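<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>无标题页</title>
    <style type="text/css">
    <!--
    /* Login panel: the logo is the panel background, the form sits over it. */
    #loginbk
    {
        width: 640px;
        height: 300px;
        background-image: url(images/OA_logo.jpg);
        position: relative;
        top: 100px;
    }

    #login
    {
        margin-top: 205px;
        font-size: 12px;
        margin-left: 20px;
    }

    /* Underline-only text boxes so they blend into the logo image. */
    .boxInput
    {
        font-size: 12px;
        border-bottom: black 1px solid;
        border-top-style: none;
        border-right-style: none;
        border-left-style: none;
        background-color: transparent;
    }

    #copyright
    {
        font-size: 12px;
        color: black;
    }

    #alignbk
    {
        vertical-align: middle;
        text-align: center;
    }

    #Validators
    {
        font-size: 12px;
        vertical-align: middle;
        text-align: center;
    }
    -->
    </style>
</head>
<body>
    <form id="form1" runat="server">
        <%-- Client/server validation messages and the server-side status label. --%>
        <div id="Validators">
            <%-- Both boxes are required: an empty user name used to reach the
                 database and count as a failed attempt in the code-behind. --%>
            <asp:RequiredFieldValidator ID="RequiredFieldValidator2" runat="server" ErrorMessage="帐号不能为空!" ControlToValidate="boxUserName" Display="Dynamic"></asp:RequiredFieldValidator>
            <asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" ErrorMessage="密码不能为空!" ControlToValidate="boxPassword" Display="Dynamic"></asp:RequiredFieldValidator>
            <asp:Label ID="Alert" runat="server" Text="警告:" Visible="False"></asp:Label>
        </div>

        <div id="alignbk">
            &nbsp;<div id="loginbk">
                <div id="login">
                    <table style="width: 550px">
                        <tr>
                            <td style="width: 16px">
                                <img src="images/AdminUser.gif" alt="" /></td>
                            <td style="width: 205px">
                                帐号:
                                <asp:TextBox ID="boxUserName" runat="server" CssClass="boxInput"></asp:TextBox></td>
                            <td style="width: 12px">
                                <img src="images/AdminPWD.gif" alt="" /></td>
                            <td style="width: 208px">
                                密码:
                                <asp:TextBox ID="boxPassword" runat="server" CssClass="boxInput" TextMode="Password"></asp:TextBox></td>
                            <td style="width: 100px">
                                <asp:ImageButton ID="btnLogin" runat="server" ImageUrl="~/images/AdminLogin.gif" OnClick="btnLogin_Click" /></td>
                        </tr>
                    </table>
                </div>
                <div id="copyright">
                    主办:
                    &nbsp;&nbsp;&nbsp;&nbsp; Copyright &copy; 2006 <a href="http://single.dlut.edu.cn">
                        Single
                    </a> All Rights
                    Reserved.
                </div>
            </div>
        </div>
    </form>
</body>
</html>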
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Collections;

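/// <summary>
/// Code-behind for the administrator login page: validates the submitted
/// account against OA_Admin, keeps a per-session failed-attempt counter and
/// records rejected input in OA_BadIP.
/// </summary>
public partial class _Default : System.Web.UI.Page
{
    /// <summary>
    /// Connection string read from the &lt;appSettings&gt; key "strConnection".
    /// ConfigurationSettings is obsolete but kept so that the site's assembly
    /// references do not have to change.
    /// </summary>
    protected string strConn = ConfigurationSettings.AppSettings["strConnection"];

    /// <summary>
    /// Maximum number of failed logins allowed before the button is disabled
    /// (初始化允许登陆出错的最大次数). The counter lives in Session state only,
    /// so the lockout lasts as long as the session (the "20 分钟" in the message
    /// assumes the default session timeout) and a client that discards its
    /// session cookie starts from zero; a server-side store keyed on the
    /// account or address would be needed for a lockout that survives that.
    /// </summary>
    protected int numErr = 5;

    // Session key holding the failed-attempt counter.
    private const string SessionErrorKey = "numErr";

    /// <summary>Page initialisation: seeds the counter and disables the button once it is exhausted.</summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        // 初始化帐号密码 — one-off seeding of the built-in admin account.
        // Must stay commented out in a deployed site (see InitializtionPWD).
        // InitializtionPWD();

        if (Session[SessionErrorKey] == null) // 初始化错误次数记录数。
        {
            Session[SessionErrorKey] = 0;
        }

        // Disabling the button is a UI hint only; btnLogin_Click re-checks the
        // counter because a crafted postback can still raise the click event.
        if (GetErrorCount() >= numErr)
        {
            btnLogin.Enabled = false;
        }
    }

    /// <summary>
    /// Login handler: rejects and logs input that fails <see cref="CheckParams"/>,
    /// otherwise looks the account up with a parameterised query and compares
    /// the stored hash. Failed attempts increment the session counter.
    /// </summary>
    protected void btnLogin_Click(object sender, ImageClickEventArgs e)
    {
        if (GetErrorCount() >= numErr)
        {
            Alert.Visible = true;
            Alert.Text = "错误记录达到最高上限,您在20分钟内无法登陆!";
            return;
        }

        string adminName = boxUserName.Text;

        // 替换特殊字符',增添记录
        // Input containing blacklisted characters is logged and the request is
        // finished here. This is a detection signal only: the queries below are
        // parameterised, so the filter is not what keeps adminName out of the
        // SQL text. (The original fell through to the login query after GoError.)
        if (!CheckParams(adminName))
        {
            RecordBadRequest(adminName);
            GoError("请不要尝试破坏此系统!\n你的计算机" + Request.UserHostAddress + "已经被记录!");
            return;
        }

        // 建立数据库联接,验证用户!
        // OA_Admin stores an unsalted SHA1 hex digest (see InitializtionPWD), so
        // the same digest is computed here; moving to a salted, iterated hash
        // requires a schema/data migration and is out of scope for this handler.
        string password = FormsAuthentication.HashPasswordForStoringInConfigFile(boxPassword.Text, "SHA1");

        using (SqlConnection myConn = new SqlConnection(strConn))
        using (SqlCommand myCommand = myConn.CreateCommand())
        {
            myCommand.CommandText = "Select AdminPWD,AdminGroup,ColleageID From OA_Admin Where AdminName=@AdminName";
            myCommand.Parameters.AddWithValue("@AdminName", adminName);
            myConn.Open();

            using (SqlDataReader myReader = myCommand.ExecuteReader())
            {
                // NOTE(review): the two distinct messages below tell a caller
                // whether an account name exists; a single generic message
                // would avoid that, but the wording is kept as the author wrote it.
                if (!myReader.Read())
                {
                    int count = IncrementErrorCount();
                    Alert.Visible = true;
                    // Remaining attempts are numErr - count (the original added 1
                    // and so over-reported by one).
                    Alert.Text = "用户名不存在!你还有" + (numErr - count) + "次重试机会!";
                    return;
                }

                if (password != myReader["AdminPWD"].ToString())
                {
                    int count = IncrementErrorCount();
                    Alert.Visible = true;
                    Alert.Text = "密码错误!你还有" + (numErr - count) + "次重试机会!";
                    return;
                }

                Session["AdminName"] = boxUserName.Text;
                Session["AdminGroup"] = myReader["AdminGroup"].ToString();
                Session["ColleageID"] = myReader["ColleageID"].ToString();
            }
        }

        // Redirect only after the reader and connection are disposed:
        // Response.Redirect ends the request with a ThreadAbortException.
        Response.Redirect("mail.aspx");
    }

    /// <summary>Returns the session's failed-login counter; a missing value counts as 0.</summary>
    private int GetErrorCount()
    {
        // Convert.ToInt32(null) is 0, so this also covers a session where
        // Page_Load has not stored the key yet.
        return Convert.ToInt32(Session[SessionErrorKey]);
    }

    /// <summary>Adds one failed attempt to the session counter and returns the new value.</summary>
    private int IncrementErrorCount()
    {
        int count = GetErrorCount() + 1;
        Session[SessionErrorKey] = count;
        return count;
    }

    /// <summary>
    /// Records a rejected login attempt in OA_BadIP: the client address, the
    /// offending user name and the current time. Values are passed as
    /// parameters, so the stored name is the raw input rather than the
    /// quote-doubled copy the original wrote.
    /// </summary>
    private void RecordBadRequest(string adminName)
    {
        using (SqlConnection myConn2 = new SqlConnection(strConn))
        using (SqlCommand myCommand2 = myConn2.CreateCommand())
        {
            myCommand2.CommandText = "Insert INTO OA_BadIP(BadIP,BadString,CreatedTime) values(@BadIP,@BadString,@CreatedTime)";
            myCommand2.Parameters.AddWithValue("@BadIP", Request.UserHostAddress);
            myCommand2.Parameters.AddWithValue("@BadString", "危险用户名[" + adminName + "]尝试登陆!");
            myCommand2.Parameters.AddWithValue("@CreatedTime", DateTime.Now);
            myConn2.Open();
            myCommand2.ExecuteNonQuery();
        }
    }

    //=====================================
    //下面的这段程序是初始化总管理员密码。
    //======================================
    /// <summary>
    /// Seeds the built-in administrator (帐号:admin / 密码:admin) with an
    /// unsalted SHA1 digest. This is a one-off bootstrap helper that must not be
    /// reachable in a deployed site, and the default password should be changed
    /// on first login.
    /// </summary>
    private void InitializtionPWD()
    {
        string hashed = FormsAuthentication.HashPasswordForStoringInConfigFile("admin", "SHA1");

        using (SqlConnection myConn = new SqlConnection(strConn))
        using (SqlCommand insert = myConn.CreateCommand())
        {
            insert.CommandText = "INSERT INTO OA_Admin(AdminName,AdminPWD,CreatedTime) Values(@AdminName,@AdminPWD,@CreatedTime)";
            insert.Parameters.AddWithValue("@AdminName", "admin");
            insert.Parameters.AddWithValue("@AdminPWD", hashed);
            insert.Parameters.AddWithValue("@CreatedTime", DateTime.Now);
            myConn.Open();
            insert.ExecuteNonQuery();
        }
    }

    //==============
    // 错误提示!
    //==============
    /// <summary>
    /// Emits a script that shows <paramref name="strError"/> in an alert and
    /// navigates back. The text is escaped for a single-quoted JavaScript
    /// literal so that a quote, backslash or "&lt;/script&gt;" in the message
    /// cannot break out of the string; a newline in the message becomes a
    /// JavaScript "\n" (the original passed a literal backslash-n instead).
    /// </summary>
    private void GoError(string strError)
    {
        string message = JsStringEncode(strError + "\n\n系统将自动返回前一页面");
        Response.Write("<script language=javascript>alert('" + message + "');history.back();</script>");
    }

    /// <summary>
    /// Escapes a string for use inside a single-quoted JavaScript string literal
    /// that is written into an HTML script block. Null yields an empty string.
    /// </summary>
    private static string JsStringEncode(string value)
    {
        if (value == null)
        {
            return string.Empty;
        }

        // Backslash first, so the escapes added below are not doubled.
        return value
            .Replace("\\", "\\\\")
            .Replace("'", "\\'")
            .Replace("\"", "\\\"")
            .Replace("\r", "\\r")
            .Replace("\n", "\\n")
            .Replace("<", "\\u003c") // keeps "</script>" from closing the block
            .Replace(">", "\\u003e")
            .Replace("&", "\\u0026");
    }

    //===============================
    //过滤指定的字符,防止Sql注入。
    //=================================
    /// <summary>
    /// Returns false when any string argument, or any string element of an
    /// <see cref="ICollection"/> argument, contains one of the blacklisted
    /// tokens ("=" or "'"). Intended as a detection signal for logging; the
    /// data-access code relies on parameters, not on this filter.
    /// </summary>
    /// <param name="args">Values to inspect; non-string, non-collection values are ignored.</param>
    /// <returns>true when no blacklisted token is found.</returns>
    bool CheckParams(params object[] args)
    {
        string[] Lawlesses = { "=", "'" };
        if (Lawlesses.Length == 0)
        {
            return true;
        }

        // 构造正则表达式: build an alternation of the escaped tokens so that
        // multi-character tokens and regex metacharacters in the list are
        // matched literally. (The original concatenated the raw tokens inside
        // "[...]" with "|" separators, which also flagged "|" itself.)
        string[] escaped = new string[Lawlesses.Length];
        for (int i = 0; i < Lawlesses.Length; i++)
        {
            escaped[i] = Regex.Escape(Lawlesses[i]);
        }
        Regex lawless = new Regex("(?:" + string.Join("|", escaped) + ")");

        if (args == null)
        {
            return true;
        }

        foreach (object arg in args)
        {
            string text = arg as string;
            if (text != null) // 如果是字符串,直接检查
            {
                if (lawless.IsMatch(text))
                {
                    return false;
                }
                continue;
            }

            ICollection items = arg as ICollection;
            if (items != null) // 如果是一个集合,则检查集合内元素是否字符串,是字符串,就进行检查
            {
                foreach (object obj in items)
                {
                    string item = obj as string;
                    if (item != null && lawless.IsMatch(item))
                    {
                        return false;
                    }
                }
            }
        }

        return true;
    }
}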