Invaild username and password

Question

Nemo_NIIT 0 Light Poster

12 Years Ago

Hi

I am using web application.

on my login button i have written this code

protected void btnlogin_Click(object sender, EventArgs e)
    {
        //sql connection
        SqlConnection cnn = new SqlConnection();
        cnn.ConnectionString = "Server=HOME-PC;Database=kandivalideal;Trusted_Connection=True;";
        cnn.Open();
        SqlCommand cmd = new SqlCommand("select mobileno, password from register where mobileno='"+txtmoblie.Text +"'and password='"+txtpassword.Text+"'",cnn);
        cmd.Connection = cnn;
        SqlDataReader dr = cmd.ExecuteReader();

        if (txtmoblie.Text != "mobileno" && txtpassword.Text != "password")
        {
            Response.Write(@"<script language='javascript'>alert('Invalid Username and Password')</script>");
        }
        else
        {
            Response.Redirect("signup.aspx");
        }
        cnn.Close();
       


    }

I think my If statement is giving me error it is not getting moblie no and password it is giving error by say invalid username and password

6 Contributors
10 Replies
421 Views
5 Days Discussion Span
Latest Post 12 Years Ago Latest Post by esmaeel2001

hericles 289 Master Poster

12 Years Ago

You're not using the data extracted in your datareader at all. You are setting up the connection and calling the executeReader method then leaping into the If statement. It is generating the error because you haven't entered "mobileno" and "password" into the two textboxes.

You need to check if the datareader has one row. If it does your SQL statement worked and the user can log in.

kamilacbe 14 Junior Poster in Training

12 Years Ago

You have assign the value read from datareader to a temp string and then you can check with your database string as you have done.:-) ( the prob you have to sort is datareader value.)

prit005 0 Light Poster

12 Years Ago

http://www.c-sharpcorner.com/Blogs/7612/passenger-reservation-systemprs.aspx

please check this link,it can resolve your problem. also check default.aspx and
default.aspx.cs page

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Nemo_NIIT 0 Light Poster · Answer 1 · 2011-12-12T13:25:35+00:00

Can you give me some example for this please

You're not using the data extracted in your datareader at all. You are setting up the connection and calling the executeReader method then leaping into the If statement. It is generating the error because you haven't entered "mobileno" and "password" into the two textboxes.
You need to check if the datareader has one row. If it does your SQL statement worked and the user can log in.

Nemo_NIIT 0 Light Poster · Answer 2 · 2011-12-12T13:46:57+00:00

protected void btnlogin_Click(object sender, EventArgs e)
    {
        //sql connection
        SqlConnection cnn = new SqlConnection();
        cnn.ConnectionString = "Server=HOME-PC;Database=kandivalideal;Trusted_Connection=True;";
        cnn.Open();
        SqlCommand cmd = new SqlCommand("select mobileno, password from register where mobileno='"+txtmoblie.Text +"'and password='"+txtpassword.Text+"'",cnn);
        cmd.Connection = cnn;
        SqlDataReader dr = cmd.ExecuteReader();

        if (dr.Read())
        {
            Response.Redirect("http://www.google.com");
        }
        else
        {
            Response.Write(@"<script language='javascript'>alert('Invalid Username and Password')</script>");
            
        }
        cnn.Close();
       


    }

ChrisHunter 152 Posting Whiz in Training Featured Poster · Answer 3 · 2011-12-16T19:51:39+00:00

if you do something like the following example the COUNT() function will count the amount of rows within the database that match the WERE clause and return that number. Then you check the number is 0 or not and grant or deny access accordingly.

"SELECT COUNT(*) my MyTable WHERE Username = ' + textbox1.text + ' AND Password = ' + textbox2.text + '";

esmaeel2001 0 Newbie Poster · Answer 4 · 2011-12-16T21:16:33+00:00

samply, you execute a SQL statement that select all the ID's from your table that meet the condition:
WHERE Username = ' + textbox1.text + ' AND Password = ' + textbox2.text
if the user is exist and the password is correct you should get one row in the datareader Else the datareder.Read() method will return null.

then ... after you execute the command check: if (!Datareader.Read()) that mean No rows, thus, no users or password not valid!

ChrisHunter 152 Posting Whiz in Training Featured Poster · Answer 5 · 2011-12-16T21:38:58+00:00

if you do something like the following example

Sorry i missed the FROM clause out:

"SELECT COUNT(*) FROM MyTable WHERE Username = ' + textbox1.text + ' AND Password = ' + textbox2.text + '";

hericles 289 Master Poster Featured Poster · Answer 6 · 2011-12-17T01:53:48+00:00

Everyone's code here is ok from a login point but they all include the textbox text directly in the SQL statement. That is bad, it allows for SQL injection attacks. In the interests of becoming a better code get used to using the parameters of the command object to encapsulate the inputs

MySqlCommand cmd = new MySqlCommand();
cmd.Parameters.Add("?userName", MySqlDataType.Varchar);
cmd.Parameters["?userName"].Value = Textbox1.Text;

Repeat that for the password textbox. It prevents users from slipping in SQL code that can subvert your security.

esmaeel2001 0 Newbie Poster · Answer 7 · 2011-12-17T21:10:56+00:00

esmaeel2001 0 Newbie Poster

12 Years Ago

hericles! good advise! thx alot