I am making a login system using session. I have a login page in which I have two text boxes, one for login and one for password, and a submit button.

The coding for the submit button is:

C#
// Login page code-behind: the submit-button handler. The method header and the
// closing brace were missing from the post; the handler name is assumed.
protected void btnSubmit_Click(object sender, EventArgs e)
{
    using (SqlConnection con = new SqlConnection("Data Source=PC\\SQLEXPRESS; Initial Catalog=login; Integrated Security=True"))
    {
        con.Open();
        // TextBox1.Text is concatenated straight into the SQL text; this is the
        // SQL injection hole the answers below point out.
        string cmdstr = "select count(*) from users where username='" + TextBox1.Text + "'";
        SqlCommand checkuser = new SqlCommand(cmdstr, con);
        int temp = Convert.ToInt32(checkuser.ExecuteScalar());
        if (temp == 1)
        {
            string cmdstr2 = "select password from users where username='" + TextBox1.Text + "'";
            SqlCommand pass = new SqlCommand(cmdstr2, con);
            string password = pass.ExecuteScalar().ToString();
            if (password == TextBox2.Text)
            {
                Session["New"] = TextBox1.Text;
                Response.Redirect("secure.aspx");
            }
            else
            {
                lblyes.Visible = true;
                lblyes.Text = "invalid user";
            }
        }
    } // the connection was never closed in the post; using disposes it
}


On the secure page I have one label and one GridView to show the data of the logged-in user in a GridView control.

The coding for the secure page is as under. There is some problem in the query that binds the data of a particular user to the GridView. Kindly help me in correcting that problem.

C#
using System;
using System.Data;
using System.Data.SqlClient;

// Members of the secure.aspx code-behind page class.
SqlConnection conn = new SqlConnection("Data Source=PC\\SQLEXPRESS; Initial Catalog=mydb; Integrated Security=True");

protected void Page_Load(object sender, EventArgs e)
{
    if (Session["New"] != null)
    {
        Label1.Text += Session["New"].ToString();

        if (!IsPostBack)
        {
            LoadGridView();
        }
    }
    else
    {
        Response.Redirect("Default.aspx");
    }
}

private void LoadGridView()
{
    // Note: the login page used Initial Catalog=login and table "users"; this page
    // uses Initial Catalog=mydb and table "user". USER is also a reserved word in
    // T-SQL, so an unbracketed "from user" is a syntax error; it is bracketed here.
    // The session value is still concatenated into the SQL text (see the answers).
    SqlDataAdapter da = new SqlDataAdapter("Select * from [user] where username='" + Session["New"] + "'", conn); // the problem is in that query i think..
    DataSet ds = new DataSet();
    da.Fill(ds, "user"); // Fill opens and closes conn itself
    GridView1.DataSource = ds.Tables[0];
    GridView1.DataBind();
}

// the following is for logout
protected void Button1_Click(object sender, EventArgs e)
{
    Session["New"] = null;
    Response.Redirect("Default.aspx");
}
Updated 4-Jul-11 10:49am

Try this:

"Select * from user where username='" + Session["New"].ToString() + "'"

Or:

"Select * from user where username='" + Label1.Text + "'"

Both of the above will surely work :)
Comments
codegeekalpha 4-Jul-11 16:57pm    
I think I put the first one, but I am getting errors.
Christian Graus 4-Jul-11 17:00pm    
Well, that's pretty stupid. If you were to use the second example, I could erase your whole DB, from the login screen.
Christian Graus 4-Jul-11 17:06pm    
Oh, I see, you're only repeating what the OP is doing, because neither of you know any better. In that case, I don't see how what you posted is remotely helpful, you just repeated what he's doing.
private void LoadGridView()
{
    //conn.Open();
    SqlDataAdapter da = new SqlDataAdapter("Select * from user where username='" + Session["New"].ToString() + "'", conn); // the problem is in that query i think..
    DataSet ds = new DataSet();
    da.Fill(ds, "user");
    GridView1.DataSource = ds.Tables[0];
    GridView1.DataBind();
    //conn.Close();
}

In place of Session["New"], use Session["New"].ToString() in the above code.
Comments
Christian Graus 5-Jul-11 2:17am    
Actually, in C#, if you already have a string, then things you add to it, like numbers, are converted to the string version.
Syed Salman Raza Zaidi 5-Jul-11 5:29am    
I also suggested the same solution :(
This is a disaster. You should NEVER pass the contents of a text box directly into a SQL statement. If you do, I can insert any SQL I want, and it will run (for example, to erase your DB, or to insert a username/password combination based on a logical guess of your table names). Instead, use parameterised queries and read up on SQL injection.

You should also never have SQL executed in your presentation layer; that shows a complete lack of any thought or design, as do variables named 'textbox1'. The moment you have the same connection string in two places in your code, it's clear your code is broken.

You say there is 'some problem', but not what it is. Have you tried using the debugger to see what is in the session? Have you done anything to try to understand what is going on? Did you think that telling us what is wrong might help us to see the problem?

I hope you're doing this just for fun and to learn, because it's clear that you're not experienced enough to write secure code. Please do the research I am suggesting, and never write secure code that people will use until you understand these issues.
Comments
codegeekalpha 4-Jul-11 17:25pm    
OK, I know about SQL injection, but I am new and don't have much experience. I want things to at least work for me.
I am still a student. The problem is that the grid is not loading the data.
codegeekalpha 4-Jul-11 17:26pm    
I am doing it for learning.
Christian Graus 4-Jul-11 17:29pm    
OK, so when the grid does not load the data, what is the value in the session? Do you know how to use the debugger? You can also just set a label on your form to equal the SQL you're trying to execute. You need to work out what the SQL is that you're running, to know if it's correct. If it's not, fix that. If it is, work out why your data is there and not displaying as you hope. The first step is to work through the steps, and work out which one is failing.
codegeekalpha 4-Jul-11 17:37pm    
OK, thanks.
codegeekalpha 4-Jul-11 17:43pm    
The value in the session is the username.
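A parameterised version of the two queries from the question, as an added example that is not code from the question or from any of the answers. It keeps the question's names as given (table users with columns username and password on the login page; the reserved-word table name user on the secure page) and takes the connection string as an argument instead of repeating it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the same two lookups as the question, with the user-supplied
// values passed as SqlParameter so they never become part of the SQL text.
public static class LoginData
{
    // True only when a row for the username exists and its stored password equals
    // the supplied one. The password is compared as stored, mirroring the
    // question's schema; storing a hash instead is the next improvement.
    public static bool ValidateLogin(string connectionString, string username, string password)
    {
        const string sql = "SELECT password FROM users WHERE username = @username";
        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            con.Open();
            object stored = cmd.ExecuteScalar();
            // ExecuteScalar returns null for no row and DBNull for a NULL password.
            if (stored == null || stored == DBNull.Value)
                return false;
            return string.Equals((string)stored, password, StringComparison.Ordinal);
        }
    }

    // Rows for the logged-in user, for binding to the GridView. USER is a reserved
    // word in T-SQL, so the secure page's table name is bracketed; the username
    // comes from Session["New"] through a parameter, not string concatenation.
    public static DataTable LoadUserRows(string connectionString, string username)
    {
        const string sql = "SELECT * FROM [user] WHERE username = @username";
        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlDataAdapter da = new SqlDataAdapter(sql, con))
        {
            da.SelectCommand.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            DataTable table = new DataTable("user");
            da.Fill(table); // Fill opens and closes the connection itself
            return table;
        }
    }
}
```

In the submit handler, call ValidateLogin with TextBox1.Text and TextBox2.Text and set Session["New"] only when it returns true; LoadGridView becomes GridView1.DataSource = LoadUserRows(...) followed by DataBind().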

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)