Direct users to different pages depending on there roles

Question

kylelendo -4 Junior Poster in Training

13 Years Ago

Hii friends

I am creating a web application Now there are only two users who will login to the system
the two users are Admin and staff

When Admin logins he is directed to Admin.aspx
and when staff login he is directed to Staff.aspx

I have created a database Table in which I have four fields

ID,UserName,passWord,User_type

for admin it is 1,Admin,Admin,Administrator

and for staff it is 2,Staff,Staff,StaffUser

How can i do this ,,,Uptil now I have created a simple login page the code is as follows...

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionstring"].ConnectionString);
        con.Open();
        string cmdStr = "select count(*) from Registration where UserName='"+TextBox1.Text+"'";
        SqlCommand Checkuser = new SqlCommand(cmdStr, con);
        int temp = Convert.ToInt32(Checkuser.ExecuteScalar().ToString());
        if (temp == 1)
        {
            string cmdStr2 = "Select password from Registration where UserName='"+TextBox1.Text+"'";
            SqlCommand pass = new SqlCommand(cmdStr2, con);
            string password = pass.ExecuteScalar().ToString();
           
           
            con.Close();

            
            if (password == TextBox2.Text)
            {
                Session["New"] = TextBox1.Text;
                Response.Redirect("Secure.aspx");

            }
            else
            {
                Label1.Visible = true;
                Label1.Text = "Invalid Password";

            }
        }
            else
            {
                 Label1.Visible = true;
                Label1.Text = "Invalid UserName";

            }
        
           
       
        }
    }

3 Contributors
4 Replies
153 Views
3 Days Discussion Span
Latest Post 13 Years Ago Latest Post by jbisono

jbisono 51 Posting Pro in Training

13 Years Ago

There are a few things in your code, that personally don't like, maybe a few friends in daniweb can help you too, I don't know how important is the security for this particular application but it sounds too me that if you are trying to distinct one user from another, it is indeed important.
1) When you login, you don't say that the login or the password is wrong, you just say the credentials either the password or login are incorrect. so if that is ok then you don't need the first statement when you verify if the user exists.
2) You don't usually retrieve your password from the database instead you send the input password to the database to be verify.
If I were you I will rewrite my code like this, and that's not even good secure either.

SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionstring"].ConnectionString);
string cmdStr = "select User_Type from Registration where UserName='"+TextBox1.Text+"' AND passWord = '"+TextBox2.Text+"'";
SqlCommand cmd = New SqlCommand(cmdStr, con);
con.Open();
Object TypeUser = cmd.ExecuteScalar();
con.Close();
if(TypeUser != null)
{
   Label1.Visible = false;
   Label1.Text = "";
   if(TypeUser.ToString() == "Administrator")
      Response.Redirect("Administrator.aspx");
   else
      Response.Redirect("StaffMember.aspx");
}
else
{
   Label1.Visible = true;
   Label1.Text = "Invalid Credentials Entered, Try again";
}

assuming you just have two types of users.

Edited 13 Years Ago by jbisono because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

kylelendo -4 Junior Poster in Training · Answer 1 · 2011-10-03T12:15:46+00:00

All right What if I have more than 2 users...also how to implement security in my code????

Ketsuekiame 860 Master Poster Featured Poster · Answer 2 · 2011-10-03T16:22:27+00:00

Use a switch statement to differentiate between your user types.

The code above is secure enough for most cases, however, you may want to think about data encryption such as SHA and MD5.

jbisono 51 Posting Pro in Training · Answer 3 · 2011-10-03T18:29:01+00:00

Besides what Ketsuekiame said, you can read this microsoft article, to help you maintain your code more secure.
Stop SQL Injection Attacks Before They Stop You

Good luck.