前台代码:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<%-- Administrator login page. The form posts to btnLogin_Click in Default.aspx.cs, which
     screens the user name, hashes the password and checks it against OA_Admin, counts
     failed attempts per session and disables btnLogin once the limit is reached. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>无标题页</title>
    <style type="text/css">
    <!--
    #loginbk
    {
        width: 640px;
        height: 300px;
        background-image: url(images/OA_logo.jpg);
        position: relative;
        top: 100px;
    }
    #login
    {
        margin-top: 205px;
        font-size: 12px;
        margin-left: 20px;
    }
    .boxInput
    {
        font-size: 12px;
        border-bottom: black 1px solid;
        border-top-style: none;
        border-right-style: none;
        border-left-style: none;
        background-color: transparent;
    }
    #copyright
    {
        font-size: 12px;
        color: black;
    }
    #alignbk
    {
        vertical-align: middle;
        text-align: center;
    }
    #Validators
    {
        font-size: 12px;
        vertical-align: middle;
        text-align: center;
    }
    -->
    </style>
</head>
<body>
    <form id="form1" runat="server">
        <%-- Only the password has a validator; the user name is screened on the server by
             CheckParams in the code-behind. Alert stays hidden until the code-behind sets
             its text after a failed login or when the attempt limit is reached. --%>
        <div id="Validators">
            <asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" ErrorMessage="密码不能为空!" ControlToValidate="boxPassword"></asp:RequiredFieldValidator>
            <asp:Label ID="Alert" runat="server" Text="警告:" Visible="False"></asp:Label>
        </div>
        <div id="alignbk">
            &nbsp;<div id="loginbk">
                <div id="login">
                    <table style="width: 550px">
                        <tr>
                            <td style="width: 16px">
                                <img src="images/AdminUser.gif" /></td>
                            <td style="width: 205px">
                                帐号: <asp:TextBox ID="boxUserName" runat="server" CssClass="boxInput"></asp:TextBox></td>
                            <td style="width: 12px">
                                <img src="images/AdminPWD.gif" /></td>
                            <td style="width: 208px">
                                <%-- TextMode="Password" masks the field; the submitted value is hashed in the
                                     code-behind before it is compared with the stored hash. --%>
                                密码: <asp:TextBox ID="boxPassword" runat="server" CssClass="boxInput" TextMode="Password"></asp:TextBox></td>
                            <td style="width: 100px">
                                <asp:ImageButton ID="btnLogin" runat="server" ImageUrl="~/images/AdminLogin.gif" OnClick="btnLogin_Click" /></td>
                        </tr>
                    </table>
                </div>
                <div id="copyright">
                    主办: &nbsp;&nbsp;&nbsp;&nbsp;Copyright &copy; 2006 <a href="http://single.dlut.edu.cn">
                        Single</a> All Rights
                    Reserved.</div>
            </div>
        </div>
    </form>
</body>
</html>
<%-- Administrator login page. The form posts to btnLogin_Click in Default.aspx.cs, which
     screens the user name, hashes the password and checks it against OA_Admin, counts
     failed attempts per session and disables btnLogin once the limit is reached. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>无标题页</title>
    <style type="text/css">
    <!--
    #loginbk
    {
        width: 640px;
        height: 300px;
        background-image: url(images/OA_logo.jpg);
        position: relative;
        top: 100px;
    }
    #login
    {
        margin-top: 205px;
        font-size: 12px;
        margin-left: 20px;
    }
    .boxInput
    {
        font-size: 12px;
        border-bottom: black 1px solid;
        border-top-style: none;
        border-right-style: none;
        border-left-style: none;
        background-color: transparent;
    }
    #copyright
    {
        font-size: 12px;
        color: black;
    }
    #alignbk
    {
        vertical-align: middle;
        text-align: center;
    }
    #Validators
    {
        font-size: 12px;
        vertical-align: middle;
        text-align: center;
    }
    -->
    </style>
</head>
<body>
    <form id="form1" runat="server">
        <%-- Only the password has a validator; the user name is screened on the server by
             CheckParams in the code-behind. Alert stays hidden until the code-behind sets
             its text after a failed login or when the attempt limit is reached. --%>
        <div id="Validators">
            <asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" ErrorMessage="密码不能为空!" ControlToValidate="boxPassword"></asp:RequiredFieldValidator>
            <asp:Label ID="Alert" runat="server" Text="警告:" Visible="False"></asp:Label>
        </div>
        <div id="alignbk">
            &nbsp;<div id="loginbk">
                <div id="login">
                    <table style="width: 550px">
                        <tr>
                            <td style="width: 16px">
                                <img src="images/AdminUser.gif" /></td>
                            <td style="width: 205px">
                                帐号: <asp:TextBox ID="boxUserName" runat="server" CssClass="boxInput"></asp:TextBox></td>
                            <td style="width: 12px">
                                <img src="images/AdminPWD.gif" /></td>
                            <td style="width: 208px">
                                <%-- TextMode="Password" masks the field; the submitted value is hashed in the
                                     code-behind before it is compared with the stored hash. --%>
                                密码: <asp:TextBox ID="boxPassword" runat="server" CssClass="boxInput" TextMode="Password"></asp:TextBox></td>
                            <td style="width: 100px">
                                <asp:ImageButton ID="btnLogin" runat="server" ImageUrl="~/images/AdminLogin.gif" OnClick="btnLogin_Click" /></td>
                        </tr>
                    </table>
                </div>
                <div id="copyright">
                    主办: &nbsp;&nbsp;&nbsp;&nbsp;Copyright &copy; 2006 <a href="http://single.dlut.edu.cn">
                        Single</a> All Rights
                    Reserved.</div>
            </div>
        </div>
    </form>
</body>
</html>
CS代码:
using
System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Collections;
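/// <summary>
/// Code-behind for the administrator login page (Default.aspx).
/// On postback, <see cref="btnLogin_Click"/> screens the submitted user name, looks the
/// account up in OA_Admin with a parameterized query, compares the SHA-1 hash of the
/// submitted password with the stored one and, on success, stores the admin identity in
/// Session and redirects to mail.aspx. Failed attempts are counted in Session["numErr"];
/// once the count reaches <see cref="numErr"/> the login button is disabled for that session.
/// </summary>
public partial class _Default : System.Web.UI.Page
{
    // Session key of the failed-login counter. The counter lives only in Session: a new
    // session starts from 0, and nothing in this class enforces the "20 minutes" that the
    // lockout message promises.
    private const string ErrCountKey = "numErr";

    // Characters a user name is not allowed to contain. This is only a coarse screen that
    // triggers a record in OA_BadIP; SQL injection is prevented by the parameterized
    // commands below, never by this list.
    private static readonly string[] Lawlesses = { "=", "'" };

    // Alternation of the escaped Lawlesses entries ("=|'"), or null when the list is empty.
    // Declared after Lawlesses because static initializers run in textual order.
    private static readonly Regex LawlessPattern = BuildLawlessPattern(Lawlesses);

    // Connection string from <appSettings key="strConnection">. ConfigurationSettings is
    // obsolete; ConfigurationManager.AppSettings is the drop-in replacement once
    // System.Configuration.dll is referenced by the project.
    protected string strConn = ConfigurationSettings.AppSettings["strConnection"];

    // Maximum number of failed logins allowed per session before btnLogin is disabled.
    protected int numErr = 5;

    /// <summary>
    /// Seeds the failed-login counter for a new session and disables the login button
    /// when this session has already reached the limit.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        // One-off seeding of the default administrator; read InitializtionPWD() before
        // ever re-enabling this line.
        // InitializtionPWD();

        if (Session[ErrCountKey] == null)
        {
            Session[ErrCountKey] = 0;
        }
        if (GetErrCount() >= numErr)
        {
            btnLogin.Enabled = false;
        }
    }

    /// <summary>
    /// Login button handler: refuses the attempt when the session is locked out, logs and
    /// aborts on a user name rejected by <see cref="CheckParams"/>, otherwise verifies the
    /// password hash against OA_Admin and either signs the admin in or counts the failure.
    /// </summary>
    protected void btnLogin_Click(object sender, ImageClickEventArgs e)
    {
        // Same limit as Page_Load; the original compared against a hard-coded 5 here.
        if (GetErrCount() >= numErr)
        {
            ShowAlert("错误记录达到最高上限,您在20分钟内无法登陆!");
            return;
        }

        string adminName = boxUserName.Text;
        if (!CheckParams(adminName))
        {
            RecordBadAttempt(adminName);
            GoError("请不要尝试破坏此系统!/n你的计算机" + Request.UserHostAddress + "已经被记录!");
            // The script emitted by GoError sends the browser back; do not go on to
            // authenticate a name that was just rejected (the original fell through).
            return;
        }

        // Unsalted SHA-1 is the format OA_Admin.AdminPWD holds (see InitializtionPWD), so
        // the same legacy hash must be computed here; changing it means migrating the table.
        string password = FormsAuthentication.HashPasswordForStoringInConfigFile(boxPassword.Text, "SHA1");

        string storedHash;
        string adminGroup;
        string colleageId;
        bool found = TryLoadAdmin(adminName, out storedHash, out adminGroup, out colleageId);

        if (found && password == storedHash)
        {
            // Note: the session identifier is not regenerated at this privilege change.
            Session["AdminName"] = boxUserName.Text;
            Session["AdminGroup"] = adminGroup;
            Session["ColleageID"] = colleageId;
            Response.Redirect("mail.aspx");
            return;
        }

        int failures = GetErrCount() + 1;
        Session[ErrCountKey] = failures;
        // Attempts that will still be processed. The original added 1 here and so reported
        // one more retry than the limit actually grants. The two different messages let a
        // client tell an existing user name from an unknown one.
        int remaining = numErr - failures;
        ShowAlert((found ? "密码错误!你还有" : "用户名不存在!你还有") + remaining + "次重试机会!");
    }

    /// <summary>
    /// One-off seeding of the built-in administrator (user name "admin", password "admin")
    /// into OA_Admin. It is deliberately not called from anywhere: the default credentials
    /// are well known, so if it is ever run the password must be changed right afterwards
    /// and the call removed again. Unless the table constrains AdminName, running it twice
    /// inserts a second "admin" row.
    /// </summary>
    private void InitializtionPWD()
    {
        string hashed = FormsAuthentication.HashPasswordForStoringInConfigFile("admin", "SHA1");
        using (SqlConnection conn = new SqlConnection(strConn))
        using (SqlCommand insert = new SqlCommand(
            "INSERT INTO OA_Admin(AdminName,AdminPWD,CreatedTime) Values(@AdminName,@AdminPWD,@CreatedTime)", conn))
        {
            insert.Parameters.AddWithValue("@AdminName", "admin");
            insert.Parameters.AddWithValue("@AdminPWD", hashed);
            insert.Parameters.AddWithValue("@CreatedTime", DateTime.Now);
            conn.Open();
            insert.ExecuteNonQuery();
        }
    }

    /// <summary>
    /// Writes a client-side alert with <paramref name="strError"/> followed by a
    /// history.back(). The text is placed inside a single-quoted JavaScript literal, so the
    /// characters that would terminate the literal or the script block are escaped first.
    /// </summary>
    private void GoError(string strError)
    {
        string safe = (strError ?? string.Empty)
            .Replace("\\", "\\\\")
            .Replace("'", "\\'")
            .Replace("\r", "\\r")
            .Replace("\n", "\\n")
            .Replace("</", "<\\/");
        Response.Write("<script language=javascript>alert('" + safe + "/n/n系统将自动返回前一页面');history.back();</script>");
    }

    /// <summary>
    /// Returns false when any string argument, or any string inside an
    /// <see cref="ICollection"/> argument, contains one of the <see cref="Lawlesses"/>
    /// entries; true otherwise (including for no arguments or a null array).
    /// Non-string, non-collection arguments are ignored.
    /// </summary>
    bool CheckParams(params object[] args)
    {
        if (LawlessPattern == null || args == null)
        {
            return true;
        }
        foreach (object arg in args)
        {
            string text = arg as string;
            if (text != null)
            {
                if (LawlessPattern.IsMatch(text))
                {
                    return false;
                }
                continue;
            }
            ICollection items = arg as ICollection;
            if (items == null)
            {
                continue;
            }
            foreach (object item in items)
            {
                string inner = item as string;
                if (inner != null && LawlessPattern.IsMatch(inner))
                {
                    return false;
                }
            }
        }
        return true;
    }

    // Builds "a|b|c" from the escaped entries, so any entry (not only single characters)
    // is matched literally. The original put the '|' separators inside a character class,
    // where they are literals, and therefore also rejected '|' itself.
    private static Regex BuildLawlessPattern(string[] entries)
    {
        if (entries == null || entries.Length == 0)
        {
            return null;
        }
        string[] parts = new string[entries.Length];
        for (int i = 0; i < entries.Length; i++)
        {
            parts[i] = Regex.Escape(entries[i]);
        }
        return new Regex(string.Join("|", parts));
    }

    // Reads the per-session failed-login counter; absent or unparsable values count as 0.
    private int GetErrCount()
    {
        object raw = Session[ErrCountKey];
        if (raw is int)
        {
            return (int)raw;
        }
        int parsed;
        if (raw != null && int.TryParse(raw.ToString(), out parsed))
        {
            return parsed;
        }
        return 0;
    }

    // Shows the server-side Alert label with the given text.
    private void ShowAlert(string text)
    {
        Alert.Visible = true;
        Alert.Text = text;
    }

    // Looks up the OA_Admin row for adminName with a parameterized query (the name is never
    // concatenated into SQL). Returns false and null outputs when no row matches; a NULL
    // column comes back as "" because the reader values are converted with ToString().
    private bool TryLoadAdmin(string adminName, out string storedHash, out string adminGroup, out string colleageId)
    {
        storedHash = null;
        adminGroup = null;
        colleageId = null;
        using (SqlConnection conn = new SqlConnection(strConn))
        using (SqlCommand cmd = new SqlCommand(
            "Select AdminPWD,AdminGroup,ColleageID From OA_Admin Where AdminName=@AdminName", conn))
        {
            cmd.Parameters.AddWithValue("@AdminName", adminName);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                {
                    return false;
                }
                storedHash = reader["AdminPWD"].ToString();
                adminGroup = reader["AdminGroup"].ToString();
                colleageId = reader["ColleageID"].ToString();
                return true;
            }
        }
    }

    // Records a rejected user name together with the caller's address in OA_BadIP. The raw
    // name is stored; the quote doubling the original did was only SQL escaping, which the
    // parameters make unnecessary.
    private void RecordBadAttempt(string adminName)
    {
        using (SqlConnection conn = new SqlConnection(strConn))
        using (SqlCommand cmd = new SqlCommand(
            "Insert INTO OA_BadIP(BadIP,BadString,CreatedTime) values(@BadIP,@BadString,@CreatedTime)", conn))
        {
            cmd.Parameters.AddWithValue("@BadIP", Request.UserHostAddress);
            cmd.Parameters.AddWithValue("@BadString", "危险用户名[" + adminName + "]尝试登陆!");
            cmd.Parameters.AddWithValue("@CreatedTime", DateTime.Now);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}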
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Collections;
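/// <summary>
/// Code-behind for the administrator login page (Default.aspx).
/// On postback, <see cref="btnLogin_Click"/> screens the submitted user name, looks the
/// account up in OA_Admin with a parameterized query, compares the SHA-1 hash of the
/// submitted password with the stored one and, on success, stores the admin identity in
/// Session and redirects to mail.aspx. Failed attempts are counted in Session["numErr"];
/// once the count reaches <see cref="numErr"/> the login button is disabled for that session.
/// </summary>
public partial class _Default : System.Web.UI.Page
{
    // Session key of the failed-login counter. The counter lives only in Session: a new
    // session starts from 0, and nothing in this class enforces the "20 minutes" that the
    // lockout message promises.
    private const string ErrCountKey = "numErr";

    // Characters a user name is not allowed to contain. This is only a coarse screen that
    // triggers a record in OA_BadIP; SQL injection is prevented by the parameterized
    // commands below, never by this list.
    private static readonly string[] Lawlesses = { "=", "'" };

    // Alternation of the escaped Lawlesses entries ("=|'"), or null when the list is empty.
    // Declared after Lawlesses because static initializers run in textual order.
    private static readonly Regex LawlessPattern = BuildLawlessPattern(Lawlesses);

    // Connection string from <appSettings key="strConnection">. ConfigurationSettings is
    // obsolete; ConfigurationManager.AppSettings is the drop-in replacement once
    // System.Configuration.dll is referenced by the project.
    protected string strConn = ConfigurationSettings.AppSettings["strConnection"];

    // Maximum number of failed logins allowed per session before btnLogin is disabled.
    protected int numErr = 5;

    /// <summary>
    /// Seeds the failed-login counter for a new session and disables the login button
    /// when this session has already reached the limit.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        // One-off seeding of the default administrator; read InitializtionPWD() before
        // ever re-enabling this line.
        // InitializtionPWD();

        if (Session[ErrCountKey] == null)
        {
            Session[ErrCountKey] = 0;
        }
        if (GetErrCount() >= numErr)
        {
            btnLogin.Enabled = false;
        }
    }

    /// <summary>
    /// Login button handler: refuses the attempt when the session is locked out, logs and
    /// aborts on a user name rejected by <see cref="CheckParams"/>, otherwise verifies the
    /// password hash against OA_Admin and either signs the admin in or counts the failure.
    /// </summary>
    protected void btnLogin_Click(object sender, ImageClickEventArgs e)
    {
        // Same limit as Page_Load; the original compared against a hard-coded 5 here.
        if (GetErrCount() >= numErr)
        {
            ShowAlert("错误记录达到最高上限,您在20分钟内无法登陆!");
            return;
        }

        string adminName = boxUserName.Text;
        if (!CheckParams(adminName))
        {
            RecordBadAttempt(adminName);
            GoError("请不要尝试破坏此系统!/n你的计算机" + Request.UserHostAddress + "已经被记录!");
            // The script emitted by GoError sends the browser back; do not go on to
            // authenticate a name that was just rejected (the original fell through).
            return;
        }

        // Unsalted SHA-1 is the format OA_Admin.AdminPWD holds (see InitializtionPWD), so
        // the same legacy hash must be computed here; changing it means migrating the table.
        string password = FormsAuthentication.HashPasswordForStoringInConfigFile(boxPassword.Text, "SHA1");

        string storedHash;
        string adminGroup;
        string colleageId;
        bool found = TryLoadAdmin(adminName, out storedHash, out adminGroup, out colleageId);

        if (found && password == storedHash)
        {
            // Note: the session identifier is not regenerated at this privilege change.
            Session["AdminName"] = boxUserName.Text;
            Session["AdminGroup"] = adminGroup;
            Session["ColleageID"] = colleageId;
            Response.Redirect("mail.aspx");
            return;
        }

        int failures = GetErrCount() + 1;
        Session[ErrCountKey] = failures;
        // Attempts that will still be processed. The original added 1 here and so reported
        // one more retry than the limit actually grants. The two different messages let a
        // client tell an existing user name from an unknown one.
        int remaining = numErr - failures;
        ShowAlert((found ? "密码错误!你还有" : "用户名不存在!你还有") + remaining + "次重试机会!");
    }

    /// <summary>
    /// One-off seeding of the built-in administrator (user name "admin", password "admin")
    /// into OA_Admin. It is deliberately not called from anywhere: the default credentials
    /// are well known, so if it is ever run the password must be changed right afterwards
    /// and the call removed again. Unless the table constrains AdminName, running it twice
    /// inserts a second "admin" row.
    /// </summary>
    private void InitializtionPWD()
    {
        string hashed = FormsAuthentication.HashPasswordForStoringInConfigFile("admin", "SHA1");
        using (SqlConnection conn = new SqlConnection(strConn))
        using (SqlCommand insert = new SqlCommand(
            "INSERT INTO OA_Admin(AdminName,AdminPWD,CreatedTime) Values(@AdminName,@AdminPWD,@CreatedTime)", conn))
        {
            insert.Parameters.AddWithValue("@AdminName", "admin");
            insert.Parameters.AddWithValue("@AdminPWD", hashed);
            insert.Parameters.AddWithValue("@CreatedTime", DateTime.Now);
            conn.Open();
            insert.ExecuteNonQuery();
        }
    }

    /// <summary>
    /// Writes a client-side alert with <paramref name="strError"/> followed by a
    /// history.back(). The text is placed inside a single-quoted JavaScript literal, so the
    /// characters that would terminate the literal or the script block are escaped first.
    /// </summary>
    private void GoError(string strError)
    {
        string safe = (strError ?? string.Empty)
            .Replace("\\", "\\\\")
            .Replace("'", "\\'")
            .Replace("\r", "\\r")
            .Replace("\n", "\\n")
            .Replace("</", "<\\/");
        Response.Write("<script language=javascript>alert('" + safe + "/n/n系统将自动返回前一页面');history.back();</script>");
    }

    /// <summary>
    /// Returns false when any string argument, or any string inside an
    /// <see cref="ICollection"/> argument, contains one of the <see cref="Lawlesses"/>
    /// entries; true otherwise (including for no arguments or a null array).
    /// Non-string, non-collection arguments are ignored.
    /// </summary>
    bool CheckParams(params object[] args)
    {
        if (LawlessPattern == null || args == null)
        {
            return true;
        }
        foreach (object arg in args)
        {
            string text = arg as string;
            if (text != null)
            {
                if (LawlessPattern.IsMatch(text))
                {
                    return false;
                }
                continue;
            }
            ICollection items = arg as ICollection;
            if (items == null)
            {
                continue;
            }
            foreach (object item in items)
            {
                string inner = item as string;
                if (inner != null && LawlessPattern.IsMatch(inner))
                {
                    return false;
                }
            }
        }
        return true;
    }

    // Builds "a|b|c" from the escaped entries, so any entry (not only single characters)
    // is matched literally. The original put the '|' separators inside a character class,
    // where they are literals, and therefore also rejected '|' itself.
    private static Regex BuildLawlessPattern(string[] entries)
    {
        if (entries == null || entries.Length == 0)
        {
            return null;
        }
        string[] parts = new string[entries.Length];
        for (int i = 0; i < entries.Length; i++)
        {
            parts[i] = Regex.Escape(entries[i]);
        }
        return new Regex(string.Join("|", parts));
    }

    // Reads the per-session failed-login counter; absent or unparsable values count as 0.
    private int GetErrCount()
    {
        object raw = Session[ErrCountKey];
        if (raw is int)
        {
            return (int)raw;
        }
        int parsed;
        if (raw != null && int.TryParse(raw.ToString(), out parsed))
        {
            return parsed;
        }
        return 0;
    }

    // Shows the server-side Alert label with the given text.
    private void ShowAlert(string text)
    {
        Alert.Visible = true;
        Alert.Text = text;
    }

    // Looks up the OA_Admin row for adminName with a parameterized query (the name is never
    // concatenated into SQL). Returns false and null outputs when no row matches; a NULL
    // column comes back as "" because the reader values are converted with ToString().
    private bool TryLoadAdmin(string adminName, out string storedHash, out string adminGroup, out string colleageId)
    {
        storedHash = null;
        adminGroup = null;
        colleageId = null;
        using (SqlConnection conn = new SqlConnection(strConn))
        using (SqlCommand cmd = new SqlCommand(
            "Select AdminPWD,AdminGroup,ColleageID From OA_Admin Where AdminName=@AdminName", conn))
        {
            cmd.Parameters.AddWithValue("@AdminName", adminName);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                {
                    return false;
                }
                storedHash = reader["AdminPWD"].ToString();
                adminGroup = reader["AdminGroup"].ToString();
                colleageId = reader["ColleageID"].ToString();
                return true;
            }
        }
    }

    // Records a rejected user name together with the caller's address in OA_BadIP. The raw
    // name is stored; the quote doubling the original did was only SQL escaping, which the
    // parameters make unnecessary.
    private void RecordBadAttempt(string adminName)
    {
        using (SqlConnection conn = new SqlConnection(strConn))
        using (SqlCommand cmd = new SqlCommand(
            "Insert INTO OA_BadIP(BadIP,BadString,CreatedTime) values(@BadIP,@BadString,@CreatedTime)", conn))
        {
            cmd.Parameters.AddWithValue("@BadIP", Request.UserHostAddress);
            cmd.Parameters.AddWithValue("@BadString", "危险用户名[" + adminName + "]尝试登陆!");
            cmd.Parameters.AddWithValue("@CreatedTime", DateTime.Now);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}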