Unsuccesful Login Attempts code

Question

1.33/5 (3 votes)

See more:

I have a code for unsuccessful login attempts. I have an error on ExecuteQuery(sql);. The error states that "The name 'ExecuteQuery' does not exist in the current context". I also wanted to know if my code for the login attempts looks right? Please help!

C#

protected void Page_Load(object sender, EventArgs e)
    {
        TextBoxEA.Focus();

        if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
            con.Open();
            Session["counter"] = 0;
            string cmdStr = "Select count(*) from Table22 where EmailAddress='" + TextBoxEA.Text + "'";
            string sql = "Select count(*) from Table22 where EmailAddress = '" + TextBoxEA.Text + "' AND Password='" + TextBoxPW.Text + "'";
            int retValue = ExecuteQuery(sql);
            Session["counter"] = Convert.ToInt32(Session["counter"]) + 1;
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            SqlCommand cmd = new SqlCommand("select UserID, EmailAddress from Table22", con);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
            if (temp == 0)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Does Not Exist You Must Fill Out Registration First');", true);
                TextBoxEA.Text = string.Empty;
            }
            else if (temp == 1)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Invalid UserName / Password');", true);
                TextBoxEA.Text = string.Empty;
            }
            else if (Convert.ToInt32(Session["counter"]) >= 3)
            {
                string SQL = "Update Table22 SET isLocked = true where EmailAddress = '" + TextBoxEA.Text + "'";
                ExecuteQuery(SQL);

                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('The Account is Locked');", true);
                TextBoxEA.Text = string.Empty;
            }
        }
    }

Posted 27-May-14 4:57am

Computer Wiz99

Add a Solution

Comments

_Zorro_ 27-May-14 11:06am

Where is your ExecuteQuery method declared?
Btw, nice SQL Injection risk you have there...

CHill60 27-May-14 11:07am

You don't have a function called ExecuteQuery!

Anas Tasadduq 27-May-14 11:21am

What and where is ExecuteQuery?

BobJanova 27-May-14 12:11pm

Please for the love of sanity and your future/present employers learn about data security before trying to write database code!

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

CHill60 · Accepted Answer · 2014-05-27T05:20:00

You don't appear to have a method called ExecuteQuery

Plus as _Zorro_ has said - you have left yourself wide open to SQL Injection attacks - see http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/[^]

Use parameterized queries and the appropriate method e.g.

string sql = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password=@TextBoxPW";
SqlCommand newCommand = new SqlCommand(sql);
newCommand.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
newCommand.Parameters.Add("@TextBoxPW", TextBoxPW.Text);
int retValue = (int)newCommand.ExecuteScalar();

and/or

string SQL = "Update Table22 SET isLocked = true where EmailAddress = @TextBoxEA"; //.Text typo removed in V2 of solution
SqlCommand newCommand1 = new SqlCommand(SQL);
newCommand1.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
int rowsAffected = newCommand1.ExecuteNonQuery();

[EDIT in response to OP comment]
Here is an example of how I might integrate the solution above into your code, with some refactoring. I have omitted the error handling (try-catch) and warning this code is untested.

C#

protected void Page_Load(object sender, EventArgs e)
{
    TextBoxEA.Focus();

    if (!IsPostBack)
    {
        Session["counter"] = 0;    // Initialise the number of attempts
        // In the original code this was happening every time so
        // Number of attempts was always equal to 1
    }
    else
    {
        //Increment the number of attempts
        Session["counter"] = Convert.ToInt32(Session["counter"]) + 1;

        //Set up the connection
        //The "using" will close and dispose of the connection when we're finished
        using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
        {
            con.Open();

            string cmdStr = "Select count(*) from Table22 where EmailAddress=@TextBoxEA";
            SqlCommand sqlCmd = new SqlCommand(cmdStr);
            sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
            int userExists = (int)sqlCmd.ExecuteScalar();

            cmdStr = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password=@TextBoxPW";
            sqlCmd = new SqlCommand(cmdStr);
            sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
            sqlCmd.Parameters.Add("@TextBoxPW", TextBoxPW.Text);
            int correctPassword = (int)sqlCmd.ExecuteScalar();

            // You now have userExists =0 if user does not exist, 1 if exists and is only one,
            // and >1 if more than one user with that logon (you should prevent this from happening)
            //
            // You also have correctPassword = 0 if password incorrect, 1 if correct
            // (and >1 as above if more than one entry on database - which you will prevent)

            string msg = "";
            if (userExists == 0)
                msg = "alert('User Name Does Not Exist You Must Fill Out Registration First');";
            else if (correctPassword == 0)
                msg = "alert('Invalid UserName / Password');";
            else if (Convert.ToInt32(Session["counter"]) >= 3)
            {
                msg = "alert('The Account is Locked');";

                // Lock the account on the database
                // Note that you are locking the account but not checking for the lock
                // when looking the user up in the database on subsequent attempts

                cmdStr = "Update Table22 SET isLocked = true where EmailAddress = @TextBoxEA";
                sqlCmd = new SqlCommand(cmdStr);
                sqlCmd.Parameters.Add("@TextBoxEA", TextBoxEA.Text);
                sqlCmd.ExecuteNonQuery();
            }
            if (msg.Length > 0)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", msg, true);
                TextBoxEA.Text = string.Empty;
            }
        }   // end using(con)

    }
}