<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" ><head runat="server"> <title>无标题页</title> <style type="text/css"><!--#loginbk
{
640px; height: 300px; background-image: url(images/OA_logo.jpg); position: relative; top: 100px;
}#login{ margin-top: 205px; font-size: 12px; margin-left: 20px;}.boxInput{ font-size: 12px; border-bottom: black 1px solid; border-top-style: none; border-right-style: none; border-left-style: none; background-color: transparent;}#copyright{ font-size: 12px; color: black;}#alignbk{ vertical-align: middle; text-align: center;}#Validators{ font-size: 12px; vertical-align: middle; text-align: center;}--></style></head><body> <form id="form1" runat="server"> <div id="Validators"> <asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" ErrorMessage="密码不能为空!" ControlToValidate="boxPassword"></asp:RequiredFieldValidator> <asp:Label ID="Alert" runat="server" Text="警告:" Visible="False"></asp:Label> </div> <div id="alignbk"> <div id="loginbk"> <div id="login" > <table style=" 550px"> <tr> <td style=" 16px"> <img src="images/AdminUser.gif" /></td> <td style=" 205px"> 帐号:<asp:TextBox ID="boxUserName" runat="server" CssClass="boxInput"></asp:TextBox></td> <td style=" 12px"> <img src="images/AdminPWD.gif" /></td> <td style=" 208px"> 密码:<asp:TextBox ID="boxPassword" runat="server" CssClass="boxInput" TextMode="Password"></asp:TextBox></td> <td style=" 100px"> <asp:ImageButton ID="btnLogin" runat="server" ImageUrl="~/images/AdminLogin.gif" OnClick="btnLogin_Click" /></td> </tr> </table> </div> <div id="copyright"> 主办: Copyright © 2006 <a href="http://single.dlut.edu.cn"> Single</a> All Rights Reserved.</div> </div> </div> </form></body></html>using System;using System.Data;using System.Configuration;using System.Web;using System.Web.Security;using System.Web.UI;using System.Web.UI.WebControls;using System.Web.UI.WebControls.WebParts;using System.Web.UI.HtmlControls;using System.Data.SqlClient;using System.Text.RegularExpressions;using System.Collections;public partial class _Default : System.Web.UI.Page { protected string strConn = ConfigurationSettings.AppSettings["strConnection"]; protected int numErr = 5; //初始化允许登陆出错的最大次数 protected void Page_Load(object sender, EventArgs e)
{
//初始化帐号密码 //* // InitializtionPWD(); //* if (Session["numErr"] == null ) //初始化错误次数记录数。 { Session["numErr"] = 0;
} if (int.Parse(Session["numErr"].ToString()) >= numErr) { btnLogin.Enabled = false; } } protected void btnLogin_Click(object sender, ImageClickEventArgs e) { if (int.Parse(Session["numErr"].ToString()) < 5) { string adminName = boxUserName.Text; //替换特殊字符',增添记录 if (!CheckParams(adminName)) { adminName = adminName.Replace("\'","\'\'"); // adminName = adminName.Replace("=","\"=\""); string Insert = "Insert INTO OA_BadIP(BadIP,BadString,CreatedTime) values('" + Request.UserHostAddress + "','危险用户名[" + adminName + "]尝试登陆!','" + DateTime.Now + "')"; SqlConnection myConn2 = new SqlConnection(strConn); SqlCommand myCommand2 = new SqlCommand(Insert, myConn2); myConn2.Open(); myCommand2.ExecuteNonQuery(); myCommand2.Dispose(); myConn2.Close(); GoError("请不要尝试破坏此系统!\\n你的计算机" + Request.UserHostAddress + "已经被记录!"); } //建立数据库联接,验证用户! string password = FormsAuthentication.HashPasswordForStoringInConfigFile(boxPassword.Text, "SHA1"); string mySql = "Select AdminPWD,AdminGroup,ColleageID From OA_Admin Where AdminName='" + adminName + "'"; SqlConnection myConn = new SqlConnection(strConn); SqlCommand myCommand = new SqlCommand(mySql, myConn); myConn.Open(); SqlDataReader myReader; myReader = myCommand.ExecuteReader(); if (myReader.Read()) { if (password == myReader["AdminPWD"].ToString()) { Session["AdminName"] = boxUserName.Text; Session["AdminGroup"] = myReader["AdminGroup"].ToString(); Session["ColleageID"] = myReader["ColleageID"].ToString(); myReader.Close(); myConn.Close(); Response.Redirect("mail.aspx"); } else { Session["numErr"] = int.Parse(Session["numErr"].ToString()) + 1; Alert.Visible = true; Alert.Text = "密码错误!你还有" + (numErr - int.Parse(Session["numErr"].ToString())+1) + "次重试机会!"; myReader.Close(); myConn.Close(); } } else { Session["numErr"] = int.Parse(Session["numErr"].ToString()) + 1; Alert.Visible = true; Alert.Text = "用户名不存在!你还有" + (numErr - int.Parse(Session["numErr"].ToString())+1) + "次重试机会!"; myReader.Close(); myConn.Close(); } } else { Alert.Visible = true; Alert.Text = "错误记录达到最高上限,您在20分钟内无法登陆!"; //btnLogin.Enabled = false; } } //===================================== //下面的这段程序是初始化总管理员密码。 //====================================== private void InitializtionPWD() { //下面的这段程序是初始化管理员信息 //帐号:admin //密码:admin SqlConnection myConn = new SqlConnection(strConn); myConn.Open(); string hashed = FormsAuthentication.HashPasswordForStoringInConfigFile("admin", "SHA1"); string strInsert = "INSERT INTO OA_Admin(AdminName,AdminPWD,CreatedTime) Values('admin','" + hashed + "','" + DateTime.Now + "')"; SqlCommand insert = new SqlCommand(strInsert, myConn); insert.ExecuteNonQuery(); insert.Dispose(); myConn.Close(); } //============== // 错误提示! //============== private void GoError(string strError) { Response.Write("<script language=javascript>alert('" + strError + "\\n\\n系统将自动返回前一页面');history.back();</script>"); } //=============================== //过滤指定的字符,防止Sql注入。 //================================= bool CheckParams(params object[] args) { string[] Lawlesses ={ "=", "'" }; if (Lawlesses == null || Lawlesses.Length <= 0) return true; //构造正则表达式,例:Lawlesses是=号和'号,则正则表达式为 .*[=}'].* (正则表达式相关内容请见MSDN) //另外,由于我是想做通用而且容易修改的函数,所以多了一步由字符数组到正则表达式,实际使用中,直接写正则表达式亦可; string str_Regex = ".*["; for (int i = 0; i < Lawlesses.Length - 1; i++) str_Regex += Lawlesses[i] + "|"; str_Regex += Lawlesses[Lawlesses.Length - 1] + "].*"; // foreach (object arg in args) { if (arg is string)//如果是字符串,直接检查 { if (Regex.Matches(arg.ToString(), str_Regex).Count > 0) return false; } else if (arg is ICollection)//如果是一个集合,则检查集合内元素是否字符串,是字符串,就进行检查 { foreach (object obj in (ICollection)arg) { if (obj is string) { if (Regex.Matches(obj.ToString(), str_Regex).Count > 0) return false; } } } } return true; }}