sql防注入

CallCenterApi/CallCenterApi.Interface/CallCenterApi.Interface/App_Start/FilterConfig.cs

@@ -7,7 +7,7 @@ namespace CallCenterApi.Interface
     {
         public static void RegisterGlobalFilters(GlobalFilterCollection filters)
         {
-            filters.Add(new SqlErrorAttribute());
+           // filters.Add(new SqlErrorAttribute());
             filters.Add(new ErrorAttribute());
         }
     }

CallCenterApi/CallCenterApi.Interface/CallCenterApi.Interface/App_Start/SqlErrorAttribute.cs

@@ -190,150 +190,13 @@ namespace CallCenterApi.Interface.App_Start
             //1:检测用户是否禁用
             var u = new BLL.T_Sys_UserAccount().GetModel(userId);
             //1-禁用 0-启用
-            if (u.F_DeleteFlag == 1)
+            if (u ==null )
             {
                 a = 1;
             }
-            else
+           else  if (u.F_DeleteFlag == 1)
             {
-                //2：检测当前操作页面是否具有权限
-                //当前登陆页面路径
-                string url = RequestString.GetUrlReferrer().ToString();
-                string url1 = RequestString.GetUrl();
-                string url2 = RequestString.GetCurrentFullHost();
-                string url3 = RequestString.GetRawUrl();
-                string url4 = RequestString.GetFilename(url);
-
-
-                //添加额外页面权限
-                if (url4 == "Editor.html" || url4 == "WorkOrderDetail.html" || url4 == "PrintPreview.html" || url4 == "PrintPreview.html" || url4 == "WorkOrderEdit.html")
-                {
-
-                    a = 0;
-                }
-                else
-                {
-
-
-                    //接口操作方法
-                    string url5 = "";
-                    if (url3 == null || url3 == "")
-                    {
-                        url5 = "";
-                    }
-                    else
-                    {
-                        int temp = url3.IndexOf("?");
-                        if (temp > 0)
-                        {
-                            url5 = url3.Substring(0, temp);
-                        }
-                        else
-                        {
-                            url5 = url3;
-                        }
-
-                    }
-                    if (url5 == "/UserAccount/GetList")
-                    {
-                        int qqq = 0;
-                    }
-
-                    // GetFilename
-
-                    //GetCurrentFullHost
-                    //GetRawUrl
-
-                    //首页 widgets.html
-                    //登陆页  过滤掉  index.html
-                    if (url4 != "widgets.html" && url4 != "index.html")
-                    {
-
-                        //根据当前登陆页 判断 导航id 之后只查找此导航内的接口权限
-                        //字符串.Replace（源子串，替换为）;
-                        //string url6 = url.Replace(url2, "");
-                        int functionid = 0;
-                        if (url4.Length > 0 && url4 != "PrintPreview.html")
-                        {
-                            functionid = PageFuoction(url4);
-                        }
-
-
-
-                        StringBuilder strSql = new StringBuilder();
-                        strSql.Append(@"  select   f.F_OptUrl,f.F_FunctionId
-   from dbo.T_Sys_RoleFunction rf 
-   left join T_Sys_Function  f on   rf.F_FunctionId=f.F_FunctionId 
-     ");
-                        strSql.Append(" where    F_RoleId= " + roleId);
-                        if (functionid > 0)
-                        {
-                            strSql.Append(" and f.F_FunctionId=" + functionid);
-                        }
-                        else if (url4 == "PrintPreview.html")
-                        {
-                            strSql.Append(@" and f.F_FunctionId in (select F_FunctionId from dbo.T_Sys_Function 
-      where  F_OptUrl like '%" + url4 + "%')");
-                        }
-                        strSql.Append("  group by f.F_OptUrl ,f.F_FunctionId");
-
-                        var ds = DbHelperSQL.Query(strSql.ToString());
-                        DataTable dt = new DataTable();
-                        dt = ds.Tables[0];
-                        //行
-                        for (int i = 0; i < dt.Rows.Count; i++)
-                        {
-                            //列
-                            for (int j = 0; j < dt.Columns.Count; j++)
-                            {
-                                //用户所具有权限的页面
-                                string f1 = dt.Rows[i][0].ToString();
-                                string f2 = RequestString.GetFilename(f1);
-                                int f12 = Convert.ToInt32(dt.Rows[i][1].ToString() == "" ? "0" : dt.Rows[i][1].ToString());
-                                if (f2 == url4)
-                                {
-                                    b++;
-                                    break;
-                                }
-                                int tqw = getItemBYUrl(url5, Convert.ToInt32(roleId));
-                                if (tqw == 0)
-                                {
-                                    throw new Exception("操作失败，无权限");
-                                }
-                                //if (f12>0) {
-                                //    if (f12==19) {
-                                //        int qw1 = 1;
-                                //    }
-                                //   int qw= getItemUrl(f12, url5,Convert.ToInt32( roleId));
-                                //    if (qw == 0)
-                                //    {
-                                //        throw new Exception("操作失败，无权限");
-                                //    }
-
-
-                                //}
-
-                                //当前用户登陆的页面url
-
-
-                            }
-                        }
-                    }
-                    else
-                    {
-                        b = 1;
-                    }
-                    //此页面有权限
-                    if (b > 0)
-                    {
-                        a = 0;
-                    }
-                    if (b == 0)
-                    {
-                        a = 1;
-                    }
-
-                }
+                a = 1;
             }
             #region MyRegion
             // return ds;

CallCenterApi/CallCenterApi.Interface/CallCenterApi.Interface/Controllers/workorder/WorkOrderController.cs

@@ -15,7 +15,7 @@ using System.Web.Mvc;
 
 namespace CallCenterApi.Interface.Controllers.workorder
 {
-    [SqlError]
+  //  [SqlError]
     public class WorkOrderController : BaseController
     {
         // GET: WorkOrder
@@ -2261,8 +2261,9 @@ namespace CallCenterApi.Interface.Controllers.workorder
             }
             else
             {
-                sql += " and (F_WorkState in (2,4,8)" + sqlwhere   + "or  (( isnull(F_DealTime,'')<>'' and F_LimitTime<F_DealTime) or ( isnull(F_DealTime,'')='' and F_LimitTime<F_CloseTime) ) " + sqlwhere1+ "and F_WorkState =9)";
-
+                sql += " and F_WorkState in (2,4,8) ";
+                sql += " and (F_WorkState in (2,4,8)" + sqlwhere   + "or  (( isnull(F_DealTime,'')<>'' and F_LimitTime<F_DealTime) or ( isnull(F_DealTime,'')='' and F_LimitTime<F_CloseTime) ) " + sqlwhere1+ ")";
+               
             }
             if (strworkid.Trim() != "" && strworkid != "undefined")
             {