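        /// <summary>
        /// Final registration step: stores the chosen nickname and password for the account
        /// identified by <paramref name="p"/>.EmailOrPhone, then redirects to the site root.
        /// Re-renders the form when model validation fails or the update touched no row.
        /// </summary>
        /// <param name="p">Posted form: EmailOrPhone, Password, Nickname.</param>
        /// <returns>
        /// Redirect to "../" on success or when the request is rejected; the "Completion" view
        /// with errors otherwise.
        /// </returns>
        // NOTE(review): no [HttpPost]/[ValidateAntiForgeryToken] is visible on this action in the
        // listing - confirm they are present, since this action writes credentials.
        public ActionResult Completion(UserInfoCompletionViewModel p)
        {
            if (!ModelState.IsValid)
            {
                return(View(p));
            }

            // The identity being updated must be the one bound to this session at registration.
            // Previously a mismatch was only commented as "hacker attack" and the update still
            // ran, which let any session holding a userid rewrite the password of an arbitrary
            // account. Stop here instead. Static string.Equals also tolerates a null form value
            // or a missing session entry without throwing.
            string sessionUser = Session["userid"] as string;
            if (sessionUser == null || !string.Equals(p.EmailOrPhone, sessionUser, StringComparison.Ordinal))
            {
                return(Redirect("../"));
            }
            // NOTE(review): nothing here proves the verification code was actually checked
            // (see Validate); consider having Validate record that in the session and requiring it.

            SqlParameter emailParameter = new SqlParameter("FDEmailOrPhone", SqlDbType.VarChar, Common.Const.EmailOrPhoneLength);
            emailParameter.Value = p.EmailOrPhone;

            // VarChar: non-ASCII characters in a password would be altered before hashing - confirm intended.
            SqlParameter passwordParameter = new SqlParameter("FDPassword", SqlDbType.VarChar, Common.Const.PasswordLength_Max);
            passwordParameter.Value = p.Password;

            SqlParameter nicknameParameter = new SqlParameter("FDNickname", SqlDbType.NVarChar, Common.Const.NicknameLength_Max);
            nicknameParameter.Value = p.Nickname;

            // SECURITY: the password is stored as an unsalted, single-round SHA-256 computed by
            // SQL Server (HASHBYTES). Validate() matches against the same column/scheme, so
            // changing it needs a coordinated migration to a salted, slow hash (PBKDF2/Argon2)
            // computed in the application rather than in the query.
            int res = db.Database.ExecuteSqlCommand("update TBUsers set FDNickname = @FDNickname , FDPassword = HASHBYTES('SHA2_256',@FDPassword) ,FDUpdateTimestamp = SYSDATETIME() where FDEmailOrPhone = @FDEmailOrPhone", emailParameter, passwordParameter, nicknameParameter);
            if (res != 1)
            {
                // Zero (or several) rows touched: the account is missing or the key is not
                // unique. Surface it instead of silently redirecting as if it had worked.
                ModelState.AddModelError("", "Could not save your profile, please try again.");
                return(View(p));
            }

            Session.Add("nickname", p.Nickname);
            return(Redirect("../"));
        }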
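        /// <summary>
        /// Checks the verification code a freshly registered user received and, when it matches
        /// and the account is still incomplete, shows the profile-completion form.
        /// </summary>
        /// <param name="validateForm">Posted form: EmailOrPhone and VerificationCode.</param>
        /// <returns>
        /// The "Completion" view for a pending account; the "RegistrationCodeVerification" view
        /// with an error when the code is wrong or the model is invalid; a redirect to "../"
        /// when the request is rejected.
        /// </returns>
        // NOTE(review): no [HttpPost]/[ValidateAntiForgeryToken] is visible on this action in the
        // listing - confirm they are present.
        public ActionResult Validate(UserRegistrationCodeVerificationViewModel validateForm)
        {
            if (!ModelState.IsValid)
            {
                return(View("RegistrationCodeVerification", validateForm));
            }

            // Only the identity tied to this session may be verified. The original code noted a
            // mismatch as "hacker attack" but carried on regardless; now it stops. Static
            // string.Equals avoids a NullReferenceException on a null form value or session entry.
            string sessionUser = Session["userid"] as string;
            if (sessionUser == null || !string.Equals(validateForm.EmailOrPhone, sessionUser, StringComparison.Ordinal))
            {
                return(Redirect("../"));
            }

            SqlParameter emailParameter = new SqlParameter("FDEmailOrPhone", SqlDbType.VarChar, Common.Const.EmailOrPhoneLength);
            emailParameter.Value = validateForm.EmailOrPhone;

            // The verification code lives in the password column, hashed the same way as a
            // password (unsalted SHA-256 via HASHBYTES), so it is matched inside the query.
            SqlParameter codeParameter = new SqlParameter("FDPassword", SqlDbType.VarChar, Common.Const.VerificationCodeLength);
            codeParameter.Value = validateForm.VerificationCode;

            // SECURITY: nothing here limits how many codes a session may try, and nothing bounds
            // the code's lifetime; a short code is guessable online without an attempt counter,
            // lockout or expiry - confirm these exist elsewhere (FDUpdateTimestamp could bound validity).
            TBUser user = db.Database.SqlQuery<TBUser>("select * from TBUsers where FDEmailOrPhone = @FDEmailOrPhone and FDPassword = HASHBYTES('SHA2_256',@FDPassword)", emailParameter, codeParameter).FirstOrDefault();

            if (user == null)
            {
                ModelState.AddModelError("VerificationCode", "Verification Code is wrong ");
                return(View("RegistrationCodeVerification", validateForm));
            }

            // A nickname starting with a blank marks an account that has not completed
            // registration yet (Completion overwrites it). Anything else - including a null
            // nickname, which previously threw - must not let the code be reused to reset an
            // already-completed account, so reject. Ordinal: this is a marker, not user text.
            bool pending = user.FDNickname != null && user.FDNickname.StartsWith(" ", StringComparison.Ordinal);
            if (!pending)
            {
                return(Redirect("../"));
            }

            // NOTE(review): consider recording the successful verification in the session here
            // so Completion can require it rather than trusting Session["userid"] alone.
            UserInfoCompletionViewModel p = new UserInfoCompletionViewModel();
            p.EmailOrPhone = validateForm.EmailOrPhone;
            return(View("Completion", p));
        }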