retrieve name from database

Question

0.00/5 (No votes)

See more:

hi, code and password to compare login page.correct login id and pwd means retrive name to another page.but d'nt retrieve a name.

VB

con.Open()
        cmd = New SqlCommand("Select * from dbo.ei_employee where code = '" & user_name.Text & "'and password = '" & password.Text & "' ", con)
        sdr = cmd.ExecuteReader()
        'view = "select * from dbo.ei_employee where code = '" & user_name.Text & "'"
        'Dim ds As DataSet = GetData(view)
        'If (ds.Tables.Count > 0) Then
        '    eid = sdr.GetValue(2)

        If (sdr.Read()) Then
            Session("user_name") = enam as string

            Response.Redirect("attview.aspx")
            con.Close()
        Else
            LinkButton1.Visible = True

            con.Close()
        End If

Posted 5-Aug-11 0:12am

Vasim889

Add a Solution

Comments

Dylan Morley 5-Aug-11 6:19am

You're leaving yourself open to SQL Injection here. Consider what happens if I put the following values in your controls

user_name = "Test"
password = "Test;'DELETE FROM dbo.ei_employee"

Always use SQL parameters,

http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

_Zorro_ · Answer 1 · 2011-08-05T00:18:00

Solution 1

VB

If (sdr.Read()) Then
  Session("user_name") = enam as string

Where does enam come from??

Maybe you should try something like this:

VB

If (sdr.Read()) Then
  Session("user_name") = sdr["column_name"] as string

Response.Redirect("attview.aspx?userName=" + Session("user_name"))

By the way, Dylan Morley is right about the sql injection, you should take that into consideration.

Hope it helps

Posted 5-Aug-11 0:18am

_Zorro_

Updated 5-Aug-11 0:21am

v3

Comments

Herman<T>.Instance 5-Aug-11 6:22am

exactly. it should be sdr[fieldnr of fieldname] as string, so maybe
Session("user_name") = sdr["enam"] as string

OriginalGriff · Answer 2 · 2011-08-05T00:21:00

Don't do it that way!
For example, if I tried to log in to your system with the user name

Hello';DROP TABLES dbo.ei_employee;--

What do you think would happen?
Or, I could just log in without giving you a password, if I wanted to.
1) Don't concatenate strings: use Parametrized queries instead. Or you will lose your database. Probably to your best mate "for a laugh".

C#

cmd = New SqlCommand("Select * from dbo.ei_employee where code = @NM AND password = @PW", con)
cmd.Parameters.AddWithValue("@NM", user_name.Text)
cmd.Parameters.AddWithValue("@PW", password.Text)
sdr = cmd.ExecuteReader()

2) Don't store passwords in clear text! There is a description here which may help: Password Storage: How to do it.[