与数据库价值进行比较

Question

What I am trying to do is grab the current logged in users username and compare that against a database which contains users, and also includes an Active flag and an Admin flag. I want to compare the current logged in user in the tbl_Person table and their respective user in the table to see if they are marked as Active and Admin. If both are true, they get access to an Admin page. I have the below so far which isn't working. Some of which I know why, some I don't. I think I am on the right track, that being said I am sure I am not doing it correctly. I know you use ExecuteScalar() to return something along with OUTPUT in the query string but couldn't get that to work. The other glaring issue is that I am trying to return integers when the username is a string and the active and admin flags are Bools. I know that I only have Active in there are the moment. I was trying to get that to work before adding in something else.

I read that with the ExecuteScalar, you could Parse and convert ToString, but that didn't work and I found evidence that this might not be the correct thing to do, but I'm really not sure.

I have got a few different errors. Type errors, invalid column when I've tried to do the OUTPUT. With OUTPUT I tried as just OUTPUT and because I know when returning after inserting, you do inserted.name. I tried selected.name as a hunch, but that didn't work.

I was thinking that if I pulled the info, concatenated them and then did a comparison, that this would do what I want, but I am open to other suggestions. Thanks.

string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["HSEProjRegConnectionString1"].ConnectionString);
conn.Open();
SqlCommand sqlUserName = new SqlCommand("SELECT [username] FROM [tbl_Person]", conn);
SqlCommand sqlActive = new SqlCommand("SELECT [active] FROM [tbl_Person]", conn);
int result1 = ((int)sqlUserName.ExecuteScalar());
int result2 = ((int)sqlActive.ExecuteScalar());

string userInfo = result1 + "." +result2;
string userName = userName + "." +result2;

if (userInfo == userName)
{
    Woo, you have access.
}
else
{
    Sorry, but no.
}

The Query isn't final either. Once it is working, I'll change it to a parameterised query.

Answer 1

Okay, consider the following code:

string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;

using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["HSEProjRegConnectionString1"].ConnectionString))
{
    conn.Open();
    using (SqlCommand cmd = new SqlCommand("SELECT [active] FROM [tbl_Person] WHERE username = @username", conn))
    {
        // since we can literally filter the results, if something comes back
        // we know they are registered
        cmd.Parameters.AddWithValue("@username", userName);

        var res = cmd.ExecuteScalar();
        bool registeredAndActive = (bool)res;

        // unless of course `[active]` is an INT -then do this
        bool registeredAndActive = (int)res == 1 ? true : false;

        // but really -set [active] up as a BIT if it's not **and**
        // please make it non-nullable :D
    }
}

I'm pretty sure it does what you want. But it also shows you some best practices like:

1. Leverage the using statement for all IDisposable objects.
2. Filter the query as much as you can and make only one round trip.