
check role,username and password and redirect on welcome page mvc5

I am creating a web app in MVC 5. In my login form I have two textboxes, one button and one span; if a user provides wrong information, the span's text should become visible.

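    <!-- Login form markup from the question. The role list, username and password are
         posted to the web service by script (not shown); the span below is revealed when
         the service reports a failed login. -->
    <div style="margin-top:20px;">
        <span>
            <select style="width:275px; height:45px; font-size:15px; font-family:Verdana;" class="ddl">
                <option>Select Your Role</option>
                <option>Super Admin</option>
                <option>Admin</option>
                <option>Company</option>
                <option>Unit</option>
                <option selected="selected">Trainer</option>
                <option>Employee</option>
                <option>Partner Manager</option>
                <option>Regional Partner Manager</option>
                <option>Assistant Partner Manager</option>
                <option>Zonal Partner Manager</option>
                <option>LLT</option>
            </select>
        </span>
    </div>
<div class="col-xs-offset-0" style="margin-top:15px;">
    <span>
        <input type="text" id="txtusrname" class="ddl txtbo" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Username" autocomplete="username" />
    </span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
    <span>
        <!-- type="password" (the original had type="text"): the browser masks the value on
             screen, keeps it out of the plain-text autocomplete history and lets password
             managers recognise the field. -->
        <input type="password" class="ddl txtbo" id="txtpass" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Password" autocomplete="current-password" />
    </span>
</div>
    <div class="imagediv" style="">

        <input id="btnerp" type="button" class="btn btn-default btnspacererp" style="" width="200" height="34" value="Login" />
    </div>
   <div class="" style="margin-top:20px; Width:auto; Height:34px; margin-left:-20px;">
   <!-- Hidden until the login check fails; the same text is used for a wrong role, username
        or password so the page does not reveal which one was wrong. -->
   <span style="font-size:14px; visibility:hidden; font-family:Verdana; color:red;">Incorrect Login Credential!!!!</span> 
   </div>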

and I am passing all the login information to a web service, which checks the dropdown list, username and password. If the information provided by the user (dropdown list, username and password) is correct, the page should be redirected to the welcome page; otherwise it should show the span message.

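[WebMethod]
public string getlogintype(string role, string username, string password)
{
    // Returns "true" when the (role, username, password) triple matches a row in
    // the table that backs that role, otherwise "false".
    //
    // Every caller-supplied value reaches SQL Server as a typed parameter; none
    // of it is ever concatenated into the statement text, so nothing typed into
    // the login form can change the shape of the query.  (The original built
    // each statement with string concatenation and was injectable from the
    // form, which the web service is exposed to directly.)
    //
    // Differences from the original that callers should know about:
    //   * an unrecognised role, and the partner-manager branches that used to
    //     set neither flag, now answer "false" instead of "" — the only caller
    //     on this page tests == "true", so the redirect decision is unchanged;
    //   * blank or missing credentials are refused without touching the
    //     database;
    //   * the "LLT" branch now actually runs its query (the original filled its
    //     DataTable from an adapter that had no SelectCommand, which throws);
    //   * the connection is disposed even when a query throws.
    //
    // NOTE(review): the password is compared against the stored column as-is,
    // which implies it is stored in plain text — confirm against the schema.
    // Hashing (e.g. PBKDF2) would have to be applied here and wherever the
    // accounts are created; that change is outside this method.
    if (string.IsNullOrEmpty(role) || string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
    {
        return "false";
    }

    bool authenticated = false;
    using (SqlConnection con = new SqlConnection("connectionstring"))
    {
        con.Open();
        switch (role)
        {
            case "Admin":
            case "Super Admin":
                authenticated = RowExists(con,
                    "select count(*) from [admin] where userid = @username and pass = @password",
                    CredentialParameters(username, password));
                break;
            case "Company":
                authenticated = RowExists(con,
                    "select count(*) from companydetails where comid = @username and pass = @password",
                    CredentialParameters(username, password));
                break;
            case "Unit":
                authenticated = RowExists(con,
                    "select count(*) from companyallot where email = @username and password = @password",
                    CredentialParameters(username, password));
                break;
            case "Trainer":
                authenticated = RowExists(con,
                    "select count(*) from trainerdetails where trid = @username and pass = @password",
                    CredentialParameters(username, password));
                break;
            case "Employee":
                // NOTE(review): the original statement named this table
                // "employee details" (with a space), which is not valid unquoted
                // T-SQL; it is bracketed here on the assumption the name really
                // contains a space — confirm the actual table name.
                authenticated = RowExists(con,
                    "select count(*) from [employee details] where empid = @username and pass = @password",
                    CredentialParameters(username, password));
                break;
            case "Partner Manager":
                authenticated = TrainerAllotted(con, username, password,
                    "select count(*) from companydetails where pm = @name");
                break;
            case "Regional Partner Manager":
                authenticated = TrainerAllotted(con, username, password,
                    "select count(*) from rpmallot where trainer = @name");
                break;
            case "Assistant Partner Manager":
                authenticated = TrainerAllotted(con, username, password,
                    "select count(*) from companydetails where apm = @name");
                break;
            case "Zonal Partner Manager":
                authenticated = TrainerAllotted(con, username, password,
                    "select count(*) from zonerpm where trainer = @name");
                break;
            case "LLT":
                authenticated = RowExists(con,
                    "select count(*) from trainerdetails where trid = @username and pass = @password and type = @type",
                    new SqlParameter("@username", username),
                    new SqlParameter("@password", password),
                    new SqlParameter("@type", role));
                break;
            default:
                // Unknown role: there is no table to check against, so refuse.
                break;
        }
    }

    return authenticated ? "true" : "false";
}

// The two parameters shared by every credential query.  Null values never
// reach here: getlogintype refuses blank credentials before opening the
// connection, so no DBNull substitution is needed.
private static SqlParameter[] CredentialParameters(string username, string password)
{
    return new SqlParameter[]
    {
        new SqlParameter("@username", username),
        new SqlParameter("@password", password),
    };
}

// Runs a "select count(*) ..." statement with the given parameters on an
// already-open connection and reports whether it counted at least one row.
// Table and column names in the statement come only from the string literals
// in this class, never from the request.
private static bool RowExists(SqlConnection con, string countSql, params SqlParameter[] parameters)
{
    using (SqlCommand cmd = new SqlCommand(countSql, con))
    {
        cmd.Parameters.AddRange(parameters);
        return (int)cmd.ExecuteScalar() > 0;
    }
}

// Two-step check used by the partner-manager roles: the credentials must match
// a trainerdetails row, and that trainer's empname must then appear in the
// role's allotment table (the "@name" parameter of allotmentCountSql).
private static bool TrainerAllotted(SqlConnection con, string username, string password, string allotmentCountSql)
{
    string empname = null;
    using (SqlCommand cmd = new SqlCommand(
        "select empname from trainerdetails where trid = @username and pass = @password", con))
    {
        cmd.Parameters.AddRange(CredentialParameters(username, password));
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            // Like the original, if several rows match the last one's empname wins.
            while (dr.Read())
            {
                empname = dr["empname"].ToString();
            }
        }
    }

    if (empname == null)
    {
        // No trainer row for these credentials: the original left both flags
        // unset here and returned "", which the caller treats as a failed login.
        return false;
    }

    return RowExists(con, allotmentCountSql, new SqlParameter("@name", empname));
}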

}

This web service returns "true" if the user information is correct and "false" if the provided username, password or role is wrong. That result is then passed to the action result, where I have three strings (username, password, role). I want to store all of the user's login information in a session and redirect the user to the welcome page.

/// <summary>
/// Placeholder action for the login form; the body was left as "required code"
/// in the question. Receives the same three values that getlogintype() takes,
/// so the intent is presumably to call the web service from here and redirect
/// on "true" — not shown, so unconfirmed.
/// </summary>
public ActionResult Login(string role, string username, string password)
{
    //required code
}

This is my ActionResult. What do I need to put here to authenticate the user and redirect to the welcome page?



Try this. Submit the form using Html.BeginForm so that the request is processed by the action method. From the action method call getlogintype(). Based on its return value, set a message string in ViewBag and pass it to the view through ViewBag.Message.

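  @using (Html.BeginForm("Login", "ControllerName", FormMethod.Post))
  {
      @* Anti-forgery token: ties this POST to the user's own session cookie.
         Pair it with [ValidateAntiForgeryToken] on the POST Login action. *@
      @Html.AntiForgeryToken()
      <div style="margin-top:20px;">
          <span>
              <select style="width:275px; height:45px; font-size:15px; font-family:Verdana;" class="ddl" name="roleSelect">
                  <option>Select Your Role</option>
                  <option>Super Admin</option>
                  <option>Admin</option>
                  <option>Company</option>
                  <option>Unit</option>
                  <option selected="selected">Trainer</option>
                  <option>Employee</option>
                  <option>Partner Manager</option>
                  <option>Regional Partner Manager</option>
                  <option>Assistant Partner Manager</option>
                  <option>Zonal Partner Manager</option>
                  <option>LLT</option>
              </select>
          </span>
      </div>
      <div class="col-xs-offset-0" style="margin-top:15px;">
          <span>
              <input type="text" id="txtusrname" class="ddl txtbo" name="txtusrname" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Username" autocomplete="username" />
          </span>
      </div>
      <div class="col-xs-offset-0" style="margin-top:15px;">
          <span>
              @* type="password" (the original had type="text") so the value is masked
                 on screen and not kept in the browser's plain-text autocomplete history. *@
              <input type="password" class="ddl txtbo" id="txtpass" name="txtpass" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Password" autocomplete="current-password" />
          </span>
      </div>
      <div class="imagediv" style="">
          @* type="submit", not "button": a plain button never posts the form, so the
             [HttpPost] Login action would never run without extra script. *@
          <input id="btnerp" type="submit" class="btn btn-default btnspacererp" style="" width="200" height="34" value="Login" />
      </div>
      <div style="margin-top:20px; Width:auto; Height:34px; margin-left:-20px;">
          @* Empty on first render; the POST action fills ViewBag.Message on a failed login. *@
          <span style="font-size:14px;font-family:Verdana; color:red;">@ViewBag.Message</span>
      </div>
  }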

Controller

/// <summary>
/// Serves the empty login form on GET; the [HttpPost] overload handles the
/// submitted credentials.
/// </summary>
public ActionResult Login()
{
    ViewResult loginForm = View();
    return loginForm;
}


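[HttpPost]
public ActionResult Login(FormCollection form)
{
    // Handles the form rendered by Html.BeginForm("Login", ...): the three field
    // names below must match the name="" attributes of the select and inputs.
    // Consider adding [ValidateAntiForgeryToken] once the view renders
    // @Html.AntiForgeryToken(), so a third-party page cannot post this form.
    string role = form["roleSelect"];
    string username = form["txtusrname"];
    string password = form["txtpass"];

    // The original line was missing its terminating semicolon and did not compile.
    webservice.loginservice service = new webservice.loginservice();
    string result = service.getlogintype(role, username, password);

    if (result == "true")
    {
        // A redirect on its own logs nobody in — anyone could type the Welcome
        // URL.  Issue the forms-authentication ticket so the Welcome controller
        // can be protected with [Authorize]; this needs
        // <authentication mode="Forms"> in web.config.  Keep the ticket
        // non-persistent (false) for a login form.
        System.Web.Security.FormsAuthentication.SetAuthCookie(username, false);
        return RedirectToAction("Welcome_ActionMethod", "Welcome_Controller");
    }

    // Same message for a wrong role, username or password so the response does
    // not reveal which part failed.
    ViewBag.Message = "Incorrect Login Credential!!!!";
    return View();
}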



  1. You should use an AJAX request to pass the form data to the web service.
  2. If the web service returns true, then submit the form to the controller.

Most importantly, if your form submits directly to the method you posted, it is open to SQL injection, meaning your validation routine isn't secure even in the most basic sense.

Look at parameterised SqlCommands to close that vulnerability.

