Respected Sir,
I am using this code for the login page:
default.aspx.cs
try
{
    conn.Open();
    SqlCommand cmd = new SqlCommand("select * from tbl_mnadmin where mn_username='" + txt_username.Text + "' and mn_password='" + txt_password.Text + "'", conn);
    SqlDataReader rdr = cmd.ExecuteReader();
    rdr.Read();
    if (rdr["mn_username"].ToString().Length > 0)
    {
        Session["username"] = rdr["mn_username"];
        Session["pass"] = rdr["mn_password"];
        Response.Redirect("welcome.aspx");
    }
    else
    {
        lbl_msg.Text = "Invalid User Name or Password";
    }
}
catch (Exception ex)
{
}
finally
{
    conn.Close();
}
Please tell me the problem. I have got a problem when the username and password do not match and rdr was not filled. Please tell me how to solve this problem.
Thanks
Regards
Umesh Daiya
Posted 4-Oct-12 23:44pm
Edited 4-Oct-12 23:47pm
Solution 2

Try like below:
try
{
    conn.Open();
    SqlCommand cmd = new SqlCommand("select count(*) from tbl_mnadmin where mn_username='" + txt_username.Text + "' and mn_password='" + txt_password.Text + "'", conn);
    int cnt = int.Parse(cmd.ExecuteScalar().ToString());

    if (cnt > 0)
    {
        Session["username"] = txt_username.Text;
        Session["pass"] = txt_password.Text;
        Response.Redirect("welcome.aspx");
    }
    else
        lbl_msg.Text = "Invalid User Name or Password";
}
catch (Exception ex)
{
}
finally
{
    conn.Close();
}
Solution 3

To add to what Tejas says, for your own sake, don't do it like that!
Firstly:
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks which can destroy your entire database. Use parameterized queries instead.
 
For example, the way you do it, I do not need any password to log into your system - all I have to do is enter any username, followed by four other characters, and I am logged in. Or, I could extend that, log in (or not log in), and delete your entire database, from anywhere in the world.
 
Secondly:
Never store passwords in clear text! Have a look here: Password Storage: How to do it.
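The two points above combined in one login check, as an added example that is not code from the question or from any of the answers: the username reaches SQL Server only as a typed parameter, the stored value is a salted PBKDF2 hash rather than the password, and the reader is tested before it is indexed. It assumes tbl_mnadmin has two extra varbinary columns, mn_salt and mn_hash; those column names, the parameter size and the iteration count are assumptions, not from the original page.

```csharp
// Added example: hardened replacement for the concatenated-SQL, clear-text login above.
// Assumed schema: tbl_mnadmin(mn_username nvarchar, mn_salt varbinary, mn_hash varbinary).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginCheck
{
    const int Iterations = 100000; // assumed PBKDF2 cost; raise it as hardware allows
    const int HashLength = 32;     // bytes of PBKDF2 output stored per user

    // Returns true only if the user exists and the password matches the stored hash.
    public static bool VerifyLogin(SqlConnection conn, string username, string password)
    {
        byte[] salt, storedHash;
        // The input is bound as a parameter value; it is never spliced into the SQL text,
        // so quotes or keywords typed by the user cannot change the query.
        using (SqlCommand cmd = new SqlCommand(
            "select mn_salt, mn_hash from tbl_mnadmin where mn_username = @username", conn))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read())          // no such user: the reader is empty, do not index into it
                    return false;
                salt = (byte[])rdr["mn_salt"];
                storedHash = (byte[])rdr["mn_hash"];
            }
        }
        byte[] candidate = HashPassword(password, salt);
        return FixedTimeEquals(candidate, storedHash);
    }

    // PBKDF2 (Rfc2898DeriveBytes) over the password with the user's own salt;
    // this output is what the table holds instead of the clear-text password.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashLength);
    }

    // Compare every byte regardless of where the first mismatch is,
    // so the response time does not reveal how much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The page code then calls VerifyLogin and sets Session["username"] and redirects only when it returns true; the password itself is never placed in the session.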
Solution 1

I think you face this problem because you are directly accessing your data from the SqlDataReader without checking whether there is data in your reader or not. So please modify your code to validate that part; it might solve your problem. I think you can try something like this...
 
try
{
    conn.Open();
    SqlCommand cmd = new SqlCommand("select * from tbl_mnadmin where mn_username='" + txt_username.Text + "' and mn_password='" + txt_password.Text + "'", conn);
    SqlDataReader rdr = cmd.ExecuteReader();
    while (rdr.Read()) // put validation like this, it will go forward only if there is some data in your reader.
    {
        if (rdr["mn_username"].ToString().Length > 0)
        {
            Session["username"] = rdr["mn_username"];
            Session["pass"] = rdr["mn_password"];
            Response.Redirect("welcome.aspx");
        }
        else
        {
            lbl_msg.Text = "Invalid User Name or Password";
        }
    }
}
catch (Exception ex)
{
}
finally
{
    conn.Close();
}
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 5 Oct 2012
Copyright © CodeProject, 1999-2014