Hi all. I have a 3-tier architecture in ASP.NET.
I want to select my data and check it for login.
But


My DAL code:

C#
public DataTable findrecords(string UserName)
{
    connect.Open();
    // The query is built by string concatenation: UserName becomes part of the SQL text
    SqlCommand cmd = new SqlCommand("Select * from UserInfo where UserName= '" + UserName + "'", connect);
    DataTable dt = new DataTable();
    SqlDataAdapter sda = new SqlDataAdapter(cmd);
    sda.Fill(dt);
    return dt;
}


and BLL code:

C#
public void selectRecords()
{
    // The DataTable returned by findrecords is discarded; UserTyp is never assigned here
    da.findrecords(UserName);
}


or:

C#
cmd.Parameters.AddWithValue("@UserName", UserName);
da.findrecords(UserName);


and my code-behind:

C#
bll.UserName = UserNameTextBox.Text;
bll.selectRecords();
if (bll.UserTyp == 0)
{
    Session.Add("Msg_", "user you are un active");
    Response.Redirect("~/ShowMessage.aspx");
}
else if (bll.UserTyp == 1)
{
    Response.Redirect("~/index.aspx");
}


What I have tried:

Hi all. I have a 3-tier architecture in ASP.NET.
I want to select the user that logs in and check their type of access.
Everything is OK and no error is shown, but every user, with any type of access, is zero and "unactive". Is my code correct and the data just not returned, or not?
Updated 21-Sep-17 16:56pm
Comments
Richard Deeming 21-Sep-17 13:40pm    
Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

public DataTable findrecords(string UserName)
{
    using (SqlCommand cmd = new SqlCommand("Select * from UserInfo where UserName= @UserName", connect))
    {
        cmd.Parameters.AddWithValue("@UserName", UserName);
        
        DataTable dt = new DataTable();
        SqlDataAdapter sda = new SqlDataAdapter(cmd);
        sda.Fill(dt);
        return dt;
    }
}

C#
SqlCommand cmd = new SqlCommand("Select * from UserInfo where UserName= '" + UserName + "'", connect);

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user inputting a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
 
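The concatenation-versus-parameters point made in the answers above, as an added example that is not part of the original thread. The thread's code is C#/ADO.NET against SQL Server; this example uses Python's built-in sqlite3 module so it runs offline, and the UserInfo table with its three rows is constructed here for the demonstration. find_records_concat mirrors the poster's DAL query; find_records_param is the parameterized equivalent.

```python
import sqlite3


def make_db():
    """Constructed sample data for this example, not the poster's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (UserName TEXT, UserTyp INTEGER)")
    conn.executemany(
        "INSERT INTO UserInfo VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("Brian O'Conner", 1)],
    )
    return conn


def find_records_concat(conn, username):
    """Mirrors the thread's DAL: the value is pasted into the SQL text (vulnerable)."""
    sql = "SELECT * FROM UserInfo WHERE UserName = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_records_param(conn, username):
    """Parameterized version: the value is sent separately and never parsed as SQL."""
    sql = "SELECT * FROM UserInfo WHERE UserName = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both variants against a normal name, a name with an apostrophe,
    and a classic injection string; return every result keyed by case."""
    conn = make_db()
    results = {}

    # Both variants agree on a harmless input.
    results["normal_concat"] = find_records_concat(conn, "alice")
    results["normal_param"] = find_records_param(conn, "alice")

    # The apostrophe ends the string literal early: the concatenated query is
    # syntactically broken and sqlite raises OperationalError.
    try:
        find_records_concat(conn, "Brian O'Conner")
        results["apostrophe_concat"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_concat"] = "error"
    results["apostrophe_param"] = find_records_param(conn, "Brian O'Conner")

    # Injection: the WHERE clause becomes  UserName = 'x' OR '1'='1'  and
    # matches every row. With a parameter the same text matches nothing.
    payload = "x' OR '1'='1"
    results["inject_concat"] = find_records_concat(conn, payload)
    results["inject_param"] = find_records_param(conn, payload)
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(case, value)
```

Calling demo() shows both failure modes of the concatenated query: the apostrophe in Brian O'Conner turns into a syntax error, and the input x' OR '1'='1 rewrites the WHERE clause so every user is returned. The parameterized query treats both inputs as plain values: the apostrophe finds the one matching row and the injection string finds none. SQL Server with SqlParameter behaves the same way, which is why the cmd.Parameters.AddWithValue form shown in the answers is the fix.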
OK, you're calling a stored procedure in the database called "tbl_User_SelectRow" which expects a parameter to be passed in, called "@UserName". Your code doesn't supply that parameter.

A quick Google for "C# sql parameterized query[^]" has tons of information on how to do it.
 
Business logic usually validates before posting to the DB. Example:
C#
if (!string.IsNullOrEmpty(UserNameTextBox.Text))
{
    bll.UserName = UserNameTextBox.Text;
    bll.bl_bind();
    if (bll.UserTyp == 0)
    {
        Response.Redirect("~/ShowMessage.aspx");
    }
}
else
{
    // handle invalid (empty) username...
}
 
Comments
rezaeti 19-Sep-17 7:36am    
Hi. Thanks for the reply.

[code removed]

But why does it not work? The error is:
Error 1 No overload for method 'SelectDataUser' takes 1 arguments
Graeme_Grant 19-Sep-17 7:38am    
Don't post code in replies; it's too hard to read. Instead, please update the question with clear and concise details, sample code, any error messages (including inner exception details), etc., by clicking on the Improve question widget.

To answer the question, it is a syntax error - you are not correctly calling the function with the correct parameters.
You will have to validate the UserName for null values before using it:
cmd.Parameters.AddWithValue("@UserName", UserName);

or else modify your procedure to accept null values
SQL
@UserName nvarchar(x) = null,
 
Comments
Karthik_Mahalingam 19-Sep-17 8:41am    
You are not passing any parameter in the code.
rezaeti 19-Sep-17 8:54am    
cmd.Parameters.AddWithValue("@UserName", UserName);
da.selectDataUser(cmd);

But an error in bl_bind() is shown.
Error : 'BLL.bllUsers.bl_bind()': not all code paths return a value
Dave Kreskowiak 19-Sep-17 10:57am    
Based on your code above, why are you passing a SqlCommand object into the selectDataUser method? It should be creating its own SqlCommand.

Why are you not passing in the User, whatever that is, so the selectDataUser method can create the parameter itself?

Why are you adding the parameter in the Business Layer instead of the Data Layer?

It seems you're overly concerned with tiers instead of just getting the code to work. It appears as though you're not experienced enough to worry about tiers yet.
rezaeti 19-Sep-17 13:23pm    
Hi Dave Kreskowiak .

In fact I had this code:
C#
DataTable dt = new DataTable();
SqlDataAdapter da = new SqlDataAdapter("select * from UserInfo where UserName=@UserName", connect);
da.SelectCommand.Parameters.AddWithValue("@UserName", UserNameTextBox.Text);
da.SelectCommand.CommandTimeout = 0;
da.Fill(dt);
if (dt.Rows.Count == 0)
{
    // no matching user
}
I want to know how to make a 3-layer architecture for this code.
I don't know how I can do da.Fill(dt) using the data layer and business layer?
Thanks. Can you teach me?
Karthik_Mahalingam 19-Sep-17 23:17pm    
It means you are not returning the value.
Post your method code.
You can use MVC's IAuthorizationFilter to solve the problem.
 
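How the three layers fit together once the data layer builds the parameter itself and the business layer keeps the result it gets back (the two points made in the comments above), as an added example that is not part of the original thread and is not the poster's code. It is written in Python with sqlite3 rather than C#/ADO.NET so it runs stand-alone; the class names UserDal and UserBll, the NOT_FOUND sentinel, and the ~/Login.aspx target for an unknown user are assumptions of this example, and the UserInfo rows are constructed.

```python
import sqlite3


def make_connection():
    """Constructed sample data for this example, not the poster's database."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE UserInfo (UserName TEXT PRIMARY KEY, UserTyp INTEGER NOT NULL)")
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return conn


class UserDal:
    """Data layer (hypothetical name). Owns the connection and builds the
    parameterized command itself, so callers never touch SQL or parameters."""

    def __init__(self, conn):
        self.conn = conn

    def find_records(self, username):
        # The parameter is created here, in the data layer, from the plain value it receives.
        cur = self.conn.execute(
            "SELECT UserName, UserTyp FROM UserInfo WHERE UserName = ?", (username,))
        return cur.fetchall()  # the result is returned to the caller, not discarded


class UserBll:
    """Business layer (hypothetical name). Validates input, calls the DAL and
    stores UserTyp where the presentation layer can read it."""

    NOT_FOUND = -1  # sentinel for 'no such user'; assumed here, absent from the thread's code

    def __init__(self, dal):
        self.dal = dal
        self.user_name = None
        self.user_typ = None

    def select_records(self):
        if not self.user_name or not self.user_name.strip():
            raise ValueError("UserName is required")
        rows = self.dal.find_records(self.user_name)
        # This assignment is what the thread's selectRecords() never did; without it
        # the C# int default of 0 is all the code-behind ever sees.
        self.user_typ = rows[0]["UserTyp"] if rows else self.NOT_FOUND
        return self.user_typ


def login_target(bll, username):
    """Presentation layer: the code-behind's redirect decision, returned as a path."""
    bll.user_name = username
    bll.select_records()
    if bll.user_typ == 1:
        return "~/index.aspx"
    if bll.user_typ == 0:
        return "~/ShowMessage.aspx"  # inactive user
    return "~/Login.aspx"  # assumed target for an unknown user (not in the original)


def rejects_blank(bll, username):
    """True if the business layer refuses the username before any query runs."""
    try:
        login_target(bll, username)
        return False
    except ValueError:
        return True


def build():
    """Wire the three layers together over the constructed database."""
    return UserBll(UserDal(make_connection()))


if __name__ == "__main__":
    bll = build()
    for name in ("alice", "bob", "nobody"):
        print(name, "->", login_target(bll, name), "(UserTyp", bll.user_typ, ")")
```

The point to take from the layering is the direction of the data: the presentation layer hands a plain string down, the data layer turns it into a parameter and hands rows back up, and the business layer turns the rows into a UserTyp the page can branch on. An unknown user and an inactive user are different outcomes, so the business layer distinguishes them instead of letting both fall through as 0.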

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


