Existing username is not working for some usernames, why?

Question

0.00/5 (No votes)

See more:

Hell to all,

I have a web app that checks to see if a user exist within three tables. If the user exists in table2 and table3 then the user can create a username and password. If the user exists in table1 then the user can't create a username and password. So far this works on some of the user accounts we have tested but on others, we can create double usernames with different passwords. Please let me know where I am wrong at. Is there a way to do it better?

C#

protected void Page_Load(object sender, EventArgs e)
        {
            if (IsPostBack)
            {
                SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["C3POConnectionString"].ConnectionString);
                con.Open();

                string cmdStr = "Select count(*) from Table1 where EmailAddress='" + TextBoxEA.Text + "'";
                string cmdStr2 = "Select count(*) from Table2 where EmailAddress='" + TextBoxEA.Text + "'";
                string cmdStr3 = "Select count(*) from Table3 where EmailAddress='" + TextBoxEA.Text + "'";

                SqlCommand userExist = new SqlCommand(cmdStr, con);
                SqlCommand userExist2 = new SqlCommand(cmdStr2, con);
                SqlCommand userExist3 = new SqlCommand(cmdStr3, con);

                SqlCommand cmd = new SqlCommand("select USERID, EmailAddress from Table1", con);
                SqlCommand cmd2 = new SqlCommand("select USERID, EmailAddress from Table2", con);
                SqlCommand cmd3 = new SqlCommand("select USERID, EmailAddress from Table3", con);

                userExist.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
                userExist.Parameters.AddWithValue("@Password", TextBoxPW.Text);
                userExist2.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
                userExist2.Parameters.AddWithValue("@Password", TextBoxPW.Text);
                userExist3.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
                userExist3.Parameters.AddWithValue("@Password", TextBoxPW.Text);

                int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
                int temp2 = Convert.ToInt32(userExist2.ExecuteScalar().ToString());
                int temp3 = Convert.ToInt32(userExist3.ExecuteScalar().ToString());

                <pre>if (temp == 1)
                {
                    ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Sorry, This User and Passsword Already Exists');", true);
                    TextBoxEA.Text = string.Empty;
                    TextBoxINST_ID.Text = string.Empty;
                    TextBoxaccessLevel.Text = string.Empty;
                    TextBoxEA.Focus();
                }
                else if (temp2 == 1 && temp3 == 1)
                {

                }
                else if (temp2 == 0 || temp3 == 0) 
                {
                    ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name is Not Recognized by the System. Your Accreditation Liaison Officer (ALO) has permissions to this page. Please contact your ALO.');", true);
                    TextBoxEA.Text = string.Empty;
                    TextBoxEA.Focus();
                }
con.Close();
            }
        }

What I have tried:

I have tried to add code to the temp2 and temp3 and they work from time to time.

Posted 20-Feb-17 3:30am

Computer Wiz99

Updated 20-Feb-17 6:03am

v2

Add a Solution

Comments

Jochen Arndt 20-Feb-17 10:03am

Are there already duplicates in Table1?

Then you should check for temp being not zero instead of comparing with 1:

if (temp)
{
// User exists
}

Computer Wiz99 20-Feb-17 10:05am

When we tested it, there were duplicates in table1 but there are not any in table2 and table3. Table1 holds the username and password. Table2 and Table3 holds the user profiles.

Jochen Arndt 20-Feb-17 10:11am

When there are duplicates, temp will be greater than 1 because you have a COUNT query that returns the number of matching recodsets found.

But you are checking for temp == 1 at the very first place which is not matched then and you are probably generating another duplicate.

Computer Wiz99 20-Feb-17 10:13am

Okay, I see what you are getting. Now I have one username and password in table1. I am running the program again.

Computer Wiz99 20-Feb-17 10:34am

Okay, I have tested out on two different users accounts. On one it worked. The username exits in the table1, table2 and table3. The second didn't work. The second is in table1, table2 and table3 but no error message comes up and it allows me to create another username and password for that user. Now I have two of the same usernames in table1. I didn't change my code at all.

Jochen Arndt 20-Feb-17 11:05am

Maybe a case problem (joe vs. Joe)?

Then use something like
"... WHERE LOWER(EmailAddress)=LOWER('" + TextBoxEA.Text + ")'"

Richard Deeming 20-Feb-17 12:28pm

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Bryian Tan · Accepted Answer · 2017-02-20T04:36:00

Solution 1

These two lines should be combine based on your requirement

C#

else if (temp2 == 1)
{

}
else if (temp3 == 1)
{

}

To

C#

else if (temp2 == 1 && temp3 == 1)
{

}

This table might help you visualize it better

temp2 	temp3 	Action
  0 	  0 	  User Name is Not Recognized
  0 	  1 	  User Name is Not Recognized
  1 	  0 	  User Name is Not Recognized
  1 	  1 	  user can create a username and password

Then you can consolidate the code to something like

C#

else if (temp2 == 0 || temp3 == 0) 
{
  ScriptManager.....
}

Posted 20-Feb-17 4:36am

Bryian Tan

Comments

Computer Wiz99 20-Feb-17 11:43am

Bryian Tan, Thanks for the new code. When I tested it and it work good but when I enter a user that exists in table1, table2 and table3 the ScriptManager message comes up saying; User Name is Not Recognized by the System. Your Accreditation Liaison Officer (ALO) has permissions to this page. Please contact your ALO. Even though they are in the tables. How can I fix that?

Bryian Tan 20-Feb-17 12:00pm

hmmm, you might need to post the updated code again. Or you can visualize it using a table

Temp1 Temp2 Temp3 Action
1 0 0
1 0 1
1 1 0
1 1 1
0 0 0
0 0 1
0 1 0
0 1 1

Computer Wiz99 20-Feb-17 12:03pm

I have updated the code.

Bryian Tan 20-Feb-17 12:22pm

You might need to check the query because if temp1 and temp2 and temp3 = 1, based on the code, it should not show "User Name is Not ....."

If 1,1,1 it should show "Sorry, This User and Passsword Already Exists"?

Computer Wiz99 20-Feb-17 14:57pm

Okay, so if temp = 0 for table1 then the user should be able to create a username and password.

If temp = 1 for table1 the user shouldn't be able to create a username and password.
That is how it should go.

Bryian Tan 20-Feb-17 15:19pm

I think that what your code is doing now, unless the query return the wrong value. Make sure temp,temp2, temp3 has the correct return value.

if (temp == 1)
--Sorry, This User and Passsword Already Exists

else if (temp2 == 1 && temp3 == 1)
-- Here... temp=0 and user exists in BOTH table2 and table3 -- Create username password

else if (temp2 == 0 || temp3 == 0)
-- temp =0 , temp2 == 0 OR temp3 == 0 -- User Name is Not Recognized by...

Bryian Tan 20-Feb-17 15:39pm

By the way, after you got everything straighten up, take a look at this article SQL Injection and Cross-Site Scripting[^]. You can follow @Richard Deeming suggestion on how to fix the vulnerability