Member Avatar for Maha Sh.

Hi All,

I am using Visual Studio 2010 and for my database I'm using SQL

I am trying to make a multi user login and valdate the input with my datatable

the problem is that i made a login page but it's just check the username and the password but not the access type

I don't know how to include the access type in my code...!!

Plz help

Protected Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
Dim connection As New SqlClient.SqlConnection
Dim command As New SqlClient.SqlCommand
Dim adaptor As New SqlClient.SqlDataAdapter
Dim dataset As New DataSet

    connection.ConnectionString = ("Data Source=.\SQLEXPRESS;AttachDbFilename='C:\Users\sony\Documents\Visual Studio 2010\Projects\SADA\SADA\App_Data\SADA.mdf';Integrated Security=True;Connect Timeout=30;User Instance=True")
    command.CommandText = "SELECT * FROM [User] WHERE (UserName='" + TextBox1.Text + "')AND (PW='" + TextBox2.Text + "');"
    connection.Open()

    command.Connection = connection
    adaptor.SelectCommand = command
    adaptor.Fill(dataset, "0")
    Dim count = dataset.Tables(0).Rows.Count

    If count > 0 Then
        Response.Redirect("Admin.aspx")

    Else
        MsgBox("Error in the input")


    End If

End Sub
  • 2 Contributors
  • 2 Replies
  • 116 Views
  • 22 Hours Discussion Span
  • Latest Post Latest Post by Maha Sh.
Member Avatar for JorgeM

Unless you really want to write up all of the code regarding security (login pages, reset passwords, user management, etc..), you may want to use the built-in login controls. I would recommend that you visit Microsoft's site for help on asp.net. They have a section that covers user security: http://www.asp.net/web-forms/overview/security

The only other thing I would recommend is that rather than building the commandText in the manner shown above, which is very common, you should use parameters instead. The code listed above is vulnerable to SQL injection attacks. Think about where a malicious user rather than supplying a user name, the malicious user inputs a single quote, then adds SQL commands to drop your table, or display information about the first user in your table, which may be an administrator.

You may want to research this some more since it appears you are starting this project.

Member Avatar for Maha Sh.

Thanks ITG-JM for your advice.

I'll check Microsoft's site :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.