
Login script check


Problem

I have written a script that sits on the admin portion on my website.

Here I assume the user is valid as I have code that checks that already.

The below code checks if the user is Admin. If they are Admin they will be flagged with a "Y" on the database (this will be a "1" for optimization later but for sanity's sake with testing Y was easier).

App Code:

    Public Function IsUserAdmin(ByVal iUserID As Long) As Boolean

        Dim sConnString As String = System.Web.Configuration.WebConfigurationManager.ConnectionStrings("mySQL").ConnectionString
        Dim dsNames As SqlDataSource
        Dim bReturn As Boolean = False

        dsNames = New SqlDataSource

        dsNames.ConnectionString = sConnString
        Dim sSQL As String
        sSQL = "SELECT IsAdmin FROM [SystemUsers] WHERE ID=@UserID"
        dsNames.SelectCommand = sSQL
        dsNames.SelectParameters.Clear()
        dsNames.SelectParameters.Add("UserID", iUserID)

        For Each datarow As Data.DataRowView In dsNames.Select(DataSourceSelectArguments.Empty) ' do I need a loop?
            If datarow("IsAdmin").ToString().ToUpper = "Y" Then
                bReturn = True
            End If
        Next
        Return bReturn

        dsNames.dispose

    End Function


.Net Code

    'Assuming basic login was okay we have a UserObject/UserID

    Dim vAdmin as string
    vAdmin = IsUserAdmin(Session("UserObject"))
    If vAdmin = True Then
        'Valid User
    Else
        Response.Redirect("../Default.aspx")
    End If

Solution

I see you're not using the role manager built into .NET (together with a built-in membership provider). If you were, then this could be codeless and configured in the Web.config.

For example, the Web.config of my Logs directory (which contains log files) looks like this:

Second, ideally you should call the Dispose method of your SqlDataSource when you finish using it.

Context

StackExchange Code Review Q#41946, answer score: 4
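
The directory-level authorization the answer describes can be expressed as in the fragment below. This is an added example, not the answerer's own Web.config; the role name Admin, forms authentication and an enabled role manager in the site's root Web.config are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example: save as Web.config inside the directory to protect.
     Assumes the root Web.config already configures forms authentication
     and contains <roleManager enabled="true" />, and that a role named
     "Admin" exists (the role name is an assumption). -->
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins,
           so the allow rule must come before the catch-all deny. -->
      <allow roles="Admin" />
      <!-- Without this deny, the inherited default <allow users="*" />
           would let every other user, including anonymous ones, through. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

With this in place the check is enforced for every ASP.NET request into the directory, so a page that forgets to call an admin check in its own code is still covered.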
