Always use a parameterised query, so that SQL injection is not possible.
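/// <summary>
/// Login button handler. Counts the rows in <c>logdate</c> whose eid/password match the
/// typed values; on exactly one match it copies the matching <c>logtable</c> row's
/// <c>eid</c> and <c>password</c> into session state and redirects to seekerhome.aspx,
/// otherwise it clears both text boxes and shows an error message.
/// </summary>
/// <param name="sender">The login button (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void btnlogin_Click(object sender, EventArgs e)
{
    // The user-typed values only ever travel as parameters, never inside the SQL text.
    string userName = txtuname.Text.Trim();
    string password = txtpasswd.Text.Trim();

    // NOTE(review): the password is compared in plain text by the database. The column
    // should hold a salted hash (e.g. PBKDF2) and the check should be done in code.
    // cnn is a field whose open/close life cycle is outside this handler; the finally block
    // guarantees cnn.Close() runs on every path. The original called it after the if/else,
    // which Response.Redirect skips because it ends the request by throwing
    // ThreadAbortException, so the connection leaked on every successful login.
    try
    {
        string q = "select count(*) from logdate where eid = @Name and password = @Password";
        cmd = new SqlCommand(q, cnn);
        // AddWithValue replaces the obsolete Add(string, object) overload.
        cmd.Parameters.AddWithValue("@Name", userName);
        cmd.Parameters.AddWithValue("@Password", password);

        object obj = cmd.ExecuteScalar();
        // COUNT(*) normally yields an int; guard against null/DBNull instead of calling
        // ToString() on a possibly-null result.
        bool matched = obj != null && obj != DBNull.Value
            && Convert.ToInt32(obj, System.Globalization.CultureInfo.InvariantCulture) == 1;

        if (matched)
        {
            cmd = new SqlCommand("Select * from logtable where eid =@Name", cnn);
            cmd.Parameters.AddWithValue("@Name", userName);

            // using disposes the reader on every path, including when a read throws.
            using (SqlDataReader dr = cmd.ExecuteReader(System.Data.CommandBehavior.SingleRow))
            {
                if (dr.Read())
                {
                    Session["eid"] = dr["eid"].ToString();
                    // NOTE(review): holding the plain-text password in session state widens the
                    // exposure of the secret; drop this once no other page reads Session["password"].
                    Session["password"] = dr["password"].ToString();
                }
                else
                {
                    // logdate matched but logtable has no row for this eid: treat it as a
                    // failed login rather than throwing from dr["eid"] on an empty reader.
                    matched = false;
                }
            }
        }

        if (matched)
        {
            Response.Redirect("seekerhome.aspx");
        }
        else
        {
            txtuname.Text = "";
            txtpasswd.Text = "";
            lblmsg.Text = "Either E-Mail ID or Password is wrong..!";
        }
    }
    finally
    {
        cnn.Close();
    }
}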
Thanks
Ashish