Change the code to the version below. Your logic is correct, but the approach is wrong.
The usual approach is:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
namespace Bidders_Joint
{
public partial class WebForm2 : System.Web.UI.Page
{
/// <summary>
/// Page load handler. The login page needs no per-request setup, so this is a no-op.
/// </summary>
/// <param name="sender">The page raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // Nothing to initialise here; all work happens in the button click handler.
}
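/// <summary>
/// Handles the Login button click: looks up the account type for the submitted
/// user id and password, then redirects to the matching landing page.
/// Shows a generic failure message when no matching row is found or the
/// account type is not recognised.
/// </summary>
/// <param name="sender">The button raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnLogin_Click(object sender, EventArgs e)
{
    // The target is chosen inside the try block but the redirect is issued after it:
    // Response.Redirect(url) ends the request by raising ThreadAbortException, which
    // the catch (Exception) handler below would otherwise intercept.
    string redirectUrl = null;

    try
    {
        // Read inside the try so a missing "BiddersJoint" entry is handled like any other failure.
        string constr = ConfigurationManager.ConnectionStrings["BiddersJoint"].ToString();

        // using blocks dispose the connection, command and reader on every path.
        using (SqlConnection con = new SqlConnection(constr))
        using (SqlCommand cmd = new SqlCommand(
            "select Type from TABLE_USER where User_ID = @userid AND Password=@password", con))
        {
            // User input is bound as parameters, never concatenated into the SQL text.
            cmd.Parameters.AddWithValue("@userid", txtUserid.Text);

            // NOTE(review): comparing the submitted password with the Password column
            // only works if passwords are stored unhashed. Store a salted, slow hash
            // (e.g. PBKDF2) and verify it in code instead - confirm against the schema.
            cmd.Parameters.AddWithValue("@password", txtPassword.Text);

            con.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                // Read() returns false when there is no matching row, so a separate
                // HasRows test inside the read loop can never reach its else branch.
                if (dr.Read())
                {
                    string type = dr["Type"].ToString();
                    if (type == "admin")
                    {
                        redirectUrl = "administrator.aspx";
                    }
                    else if (type == "general")
                    {
                        redirectUrl = "userspage.aspx";
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Keep driver and database details out of the page: raw exception text can
        // reveal server, table or column names to an unauthenticated visitor.
        System.Diagnostics.Trace.TraceError("Login lookup failed: {0}", ex);
        lblMessage.Text = "Login is temporarily unavailable. Please try again later.";
        return;
    }

    if (redirectUrl == null)
    {
        // Fail closed: unknown credentials and unrecognised account types get the
        // same message, so the response does not reveal which check failed.
        lblMessage.Text = "wrong userid or password";
        return;
    }

    // NOTE(review): nothing in this handler establishes an authenticated session or
    // ticket; the target pages must enforce their own authorization - confirm.
    Response.Redirect(redirectUrl);
}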
I have moved the variables you declared inside the Click event and changed the query so that the user input is passed as parameters.