4201
Reputation: 9
Why is authentification failing? C# ASP.NET
Registering page accepts usernames that are already included in database, even though I included code to prevent that:
string checkuser = "SELECT count(*) FROM Customers WHERE CustUserName='" + txtCustUserName.Text + "'";
SqlCommand com = new SqlCommand(checkuser, conn);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
if (temp > 0)
{
Response.Write("User already exists");
}
This is the whole code for register page:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;
using System.Configuration;
public partial class Registration : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
this.UnobtrusiveValidationMode = System.Web.UI.UnobtrusiveValidationMode.None;
if (IsPostBack)
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationDatabaseConnectionString"].ConnectionString);
conn.Open();
string checkuser = "SELECT count(*) FROM Customers WHERE CustUserName='" + txtCustUserName.Text + "'";
SqlCommand com = new SqlCommand(checkuser, conn);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
if (temp > 0)
{
Response.Write("User already exists");
}
conn.Close();
}
}
protected void Button1_Click(object sender, EventArgs e)
{
try
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationDatabaseConnectionString"].ConnectionString);
conn.Open();
string insertQuery = "INSERT into Customers (CustFirstName, CustLastName, CustAddress, CustCity, CustProv, CustPostal, CustCountry, CustHomePhone, CustBusPhone, CustEmail, CustUserName, CustPassword) values (@custFirstName ,@custLastName ,@custAddress ,@custCity ,@custProv ,@custPostal, @custCountry ,@custHomePhone ,@custBusPhone ,@custEmail ,@custUserName ,@custPassword)";
SqlCommand com = new SqlCommand(insertQuery, conn);
com.Parameters.AddWithValue("@custFirstName", txtCustFirstName.Text);
com.Parameters.AddWithValue("@custLastName", txtCustLastName.Text);
com.Parameters.AddWithValue("@custAddress", txtCustAddress.Text);
com.Parameters.AddWithValue("@custCity", txtCustCity.Text);
com.Parameters.AddWithValue("@custProv", txtCustProv.Text);
com.Parameters.AddWithValue("@custPostal", txtCustPostal.Text);
com.Parameters.AddWithValue("@custCountry", txtCustCountry.Text);
com.Parameters.AddWithValue("@custHomePhone", txtCustHomePhone.Text);
com.Parameters.AddWithValue("@custBusPhone", txtCustBusPhone.Text);
com.Parameters.AddWithValue("@custEmail", txtCustEmail.Text);
com.Parameters.AddWithValue("@custUsername", txtCustUserName.Text);
com.Parameters.AddWithValue("@custPassword", txtCustPassword.Text);
com.ExecuteNonQuery();
Response.Redirect("Manager.aspx");
Response.Write("Registration is successful" );
conn.Close();
}
catch(Exception ex)
{
Response.Write("Error:"+ex.ToString());
}
}
}
The login page marks all logins as "wrong username" even though the username and password are correct.
This is the code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
public partial class Login : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
this.UnobtrusiveValidationMode = System.Web.UI.UnobtrusiveValidationMode.None;
}
protected void btnLogin_Click(object sender, EventArgs e)
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationDatabaseConnectionString"].ConnectionString);
conn.Open();
string checkuser = "SELECT count(*) FROM Customers WHERE CustUserName='" + txtUsername.Text + "'";
SqlCommand com = new SqlCommand(checkuser, conn);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
conn.Close();
if (temp > 0)
{
conn.Open();
string checkPasswordQuery= "SELECT password FROM Customers WHERE CustUserName='" + txtUsername.Text + "'";
SqlCommand passCom = new SqlCommand(checkPasswordQuery, conn);
string password = passCom.ExecuteScalar().ToString().Replace(" ","");
if(password == txtPassword.Text)
{
Session["New"] = txtUsername.Text;
Response.Write("Password is correct");
Response.Redirect("Manager.aspx");
}
else
{
Response.Write("Password is not correct");
}
}
else
{
Response.Write("Username is not correct");
}
}
}
Thank you.
Upvotes: 0
Views: 75
Answers (2)
Dr. Stitch
Reputation: 918
Please try this.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;
using System.Configuration;
public partial class Registration : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
this.UnobtrusiveValidationMode = System.Web.UI.UnobtrusiveValidationMode.None;
if (!IsPostBack)
{
}
}
protected void Button1_Click(object sender, EventArgs e)
{
try
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationDatabaseConnectionString"].ConnectionString);
conn.Open();
string checkuser = "SELECT count(*) FROM Customers WHERE CustUserName='" + txtCustUserName.Text + "'";
SqlCommand com = new SqlCommand(checkuser, conn);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
conn.Close();
if (temp > 0)
{
Response.Write("User already exists");
}
else
{
conn.Open();
string insertQuery = "INSERT into Customers (CustFirstName, CustLastName, CustAddress, CustCity, CustProv, CustPostal, CustCountry, CustHomePhone, CustBusPhone, CustEmail, CustUserName, CustPassword) values (@custFirstName ,@custLastName ,@custAddress ,@custCity ,@custProv ,@custPostal, @custCountry ,@custHomePhone ,@custBusPhone ,@custEmail ,@custUserName ,@custPassword)";
SqlCommand com = new SqlCommand(insertQuery, conn);
com.Parameters.AddWithValue("@custFirstName", txtCustFirstName.Text);
com.Parameters.AddWithValue("@custLastName", txtCustLastName.Text);
com.Parameters.AddWithValue("@custAddress", txtCustAddress.Text);
com.Parameters.AddWithValue("@custCity", txtCustCity.Text);
com.Parameters.AddWithValue("@custProv", txtCustProv.Text);
com.Parameters.AddWithValue("@custPostal", txtCustPostal.Text);
com.Parameters.AddWithValue("@custCountry", txtCustCountry.Text);
com.Parameters.AddWithValue("@custHomePhone", txtCustHomePhone.Text);
com.Parameters.AddWithValue("@custBusPhone", txtCustBusPhone.Text);
com.Parameters.AddWithValue("@custEmail", txtCustEmail.Text);
com.Parameters.AddWithValue("@custUsername", txtCustUserName.Text);
com.Parameters.AddWithValue("@custPassword", txtCustPassword.Text);
com.ExecuteNonQuery();
Response.Redirect("Manager.aspx");
Response.Write("Registration is successful" );
conn.Close();
}
}
catch(Exception ex)
{
Response.Write("Error:"+ex.ToString());
}
}
}
Upvotes: 0
Kit
Reputation: 21
What is the value of temp here during debugging?:
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
If you have duplicate records in your table, the variable temp will never be 1.
Set CustUserName as a primary key on your Customers table to prevent duplicate entry.
Upvotes: 1
Related Questions
- Why is it important to override GetHashCode when Equals method is overridden?
- ASP.NET Web Site or ASP.NET Web Application?
- Why not inherit from List<T>?
- Why is Dictionary preferred over Hashtable in C#?
- How do I store values obtained from the "select" query into the Session Variables in ASP.net
- Incrementing a value of a field in the table by button click
- Validating Email and Password Input Against a Dataset
- How to link separated class for database operations in website in ASP.net with the pages.aspx
- c# closing sqlconnection and sqldatareader or not?