query string problem

Question

HunainHafeez 9 Posting Whiz

11 Years Ago

using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;

public partial class loginApplicant : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {



    }
    protected void btnsubmit_Click(object sender, EventArgs e)
    {   
       // String pageName = Request.QueryString["pageName"].ToString();
       // int advId = int.Parse(Request.QueryString["advId"]);
        String pageName = Request.QueryString["pageName"] ==  null ? null : Request.QueryString["pageName"].ToString();
        int advId = Request.QueryString["advId"] == null ? 0 : int.Parse(Request.QueryString["advId"]);
        String hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(txtboxPassword.Text, "SHA1");
        //Response.Write(hashedPwd);
        String conString = "Data Source=COSANOSTRA;Initial Catalog=Waleed_orsfinal;Integrated Security=True";
        SqlConnection con = new SqlConnection(conString);
        String query = "select email,password from tblUser where email='" + txtboxUserEmail.Text + "' and password= '" + hashedPwd + "' ";
        SqlCommand com = new SqlCommand(query, con);

        try
        {
            con.Open();
            SqlDataReader dr = com.ExecuteReader();

            if (dr.Read() == true && pageName == "page_applyForJob")
            {
                 Session["applicantSession"] = txtboxUserEmail.Text;
                 Response.Redirect("applyForJob.aspx?advId=" + advId);
             }

            else if (dr.Read() == true && pageName== null)
            {

                Session["applicantSession"] = txtboxUserEmail.Text;
                Response.Redirect("~/showAdvertsiement.aspx");
            }
            ***else
            {

                Response.Write("Wrong Combination Of Email and Password");
            }***
        }
        catch (Exception ex)
        {

            Response.Write("error" + ex.Message);


        }
        finally
        {
            con.Close();
        }
    }
}

problem is that only else block is executed when i put pageName equals to null,

but without pagename equal to null, it logins successfully, y ?

chek bold section, it is executed when i place pagename= null, and even no parameter is passing to it

asp.net

2 Contributors
2 Replies
130 Views
2 Days Discussion Span
Latest Post 11 Years Ago Latest Post by HunainHafeez

MikeSmithDev 0 Newbie Poster

11 Years Ago

Do you mean you are doing "....mypage.aspx?pageName=null"? This will return a string not null.

Also, including a user generated input (txtboxUserEmail.Text) into your SQL statement is a big security issue. You should sanitize your input and use a paramerized query.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

HunainHafeez 9 Posting Whiz · Answer 1 · 2012-11-10T19:43:29+00:00

actually it was raising exception so i sent false parameter to stop it