My login is allowing for anyone to login

Question

2.71/5 (3 votes)

See more:

Hello. I have a login page and it has two buttons. The Submit button takes the username and password and puts it in a security table. The login button takes the stored data from the security
table and lets the user login. I also have two tables that has the data record for all the users. How can I check to see if the user exists within those two tables in a single string in asp.net?

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PassConnectionString"].ConnectionString);
            con.Open();

            string cmdStr = "Select count(*) from TableSecurity where EmailAddress='" + TextBoxEA.Text + "'";
            string cmdStr2 = "Select count(*) from TableCEO where EmailAddress ='" + TextBoxEA.Text + "'";
            string cmdStr3 = "Select count(*) from TableIALO where EmailAddress ='" + TextBoxEA.Text + "'";
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            SqlCommand cmd = new SqlCommand("select * from TableSecurity", con);
            SqlCommand cmd2 = new SqlCommand("select * from TableCEO", con);
            SqlCommand cmd3 = new SqlCommand("select * from TableIALO", con);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
            if (temp == 1)

                Response.Write("User Name Already Exist!!!<br /> Please Choose Another User Name.");
        }
    
    }

    
    protected void Submit_Click(object sender, EventArgs e)
    {

        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PassConnectionString"].ConnectionString);
        con.Open();

        string chkUser = "select count(*) from TableCEO where EmailAddress'" + TextBoxEA.Text +"";
            chkUser = "select count(*) from TableIALO where EmailAddress'" + TextBoxPW.Text + "";
            SqlCommand chkUsercmd = new SqlCommand(chkUser, con);
            

        string insCmd = "Insert into TableSecurity (EmailAddress, Password) values (@EmailAddress, @Password)";
        SqlCommand insertUser = new SqlCommand(insCmd, con);
        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);
        

        try
        {
            insertUser.ExecuteNonQuery();
            con.Close();
            Response.Redirect("Login.aspx");
        }
        catch (Exception er)
        {
            Response.Write("Something Really Bad Has Happened....Please Try Again.");
        }
        finally
        {
        }
        }

    
    protected void Button1_Click(object sender, EventArgs e)
    {

        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["PassConnectionString"].ConnectionString);
        con.Open();

        string cmdStr = "select count(*) from TableCEO where EmailAddress= '" + TextBoxEA.Text + "'";
        SqlCommand Checkuser = new SqlCommand(cmdStr, con);
        int temp = Convert.ToInt32(Checkuser.ExecuteScalar().ToString());
        if (temp == 1)
        {
            string cmdStr2 = "select Password from TableSecurity where Password = '" + TextBoxPW.Text + "'";
            SqlCommand pass = new SqlCommand(cmdStr2, con);
            string password = pass.ExecuteScalar().ToString();
            con.Close();

            if(password == TextBoxPW.Text)
            {
                Session["New"] = TextBoxEA.Text;
                Response.Redirect("Secure.aspx");
            }
            else
            {
                Label1.Visible = true;
                Label1.Text = "Invalid Password...!!";
            }
        }
            else
            {
                Label1.Visible = true;
                Label1.Text = "Invalid EmailAddress...!!";
        }
    }
}

Posted 30-Apr-13 9:11am

Computer Wiz99

Updated 30-Apr-13 9:42am

Richard C Bishop

v3

Add a Solution

Comments

Richard C Bishop 30-Apr-13 15:22pm

You can use an inner join when querying the tables. That will allow you check both tables I believe.

Computer Wiz99 30-Apr-13 15:33pm

Can you show me what the inner join code looks like?

Richard C Bishop 30-Apr-13 15:36pm

Here is a generic select statement with an inner join. You will have to modify to fit your needs:

SELECT column_name(s)
FROM table_name1
INNER JOIN table_name2
ON table_name1.column_name=table_name2.column_name

Computer Wiz99 30-Apr-13 15:38pm

Ok. Thanks. Can I put this in ASP.Net using C#? Where will I put this statement?

Computer Wiz99 30-Apr-13 15:38pm

Here is the code I updated.

Richard C Bishop 30-Apr-13 15:41pm

You would put that code in the place where you want to check both tables for the user existing. You will have to determine that, I cannot tell you.

Richard C Bishop 30-Apr-13 15:42pm

Another thing, you are leaving yourself open for SQL injection attacks. I would recommend using paramterized queries to thwart this issue.

Sandeep Mewara 30-Apr-13 15:43pm

Why such design or implementation?

jkirkerx 30-Apr-13 15:53pm

It's the OP with the sitemap question earlier that Sergey answered, that has the same masterpage foe CEO and other user.

Sandeep Mewara 30-Apr-13 16:03pm

Ok. I will look at that question, for now, it's odd implementation. Having same master page for two roles - ok, handle that in UI... why login data in two tables?

jkirkerx 30-Apr-13 16:56pm

Maybe one is for backend and the other for the frontend

Thanks7872 1-May-13 0:28am

Why such implementation?what is difference security table and two tables that has the data record for all the users?Why you have two buttons Submit and Login?

Computer Wiz99 1-May-13 8:05am

I did that to see where my code was the hangup. At first I had one button to handle all functions. Is there a better way of doing it? The security table stores the username, password and roles for each user snd for the user when they come back to the site later on.

Thanks7872 1-May-13 8:10am

At the end of the day,i want to explain you simple thing.Have one page with 5 controls.two textboxes(username,password),one button for login,one link for password recovery and one link for sign up.when user enters username and password and clicks login button check for existance of that user in database and if it do,redirect it based on the role column.if dont,throw error msg the way you want.Further,if new user arrives,he can click on sign up.If user lost her password,she can follow password recovery link.Thats all about logins.

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)