Click here to Skip to main content
15,907,906 members
Please Sign up or sign in to vote.
1.00/5 (2 votes)
See more:
I have a problem with my registration page. Every time a user enters their email address and password they get the error massage that I setup. The user email address and password is not saved into the table I set it for and they can not login. What did I do wrong?

C#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Web.Security;
using System.Security.Cryptography;

public partial class SubmitPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PasswordConnectionString"].ConnectionString);
            con.Open();

            string cmdStr = "Select count(*) from TableSecurity where EmailAddress='" + TextBoxEA.Text + "'";
            string cmdStr2 = "Select count(*) from TableCEO where EmailAddress ='" + TextBoxEA.Text + "'";
            string cmdStr3 = "Select count(*) from TableIALO where EmailAddress ='" + TextBoxEA.Text + "'";
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            SqlCommand cmd = new SqlCommand("select * from TableSecurity", con);
            SqlCommand cmd2 = new SqlCommand("select * from TableCEO", con);
            SqlCommand cmd3 = new SqlCommand("select * from TableIALO", con);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
            if (temp == 1)

                Response.Write("User Name Already Exist!!!<br /> Please Choose Another User Name.");
        }



    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PasswordConnectionString"].ConnectionString);
        con.Open();

        string chkUser = "select count(*) from TableCEO where EmailAddress'" + TextBoxEA.Text + "";
        chkUser = "select count(*) from TableIALO where EmailAddress'" + TextBoxPW.Text + "";
        SqlCommand chkUsercmd = new SqlCommand(chkUser, con);


        string insCmd = "Insert into TableSecurity (EmailAddress, Password) values (@EmailAddress, @Password)";
        SqlCommand insertUser = new SqlCommand(insCmd, con);
        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);
        


        try
        {
            insertUser.ExecuteNonQuery();
            con.Close();
            Response.Redirect("Login.aspx");
        }
        catch (Exception er)
        {
            Response.Write("Something Really Bad Has Happened....Please Try Again.");
        }
        finally
        {
        }
    }
    
}
Posted
Updated 10-Sep-13 5:31am
v2

1 solution

Your problem is here:

C#
string insCmd = "Insert into TableSecurity (EmailAddress, Password, AccessLevel) values (@EmailAddress, @Password)";
        SqlCommand insertUser = new SqlCommand(insCmd, con);
        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);


Notice how you have 3 columns, but you are only inserting 2 values? You are ignoring the AccessLevel column, you need to add that in the values section and a parameter for it.

Another thing I'm confused about, you use parameterized queries properly in the insert, but completely ignore them for the count selects at the top? If I type the right "email address", I can get all your user names and passwords out of you database, erase your database, or do anything else I want. Change those to use parameters too!
 
Share this answer
 
Comments
Ron Beyer 10-Sep-13 11:19am    
Oh, and let me know what site you are developing, looks like you are storing passwords in plain text, which is a huge security no-no...
Computer Wiz99 10-Sep-13 11:24am    
Ron Beyer, Thanks for the look over. So, you are saying that I should use 'useparameters'? How would you be able to get all of my email address and passwords from my database?
Computer Wiz99 10-Sep-13 11:26am    
We are building a project for kids at the Boys & Girls Club to show them how programming works. We welcome any information you have to show.
Computer Wiz99 10-Sep-13 11:30am    
I updated the code and the samething is still happening? What did I do wrong?
Ron Beyer 10-Sep-13 11:31am    
Depends on what you updated it to, have you tried printing out the exception message instead of the generic text that you created?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900