C#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

public partial class Default2 : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void btnlogin_Click(object sender, EventArgs e)
    {

      //SqlConnection con=new SqlConnection(ConfigurationManager.ConnectionStrings["userinformation"].ConnectionString);
        SqlConnection con = new SqlConnection("Data Source=............;Initial Catalog=IMADB;User ID=usr_ima;password=temp123");
        con.Open();
        string cmdstr = "select * from tbluser where username='" + TextBox1.Text + "'";
        SqlCommand checkuser = new SqlCommand(cmdstr, con);
        int temp = Convert.ToInt32(checkuser.ExecuteNonQuery().ToString());
        if (temp == 1)
        {
            string cmdstr2 = "select * from tbluser where userpassword='" +TextBox2.Text+ "'";
            SqlCommand pass = new SqlCommand(cmdstr2, con);
            string password = pass.ExecuteNonQuery().ToString();
            con.Close();
            if (password == TextBox2.Text)
            {
                Session["New"] = TextBox1.Text;
                Response.Redirect("Default3.aspx");
            }
            else
            {
                Label3.Visible = true;
                Label3.Text = "Invalid password....!!!";
            }
        }
        else
        {
            Label3.Visible = true;
            Label3.Text = "Invalid username....!!!";
        }
    }
}


[edit]Code block added - OriginalGriff[/edit]
Updated 19-Mar-12 4:15am
Comments
ZurdoDev 19-Mar-12 10:13am    
What is the error?
rockpune 19-Mar-12 10:18am    
Invalid username
ZurdoDev 19-Mar-12 10:23am    
Have you done a SQL trace or debugged to make sure the SQL is the way you need it? Is there actually a user in tbluser with that username?
[no name] 20-Mar-12 0:25am    
Requirement is not clear, please explain briefly!

1 solution

Well, it could be anything...but there are a few things you ought to do to prevent other problems:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead:
C#
string cmdstr = "select * from tbluser where username=@UN";
SqlCommand checkuser = new SqlCommand(cmdstr, con);
checkuser.Parameters.AddWithValue("@UN", TextBox1.Text);

2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.
3) Don't use VS default names for your controls. You may remember today what TextBox1 and Label3 are supposed to do, but you won't next month! Use meaningful names: tbUserName and labErrorMessage instead - it makes your code a lot easier to work with, and read.

In fact your basic problem is pretty easy to spot:
When you read from the table to match the password, what is returned is not what you want - it is a count of the rows that would be returned, if you had read them. So, it won't match the entered password unless the user decides to have "1" as his password.

Implement the stuff above, and try again. But really, you should look at introducing Membership instead - it's a lot easier than your whole system will be. http://msdn.microsoft.com/en-us/library/yh26yfzy(v=vs.85).aspx
 
Comments
Dylan Morley 19-Mar-12 10:28am    
+1 at looking at Membership - why try and completely reinvent something when you can just customise to your needs.
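
A login check that applies points 1 and 2 of the solution above in one parameterized query, given as an added example that is not part of the original answer or of the linked password-storage article. Assumptions: the passwordhash and passwordsalt columns (non-null varbinary, replacing userpassword), the LoginCheck class, the NVarChar(50) size, the PBKDF2 settings, and a runtime that has the four-argument Rfc2898DeriveBytes constructor (.NET Framework 4.7.2 or later).

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginCheck
{
    // Assumed values: iteration count and hash length are illustrative choices.
    private const int Iterations = 100000;
    private const int HashBytes = 32;
    // Returns true only when the user exists and the password matches.
    public static bool Verify(string userName, string password)
    {
        // "userinformation" is the name used in the commented-out line of the question.
        string cs = ConfigurationManager.ConnectionStrings["userinformation"].ConnectionString;
        // passwordhash and passwordsalt are hypothetical columns, not from the question.
        const string sql = "select passwordhash, passwordsalt from tbluser where username = @UN";
        using (SqlConnection con = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // Typed parameter: the user name travels as data, never as SQL text.
            cmd.Parameters.Add("@UN", SqlDbType.NVarChar, 50).Value = userName;
            con.Open();
            // ExecuteReader returns the rows themselves; ExecuteNonQuery does not.
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // no such user
                byte[] storedHash = (byte[])reader["passwordhash"];
                byte[] salt = (byte[])reader["passwordsalt"];
                return FixedTimeEquals(storedHash, Hash(password, salt));
            }
        }
    }
    // PBKDF2-HMAC-SHA256 over the password and the per-user salt (8 bytes or more).
    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
    // Compares every byte instead of stopping at the first difference.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

When an account is created, the same Hash function produces the value to store, with a fresh random salt per user.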

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


