Click here to Skip to main content
15,068,645 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
I have a login page that I want to let the user know if there username does not exist and they must register. The code that I have works but when a user enters in a username that is in the database the error message come up and says "Invalid UserName/Password". I would like for this error to come up if the user enters a valid or invalid username and password when they click on login. How can I get my code to do that? I had this code is Page Load but I thought it might work better in TextBox_TextChange.

C#
if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
            con.Open();
            string cmdStr = "Select count(*) from Tablepass where EmailAddress='" + TextBoxEA.Text + "'";

            SqlCommand userExist = new SqlCommand(cmdStr, con);
            SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
            if (temp == 1)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Invalid UserName/Password!!!');", true);
            }
            else
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Does Not Exist!!! You Must Fill Out Registration First!!!');", true);
            }
        }
    }
}
Posted
Updated 20-Nov-13 9:30am
v2
Comments
Richard C Bishop 20-Nov-13 15:42pm
   
The ExecuteScalar() method returns the first record of the results. So if you get a result with that query, it means it is valid. You have it as not valid. Probably should switch your logic.
Computer Wiz99 20-Nov-13 15:49pm
   
Ok, Thanks. How do you mean switch my logic? What it does now is when I enter a valid username I get the error message, "Invalid UserName/Password". When I enter in an invalid username the error message shows, "User Name Does Not Exist!!! You Must Fill Out Registration First". The second part is correct. That is what I want it to do. It is the first part that gets me.
Richard C Bishop 20-Nov-13 16:10pm
   
Your first if statement should probably read:

if (temp == 0)
{
}

This will show the invalid message because your query did not return anything. When you enter something invalid it will default to your else which is basically an invalid entry. See my edited solution below.
Computer Wiz99 20-Nov-13 16:33pm
   
Ok, I changed the if (temp == 1) to if (temp == 0). When I enter in a valid username I get the second error message. I should not get any error message if the username is valid.
Richard C Bishop 20-Nov-13 16:43pm
   
That is where your logic is slightly skewed. You cannot check if it is a bad entry twice. Being invalid and not being registered are the same thing ultimately. Neither one allows the user to continue. See my updated solution below for a new way you could handle this.

1 solution

It fires as soon as the text changes and they way you are concatenating the text value of your textbox text value is causing an unexpected value to be in the WHERE clause. You could have done something like this:

    if (IsPostBack)
    {
        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HOTConnectionString"].ConnectionString);
        con.Open();
        string cmdStr = "select count(*) from Tablepass where EmailAddress=@TextBoxEA";
        SqlCommand userExist = new SqlCommand(cmdStr, con);
        SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
        userExist.Parameters.AddWithValue("@TextboxEA", TextBoxEA.Text);
        int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
        if (temp == 0)
        {
            ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Invalid UserName/Password!!!');", true);

        }
    }
}


Also, you have been told numerous times that this sort of code leaves you vulnerable to SQL injection. It would be in your best interest to revise it using parameterized queries.

[EDIT]
int loginAttempts = 0;

   if (IsPostBack)
      {
          SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HOTConnectionString"].ConnectionString);
          con.Open();
          string cmdStr = "select count(*) from Tablepass where EmailAddress=@TextBoxEA";
          SqlCommand userExist = new SqlCommand(cmdStr, con);
          SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
          userExist.Parameters.AddWithValue("@TextboxEA", TextBoxEA.Text);
          int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());



          if (temp == 0)
          {
              ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('Invalid UserName/Password!!!');", true);
              loginAttempts++;

          }
          else if (loginAttempts == 5)
          {
               ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Does Not Exist!!! You Must Fill Out Registration First!!!');", true);

          }
      }
  }


This checks how many times they have attempted to login and then will show the register message after 5 attempts(which could be any number). Your "else" could do the login if the user entered data is valid.

[/EDIT]
   
v10

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900