I'm new to SQL. I'm supposed to write code that lets me check the user's input for email and password against the database.


Below is the code I've written

protected void btnLogin_Click(object sender, EventArgs e)
{
    string strEmail, strPwd, strSel;
    int intShopperID;
    DatabaseMgmt loginObj = new DatabaseMgmt();
    //read e-mail and password that are entered in the textboxes
    strEmail = emailTextBox.Text.ToLower();
    strPwd = pwdTextBox.Text.Trim();
    strSel = "SELECT ShopperID" +
        "FROM Shopper" +
        "WHERE Email = '" + strEmail + "'" +
        "AND Passwd = '" + strPwd + "'";

    SqlDataReader dR = loginObj.ExecuteSelect(strSel);

    if (dR.Read())
    {
        intShopperID = 1;
        Session["shopperID"] = intShopperID;
        Response.Redirect("Default.aspx");
    }
    else
    {
        intShopperID = 0;
        lblMsg.Text = "Incorrect email or password!";
        lblMsg.ForeColor = System.Drawing.Color.Red;
    }
}


What I have tried:

I don't know how to continue from here :(
Posted
Updated 16-Aug-16 3:02am
v2
Comments

You need to learn to use the debugger

Mastering Debugging in Visual Studio 2010 - A Beginner's Guide

Inspect the content of your variables, such as strSel, what does it contain?

SELECT ShopperIDFROM ShopperWHERE Email = 'me@here.com'AND Passwd = '123456'


Is that valid SQL?

Also read on using parameterised queries to build your SQL as your code might be open to SQL Injection attacks.
   
Comments
sja63 16-Aug-16 8:02am
   
I think it's better to use:

strEmail = emailTextBox.Text.ToLower().Trim();

Your SQL does not have spaces in the correct places.

Also see my sample below to see a better way to select query data using user input in SQL to avoid SQL injection:

using System;
using System.Data.SqlClient;

string userEmail = "test@email.com", userPassword = "abc123";

// Your SQL:
Console.WriteLine("SELECT ShopperID" + "FROM Shopper" + "WHERE Email = '" + "a@b.com" + "'" + "AND Passwd = '" + "password" + "'");
// Outputs: SELECT ShopperIDFROM ShopperWHERE Email = 'a@b.com'AND Passwd = 'password'

// Better way to do it:
string sql = "SELECT ShopperID FROM Shopper WHERE Email = {0} AND Passwd = {1}";
string emailParameter = "@Email", passwordParameter = "@Password";
string formattedSql = string.Format(sql, emailParameter, passwordParameter);
Console.WriteLine(formattedSql);
// Outputs: SELECT ShopperID FROM Shopper WHERE Email = @Email AND Passwd = @Password

// Use parameterised sql command. The command needs an open connection before
// ExecuteReader can run; the connection string below is a placeholder.
using (SqlConnection conn = new SqlConnection("<your connection string>"))
{
    conn.Open();
    SqlCommand cmd = new SqlCommand(formattedSql, conn);
    cmd.Parameters.Add(new SqlParameter(emailParameter, userEmail));
    cmd.Parameters.Add(new SqlParameter(passwordParameter, userPassword));

    SqlDataReader dr = cmd.ExecuteReader();
    // Continue your code...
}
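A complete version of the login lookup with a parameterised command, added here as an example and not part of either poster's code; it assumes only the Shopper table with ShopperID (an integer), Email and Passwd columns from the question, and the caller supplies the connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ShopperLogin
{
    // Returns the ShopperID of the matching row, or null when email/password do not match.
    // Assumption: connectionString points at the database that holds the Shopper table.
    public static int? FindShopperId(string connectionString, string email, string password)
    {
        // Same normalisation as the question, applied to both fields
        string strEmail = (email ?? string.Empty).ToLower().Trim();
        string strPwd = (password ?? string.Empty).Trim();

        // Spaces between the clauses, and placeholders instead of concatenated values
        const string sql =
            "SELECT ShopperID " +
            "FROM Shopper " +
            "WHERE Email = @Email AND Passwd = @Passwd";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: the values travel separately from the SQL text, so an
            // apostrophe in the input (e.g. o'brien@example.com) is data, not syntax.
            // Column sizes (256) are an assumption.
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = strEmail;
            cmd.Parameters.Add("@Passwd", SqlDbType.NVarChar, 256).Value = strPwd;

            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!dr.Read())
                    return null;        // no match: caller shows "Incorrect email or password!"
                return dr.GetInt32(0);  // the real ShopperID, not a hard-coded 1
            }
        }
    }
}
```

In the click handler, a non-null result is what goes into Session["shopperID"] before the redirect. The query compares Passwd as stored, so in a real application that column should hold a salted hash and the comparison should be made against the hash rather than the raw text.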
   
Comments
Member 12688019 16-Aug-16 8:14am
   
It's the spacing of the code. Thanks!

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)