strings with user input to send to your DB server. Use SqlParameter instead. – jeroenh Dec 05 '11 at 11:04
  • Will do. It is my first bigger project using SQL, so any such info is appreciated. :) – user1080533 Dec 05 '11 at 11:37

1 Answer

You can use a session to pass data between pages. Here is a quick tutorial.

jeroenh is right. You should definitely have a look at SQL injections, as your Web site is currently vulnerable. The OWASP Web site is a good start. You can find some information on how to resolve the issue here and here.

Flanfl
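The two points raised on this page (keep the rights string in the session so the master page can read it, and stop concatenating text box values into the SQL) put together in one added example. This is not the asker's or the answerer's code; it is a rewrite of the two code-behind files assuming the same control names (textboxUsr, textboxPwd, PanelMenuRead/Write/Edit), the same connection string name "dbConn", a session key "myRights", an error label lblError and a landing page Default.aspx, all of which are assumptions. Whatever transformation the asker applies to the password before comparing it belongs before the lookup call; it does not change the parameterization.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// LogIn.aspx.cs: look the user up with a parameterized query and keep the
// rights string server-side in the session for the rest of the visit.
public partial class LogIn : Page
{
    protected void btnLog_Click(object sender, EventArgs e)
    {
        // Assumption: the asker's own password encryption step runs before this
        // call and yields the value that is stored in the "password" column.
        string rights = LookupRights(textboxUsr.Text, textboxPwd.Text);
        if (rights == null)
        {
            lblError.Text = "Invalid user name or password.";   // lblError is assumed
            return;
        }
        Session["myRights"] = rights;                 // session key is an assumption
        Response.Redirect("~/Default.aspx", false);   // landing page is an assumption
    }

    // Returns the rights string of the matching user, or null if no row matches.
    // The input never becomes part of the SQL text: each value travels as a typed
    // parameter, so a user name such as  ' OR '1'='1  is compared as a literal
    // instead of rewriting the WHERE clause.
    private static string LookupRights(string username, string password)
    {
        const string sql =
            "SELECT rights FROM myTable WHERE username = @username AND password = @password";
        string connectionString = ConfigurationManager.ConnectionStrings["dbConn"].ConnectionString;

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Column lengths are assumptions; match them to the table definition.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            conn.Open();
            object result = cmd.ExecuteScalar();      // first column of the first row, or null
            return result == null || result == DBNull.Value ? null : (string)result;
        }
    }
}

// MasterPage.master.cs: read the rights back from the session. The rights are the
// letters A (read), B (write) and C (edit) in one string, exactly as on the page.
public partial class MasterPage : System.Web.UI.MasterPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string myRights = Session["myRights"] as string;
        if (myRights == null)
        {
            // No login in this session, or the session expired: back to the login page.
            // Assumes LogIn.aspx does not itself use this master page (no redirect loop).
            Response.Redirect("~/LogIn.aspx", false);
            return;
        }

        PanelMenuRead.Visible  = myRights.Contains("A");
        PanelMenuWrite.Visible = myRights.Contains("B");
        PanelMenuEdit.Visible  = myRights.Contains("C");
    }
}
```

Session state lives on the server, so unlike a cookie or a hidden field the rights string cannot be edited by the user. Hiding a panel only removes the menu entry, though: a user who knows the URL of the write or edit page can still request it directly, so every page or handler behind those panels has to repeat the Session["myRights"] check itself.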