Registration Page Problem Need Help!!!

Question

1.00/5 (2 votes)

See more:

I have a problem with my registration page. Every time a user enters their email address and password they get the error massage that I setup. The user email address and password is not saved into the table I set it for and they can not login. What did I do wrong?

C#

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Web.Security;
using System.Security.Cryptography;

public partial class SubmitPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PasswordConnectionString"].ConnectionString);
            con.Open();

            string cmdStr = "Select count(*) from TableSecurity where EmailAddress='" + TextBoxEA.Text + "'";
            string cmdStr2 = "Select count(*) from TableCEO where EmailAddress ='" + TextBoxEA.Text + "'";
            string cmdStr3 = "Select count(*) from TableIALO where EmailAddress ='" + TextBoxEA.Text + "'";
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            SqlCommand cmd = new SqlCommand("select * from TableSecurity", con);
            SqlCommand cmd2 = new SqlCommand("select * from TableCEO", con);
            SqlCommand cmd3 = new SqlCommand("select * from TableIALO", con);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
            if (temp == 1)

                Response.Write("User Name Already Exist!!!<br /> Please Choose Another User Name.");
        }



    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PasswordConnectionString"].ConnectionString);
        con.Open();

        string chkUser = "select count(*) from TableCEO where EmailAddress'" + TextBoxEA.Text + "";
        chkUser = "select count(*) from TableIALO where EmailAddress'" + TextBoxPW.Text + "";
        SqlCommand chkUsercmd = new SqlCommand(chkUser, con);


        string insCmd = "Insert into TableSecurity (EmailAddress, Password) values (@EmailAddress, @Password)";
        SqlCommand insertUser = new SqlCommand(insCmd, con);
        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);
        


        try
        {
            insertUser.ExecuteNonQuery();
            con.Close();
            Response.Redirect("Login.aspx");
        }
        catch (Exception er)
        {
            Response.Write("Something Really Bad Has Happened....Please Try Again.");
        }
        finally
        {
        }
    }
    
}

Posted 10-Sep-13 5:09am

Computer Wiz99

Updated 10-Sep-13 5:31am

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Ron Beyer · Accepted Answer · 2013-09-10T05:16:00

Solution 1

Your problem is here:

C#

string insCmd = "Insert into TableSecurity (EmailAddress, Password, AccessLevel) values (@EmailAddress, @Password)";
        SqlCommand insertUser = new SqlCommand(insCmd, con);
        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);

Notice how you have 3 columns, but you are only inserting 2 values? You are ignoring the AccessLevel column, you need to add that in the values section and a parameter for it.

Another thing I'm confused about, you use parameterized queries properly in the insert, but completely ignore them for the count selects at the top? If I type the right "email address", I can get all your user names and passwords out of you database, erase your database, or do anything else I want. Change those to use parameters too!

Posted 10-Sep-13 5:16am

Ron Beyer

Comments

Ron Beyer 10-Sep-13 11:19am

Oh, and let me know what site you are developing, looks like you are storing passwords in plain text, which is a huge security no-no...

Computer Wiz99 10-Sep-13 11:24am

Ron Beyer, Thanks for the look over. So, you are saying that I should use 'useparameters'? How would you be able to get all of my email address and passwords from my database?

Computer Wiz99 10-Sep-13 11:26am

We are building a project for kids at the Boys & Girls Club to show them how programming works. We welcome any information you have to show.

Computer Wiz99 10-Sep-13 11:30am

I updated the code and the samething is still happening? What did I do wrong?

Ron Beyer 10-Sep-13 11:31am

Depends on what you updated it to, have you tried printing out the exception message instead of the generic text that you created?

Computer Wiz99 10-Sep-13 11:23am

Ron Beyer, Thanks for the look over. So, you are saying that I should use 'useparameters'? How would you be able to get all of my email address and passwords from my database?

Ron Beyer 10-Sep-13 11:30am

I just noticed that you declare those commands but don't actually use them (or you removed the code that does). If you did and I typed into your text field "TextBoxEA" something like a'; SELECT * FROM TableSecurity; -- then it would return all the data in the TableSecurity table.

Computer Wiz99 10-Sep-13 11:36am

Ok. I do have an encryption program in play. Does the code look ok and why is it not letting a user submit their email address and password to be saved into the TableSecurity?

Ron Beyer 10-Sep-13 11:39am

Instead of this:
Response.Write("Something Really Bad Has Happened....Please Try Again.");

Do something like this:
Response.Write("An error occurred: " + er.Message);

And look at what the actual error is.

[no name] 10-Sep-13 11:43am

Its a syntax error in the SQL.

Computer Wiz99 10-Sep-13 11:58am

Yeah it is I found it. I used breakpoints and then used what Ron Beyer gave me. Thanks.

Computer Wiz99 10-Sep-13 12:10pm

Thanks for the information. I have another question for you. How can I get the user ID into TableSecurity?