Email address used as username in registration

Question

0.00/5 (No votes)

See more:

I have a registration form that i would like to make stronger because of the username will be their email address. How can I do this?

C#

protected void Page_Load(object sender, EventArgs e)
    {
        
        if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
            con.Open();
            string cmdStr = "Select count(*) from Tablepass where EmailAddress='" + TextBoxEA.Text + "'";
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
            userExist.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
            userExist.Parameters.AddWithValue("@Password", TextBoxPW.Text);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
            if (temp == 1)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Already Exist!!!');", true);
                TextBoxEA.Focus();
                TextBoxEA.Text = string.Empty;
                con.Close();
            }
            else
            {
                TextBoxPW.Focus();
            }
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
        con.Open();

        string cmdStr = "Select INST_ID, accessLevel, EmailAddress from Table1 where EmailAddress='" + TextBoxEA.Text + "'";
        string cmdStr2 = "Select INST_ID, accessLevel, EmailAddress from Table2 where EmailAddress='" + TextBoxEA.Text + "'";
        string insCmd = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";
        string insCmd2 = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";

        SqlCommand insertUser = new SqlCommand(insCmd, con);
        SqlCommand insertUser2 = new SqlCommand(insCmd2, con);

        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);
        insertUser.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text);
        insertUser.Parameters.AddWithValue("@accessLevel", TextBoxaccessLevel.Text);

        try
        {
            insertUser.ExecuteNonQuery();
            con.Close();
            Response.Redirect("Login.aspx");
        }
        catch (Exception er)
        {
            ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true);
            TextBoxEA.Text = string.Empty;
        }
    }


    protected void TextBoxEA_TextChanged(object sender, EventArgs e)
    {
        using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
        {
            con.Open();

            SqlCommand scmd = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from TableCEO where EmailAddress = @TextBoxEA", con);
            SqlCommand scmd2 = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from TableIALO where EmailAddress = @TextBoxEA", con);

            scmd.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));
            scmd2.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));

            TextBoxINST_ID.Text = string.Empty;
            TextBoxaccessLevel.Text = string.Empty;

            using (SqlDataReader dr = scmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    TextBoxINST_ID.Text = dr["INST_ID"].ToString();
                    TextBoxaccessLevel.Text = dr["accessLevel"].ToString();
                }
            }

            using (SqlDataReader dr2 = scmd2.ExecuteReader())
            {
                while (dr2.Read())
                {
                    TextBoxINST_ID.Text = dr2["INST_ID"].ToString();
                    TextBoxaccessLevel.Text = dr2["accessLevel"].ToString();
                }
            }

Posted 2-Dec-13 2:23am

Computer Wiz99

Add a Solution

Comments

ZurdoDev 2-Dec-13 8:26am

Do what?

Computer Wiz99 2-Dec-13 8:31am

Ok. This is what I have. I am trying to get the registration form to be stronger for creating users by their email address. I was testing it out this weekend and I couldn't get a yahoo email address to register. My error code kept firing. Now I can sign a yahoo email up and other email address that are not in the database and login to the system. On top of that my error messages has stop firing. What did I do wrong?

ZurdoDev 2-Dec-13 8:43am

I can't run your code so you need to be much more specific.

Computer Wiz99 2-Dec-13 8:48am

Ok. At first I could enter an invalid username and the error would fire saying, "User Name Is Not Recognized by The System!!!". Now I can enter an invalid username and password, click on the submit button and is saved into the database. Why did this happen?

ZurdoDev 2-Dec-13 8:49am

Put a breakpoint in Page_Load and in Submit_Click and you should be able to find it.

Computer Wiz99 2-Dec-13 8:52am

Ok. Should I put it on the protected void Page_Load and the same with the Submit also?

Computer Wiz99 2-Dec-13 8:50am

And I can enter a valid username and the error fires that the username is already taken. Which this part works fine it is the other part for invalid usernames.

ZurdoDev 2-Dec-13 8:52am

Don't put your logic in Page_Load. Put it all into the Submit_Click.

Computer Wiz99 2-Dec-13 8:53am

Ok, I will try it.

Computer Wiz99 2-Dec-13 9:00am

Ok. I did what you said about moving my logic to the submit button. It works for the valid usernames but still not working for the invalid usernames. Why can't you test the code?

ZurdoDev 2-Dec-13 9:18am

How could I test your code?
What is it you are trying to do. It does not look organized at all. You have 2 select statements and 2 inserts statements in the same method. You really need to simplify what you are doing.
Why can't you put a breakpoint and see what is happening?

Computer Wiz99 2-Dec-13 9:29am

Ok. This is what I am trying to do. I have 2 statements that checks 2 tables that have different users in them. If the username is not within those 2 tables the error should fire to let the user now that the username is not recognized by the system. The first statement checks to see if the username is already taken and there for will not register that username again. It is the invalid username that is still getting registered and able to login but I have created an error page if that happens but I would like it to happen when the user clicks on submit button.

If you are a new user and you try to enter in an invalid username you will receive the error message, "User Name Is Not Recognized by The System!!!".

If you are a new user and you enter in a valid username that is not taken you can then register that user.

If you enter a username that has been taken the error message will fire saying, "User Name Already Exist!!!".

ZurdoDev 2-Dec-13 9:33am

But you're calling ExecuteNonQuery which is not going to return data to you. You need to use SELECT COUNT(*) and then use ExecuteScalar() or just use ExecuteDataReader and check for dr.HasRows.

Computer Wiz99 2-Dec-13 9:38am

Are you saying replace "insertUser.ExecuteNonQuery();" with "inserUser.ExecuteScalar();"?

ZurdoDev 2-Dec-13 9:39am

That would be one option. ExecuteNonQuery will not return a result so how will your code no whether or not the user exists?

Computer Wiz99 2-Dec-13 9:41am

Ok. I did that change and the invalid username can still register.

ZurdoDev 2-Dec-13 9:47am

That's because you have no code to check for it. I am really confused as to where you are confused. You don't have code for half of what you want to do. You need to write the code.

Computer Wiz99 2-Dec-13 9:55am

I thought I did. On the submit button the try, catch, finally code and before that. Like I said before it was working at first when I tested it but now it allows the invalid username to be registered. What I had in Page_Load was to check to see if the user exist in the tablepass database. If it did exist the error fires saying that the user name already exist. If the user enters an invalid username at the submit button, the error should fire saying user name is not recognized by the system. But the error does not fire any more and the invalid username goes into the database. I would just like to know why the error has stopped firing and the code is allowing for the invalid username to be saved?

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

phil.o · Accepted Answer · 2013-12-02T03:50:00

Solution 1

This is at least the third post from you on the same subject/problem.
You have been given some advices, but as I can see you do not seem to have followed them so much. For example your code is still opened to SQL injection attacks.
What I recommand to you is:

- do not construct your SQL queries by concatenating strings obtained from user inputs - better use parameterized queries
How do I create a parameterized SQL query? Why Should I?[^]

- do not store passwords in the database ; instead store hashed-passwords
PWDENCRYPT (Transact-SQL)[^]
PWDCOMPARE (Transact-SQL)[^]

- you should not construct and use a SQL query in each call to a TextChanged eventhandler method. This only should happen when the user cliks on the submit button.

- IMHO, you should completely rethink the way you handle the login process; I mean:
On click of submit button -> test for the validity of login/password.
If user does not exist OR if password is incorrect -> redirect to an error page (or display an error message on the actual page).
If user exists and password is correct -> login.
This is not at all the logic you coded.

- Have a single table for users/hashed passwords.

Posted 2-Dec-13 3:50am

phil.o

Updated 2-Dec-13 4:02am

v2

Comments

Computer Wiz99 2-Dec-13 10:07am

phil.o, I did get the information from the other users on how to create a parameterized SQL query but don't know where or how to put it in my code. I see the examples but do not know where to start or what part to change. Help please.

phil.o 2-Dec-13 10:15am

If I were you, I would leave the existing code to the thrash, write some pseudo-code modelizing the wanted behaviour, and code it again, following advices that were given.
It is not likely someone will do all the work for you.
If you have written the code you showed, then I do not see/understand why you cannot see what part to change.

Computer Wiz99 2-Dec-13 10:28am

Ok. Let me ask you this. Some users have been saying to change the try, catch code to something else. What could I change it to? Not If Else?

phil.o 2-Dec-13 10:46am

An if..else block could work; the problem is not in the use of try..catch or if..else blocks, but in what you do inside.
Your logic is biased towards the whole process; that's why I advise you to write it down to pseudo-code BEFORE trying to effectively code it.
Let's try to make an analogy: you want to cook a cake but you make mistakes in the order/quantity of ingredients you put in it. Then you are trying to solve the problem by using some other kind of recipient -> you are false, because the problem does not lie in the recipient, but in the way you mix ingredients. Do you see what I mean?
Please, take a beak and take time to re-think about the whole process of verification/login; then write some pseudo-code on paper designing the behaviour. Then only start to code it once you have the process sorted.

Computer Wiz99 2-Dec-13 10:48am

Ok. Starting that now. I see what you are getting at. Sometimes I over think these things.

phil.o 2-Dec-13 11:39am

Nice :)
You can come back here when/if you are stuck. But do not create another question, rather improve this one with the new version. Courage, and good luck :)

Computer Wiz99 2-Dec-13 11:41am

Ok. Thanks.

Computer Wiz99 2-Dec-13 12:28pm

I have tried to change the SqlCommand to SqlParameters but keep getting errors on the insertUser.Parameters.AddWithValue

phil.o 2-Dec-13 14:09pm

Which error ?

Computer Wiz99 · Accepted Answer · 2013-12-02T06:28:00

Ok. Here is my new code and it does work.

C#

protected void Page_Load(object sender, EventArgs e)
    {
        
        if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
            con.Open();
            string cmdStr = "Select count(*) from Tablepass where EmailAddress='" + TextBoxEA.Text + "'";
            string cmdStr2 = "Select count(*) from Table1 where EmailAddress='" + TextBoxEA.Text + "'";
            string cmdStr3 = "Select count(*) from Table2 where EmailAddress='" + TextBoxEA.Text + "'";
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            SqlCommand userExist2 = new SqlCommand(cmdStr2, con);
            SqlCommand userExist3 = new SqlCommand(cmdStr3, con);
            SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
            SqlCommand cmd2 = new SqlCommand("select INST_ID, EmailAddress from Table1", con);
            SqlCommand cmd3 = new SqlCommand("select INST_ID, EmailAddress from Table2", con);
            userExist.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
            userExist.Parameters.AddWithValue("@Password", TextBoxPW.Text);
            userExist2.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
            userExist2.Parameters.AddWithValue("@Password", TextBoxPW.Text);
            userExist3.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
            userExist3.Parameters.AddWithValue("@Password", TextBoxPW.Text);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
            int temp2 = Convert.ToInt32(userExist2.ExecuteScalar().ToString());
            int temp3 = Convert.ToInt32(userExist3.ExecuteScalar().ToString());

            if (temp == 1)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Already Exist!!!');", true);
                TextBoxEA.Focus();
                TextBoxEA.Text = string.Empty;
            }
            else if (temp2 == 1)
            {
                
            }
            else if (temp3 == 1)
            {
                
            }
            else if (temp2 == 0)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true);
                TextBoxEA.Focus();
                TextBoxEA.Text = string.Empty;
                
            }
            else if (temp3 == 0)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true);
                TextBoxEA.Focus();
                TextBoxEA.Text = string.Empty;
                
            }
            con.Close();
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
        con.Open();

        string cmdStr = "Select INST_ID, accessLevel, EmailAddress from Table1 where EmailAddress='" + TextBoxEA.Text + "'";
        string cmdStr2 = "Select INST_ID, accessLevel, EmailAddress from Table2 where EmailAddress='" + TextBoxEA.Text + "'";
        string insCmd = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";
        string insCmd2 = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";

        SqlCommand insertUser = new SqlCommand(insCmd, con);
        SqlCommand insertUser2 = new SqlCommand(insCmd2, con);

        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);
        insertUser.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text);
        insertUser.Parameters.AddWithValue("@accessLevel", TextBoxaccessLevel.Text);

        insertUser2.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser2.Parameters.AddWithValue("@Password", TextBoxPW.Text);
        insertUser2.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text);
        insertUser2.Parameters.AddWithValue("@accessLevel", TextBoxaccessLevel.Text);

        try
        {
            insertUser.ExecuteScalar();
            con.Close();
            Response.Redirect("Login.aspx");
        }
        catch (Exception er)
        {
            
        }
    }


    protected void TextBoxEA_TextChanged(object sender, EventArgs e)
    {
        using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
        {
            con.Open();

            SqlCommand scmd = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from Table1 where EmailAddress = @TextBoxEA", con);
            SqlCommand scmd2 = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from Table2 where EmailAddress = @TextBoxEA", con);

            scmd.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));
            scmd2.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));

            TextBoxINST_ID.Text = string.Empty;
            TextBoxaccessLevel.Text = string.Empty;

            using (SqlDataReader dr = scmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    TextBoxINST_ID.Text = dr["INST_ID"].ToString();
                    TextBoxaccessLevel.Text = dr["accessLevel"].ToString();
                }
            }

            using (SqlDataReader dr2 = scmd2.ExecuteReader())
            {
                while (dr2.Read())
                {
                    TextBoxINST_ID.Text = dr2["INST_ID"].ToString();
                    TextBoxaccessLevel.Text = dr2["accessLevel"].ToString();
                }
            }