User exist detection

Question

lhsunshine 0 Newbie Poster

12 Years Ago

For my sign up page, i want detect user exist so that no repeated username. BUT fail. There is no error in my coding. BUT cannot detect....

HELP. tHAnk you

if (IsPostBack)
            {
                SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString);
                con.Open();
                string cmdStr = "Select count(*) from Reg where Username = '" + txtUsername.Text + "'";

                SqlCommand userExist = new SqlCommand(cmdStr, con);
                int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());

                con.Close();

                if (temp == 1)
                {
                    Label5.Visible=true;

                }

            }

asp.net

4 Contributors
4 Replies
163 Views
1 Day Discussion Span
Latest Post 12 Years Ago Latest Post by kvprajapati

hericles 289 Master Poster

12 Years Ago

First off, debug your code and see what value is being put into temp. If the user name was in your database twice then temp would be more than 1, if it isn't there at all then temp won't be 1 either.

lhsunshine commented: tq... +0

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

lhsunshine 0 Newbie Poster · Answer 1 · 2012-05-21T05:03:07+00:00

 Hi hericles, i can't get what you mean... Below is my full coding... thanks

 protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString);
            con.Open();
            string cmdStr = "Select count(*) from Reg where EmailAddress = '" + txtEmail.Text + "'";

            SqlCommand userExist = new SqlCommand(cmdStr, con);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());

            con.Close();

            if (temp == 1)
            {
                Label5.Visible=true;

            }

        }
    }
    protected void btnSignUp_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString);
        con.Open();
        string insCmd = "Insert into Reg (Username, FullName, EmailAddress, PhoneNumber, Password, State) values (@Username, @FullName, @EmailAddress, @PhoneNumber, @Password, @State)";
        SqlCommand insertUser = new SqlCommand(insCmd, con);
        insertUser.Parameters.AddWithValue("@Username", txtUsername.Text);
        insertUser.Parameters.AddWithValue("@FullName", txtFullname.Text);
        insertUser.Parameters.AddWithValue("@EmailAddress", txtEmail.Text);
        insertUser.Parameters.AddWithValue("@PhoneNumber", txtPhone.Text);
        insertUser.Parameters.AddWithValue("@Password", txtPassword.Text);
        insertUser.Parameters.AddWithValue("@State", DropDownListState.SelectedItem.ToString());


        try
        {
            insertUser.ExecuteNonQuery();
            con.Close();
            Response.Write("<script>alert('Sign Up Successfully')</script>");
            Response.Redirect("Login.aspx");

        }

        catch (Exception)
        {
            Label6.Visible = true;

        }

        finally
        {

        }
    }

JorgeM 958 Problem Solver Team Colleague Featured Poster · Answer 2 · 2012-05-21T22:26:41+00:00

What hericles means is that just simply check to see what is being stored in temp. do a response.write or assign the value to a control.

The reason is that according to your code the if..then will only be true if temp equals 1. What about if you had two accounts, then it would be false, but that would not be desireable because you would create a third account. This is a logic problem, not a coding syntax issue.

kvprajapati 1,826 Posting Genius Team Colleague · Answer 3 · 2012-05-22T04:21:00+00:00

What will happen when a user type following in the TextBox:

hello' or '1'='1

One must have to avoid the SQL Injection by creating stored procedure or parameterized query.

string cnstr=ConfigurationManager.ConnectionStrings["RegConnectionString"]
                                        .ConnectionString;
bool found=false;
using(SqlConnection con = new SqlConnection(cnstr))
 {
   string cmdStr = "Select username from Reg where Username = @username";
  using(SqlCommand userExist = new SqlCommand(cmdStr, con))
   {
     con.Open();
     object result=userExist.ExecuteScalar();
     if(result!=null)
       found=true;
    }
 }
 if(found)
    //
else
    //