I have a login page that reads from one table the username and the password from another table.
Once the user logs in, it redirects the user to their page. Is there any way that it can redirect another user to another page? Here is my code.
C#
using System;
using System.Configuration;
using System.Data.SqlClient;

public partial class Login : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["PassConnectionString"].ConnectionString);
        con.Open();

        string cmdStr = "select count(*) from TableCEO where EmailAddress='" + TextBox1.Text + "'";
        SqlCommand Checkuser = new SqlCommand(cmdStr, con);
        int temp = Convert.ToInt32(Checkuser.ExecuteScalar().ToString());
        if (temp == 1)
        {
            string cmdStr2 = "Select Password from TablePass where Password='" + TextBox2.Text + "'";
            SqlCommand pass = new SqlCommand(cmdStr2, con);
            string password = pass.ExecuteScalar().ToString();
            con.Close();

            if (password == TextBox2.Text)
            {
                Session["New"] = TextBox1.Text;
                Response.Redirect("Welcome.aspx");
            }
            else
            {
                Label1.Visible = true;
                Label1.Text = "Invalid Password!!!";
            }
        }
        else
        {
            Label1.Visible = true;
            Label1.Text = "Invalid UserName!!!";
        }
    }
}
Updated 26-Apr-13 3:36am
Comments
Keith Barrow 26-Apr-13 9:41am    
Hi, Not an answer, more a piece of advice. Use the built-in provider model if you can, it isn't as simple as just re-directing and a lot can go wrong. It is also fantastically easy to introduce security flaws. I've been a dev for years and I wouldn't risk it without expert advice or a well established framework. The provider model will also save you a lot of work (it even has a DB Schema built-in) and doesn't need to be re-rolled each time you start a project.

There is an excellent set of tutorials at http://weblogs.asp.net/scottgu/archive/2006/05/07/ASP.NET-2.0-Membership-and-Roles-Tutorial-Series.aspx
Computer Wiz99 26-Apr-13 9:48am    
Thanks for the advice. One more thing. Is it better to have a web page that has two links on it, one for this user and the other for another user that way the other web pages will have different codes to handle it on thing? Or should I just stick with one login page for two different users?

1 solution

Just imagine this scenario:
A user (smart one) wants to log in. He writes me@mail.com in the Email textbox and pwd in the password textbox. This input will generate the following sql-queries:
SQL
select count(*) from TableCEO where EmailAddress='me@mail.com'

and
SQL
Select Password from TablePass where Password='pwd'

That's no problem.


Now imagine that this user writes ' or 1=1 or 1=' in the email textbox, and ' or LEN(Password)>0 or Password=' in the password textbox.

This input will generate the following sql-queries:
SQL
select count(*) from TableCEO where EmailAddress='' or 1=1 or 1=''

and
SQL
Select Password from TablePass where Password='' or LEN(Password)>0 or Password=''


Do you see the problem here? It's called SQL injection. It's easy to prevent using SqlParameters. You really should read about it.

MSDN - How To: Protect From SQL Injection in ASP.NET

And you should never store passwords as clear text in your database. It's pretty easy to avoid. I've written an article about that: Beginners guide to a secure way of storing passwords
 
Comments
Sergey Alexandrovich Kryukov 26-Apr-13 10:13am    
Great example and a link, a 5.
—SA
StianSandberg 26-Apr-13 11:42am    
Thank you SA :)
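
The two points of the solution above (SqlParameters and no clear-text passwords) combined in one login check, as an added example that is not part of the original question or answer. It assumes a hypothetical schema in which TablePass has EmailAddress, Salt and PasswordHash columns; the LoginCheck class, the PBKDF2 choice and the iteration count are also assumptions of this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginCheck
{
    // Assumed schema (not from the post):
    // TablePass(EmailAddress, Salt varbinary(16), PasswordHash varbinary(32)).
    private const string Query =
        "SELECT p.Salt, p.PasswordHash FROM TableCEO c " +
        "JOIN TablePass p ON p.EmailAddress = c.EmailAddress " +
        "WHERE c.EmailAddress = @email";

    public static bool IsValidLogin(string connectionString, string email, string password)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(Query, con))
        {
            // The value travels as a typed parameter, never as SQL text,
            // so input such as ' or 1=1 or 1=' is compared as a literal string.
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;   // no such user
                var salt = (byte[])reader["Salt"];
                var stored = (byte[])reader["PasswordHash"];
                return FixedTimeEquals(stored, Hash(password, salt));
            }
        }
    }

    // PBKDF2-HMAC-SHA256; this overload needs .NET Framework 4.7.2 or later.
    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Compare every byte so timing does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the password row is selected by the user's own e-mail address, a password that belongs to a different account no longer passes the check, which the two independent queries in the question allowed.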

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


