This is the stored procedure for this prog.
SQL
CREATE Proc [dbo].[Log_prcLog]
	(
	@Username  varchar (50),
	@UPassword varchar (50),
	@OutRes int OUTPUT
	)

AS
set @OutRes = (select COUNT (*) from [dbo].Log_Users
where Username = @Username and [Password]= @Upassword)
if (@OutRes = 1 )

BEGIN
	
	set @OutRes = 1 --Login is Correct
	end 
	else
	begin
	set @OutRes = 0 -- Bad Login
    
	
end

VB.Net code
VB
Imports System.Data.SqlClient
Public Class login11
    Inherits System.Web.UI.Page
    Public Function Validate_Login(ByVal Username As String, ByVal Password As String) As Integer

        Dim con As SqlConnection = New SqlConnection("Data Source=andy\sqlexpress;Initial Catalog=tink;Integrated Security=True")
        Dim cmdselect As SqlCommand = New SqlCommand()
        cmdselect.CommandType = CommandType.StoredProcedure
        cmdselect.CommandText = "[dbo].[prcLog]"
        cmdselect.Parameters.Add("@Username", SqlDbType.VarChar, 50).Value = Username
        cmdselect.Parameters.Add("@UPassword", SqlDbType.VarChar, 50).Value = Password
        cmdselect.Parameters.Add("@OutRes", SqlDbType.Int, 4)
        cmdselect.Parameters("@OutRes").Direction = ParameterDirection.Output
        cmdselect.Connection = con
        Dim Results As Integer = 0
        Try
            con.Open()
            cmdselect.ExecuteNonQuery()
            Results = CType(cmdselect.Parameters("@OutRes").Value, Integer)
        Catch ex As SqlException
            lblMessage.Text = ex.Message
        Finally
            cmdselect.Dispose()
            If Not con Is Nothing Then
                con.Close()
            End If
        End Try
        Return Results
    End Function
   
    Protected Sub btnlogin_Click(sender As Object, e As EventArgs)
        Dim Results As Integer = 0
        If txtUsername.Text <> String.Empty AndAlso txtPassword.Text <> String.Empty Then
            Results = Validate_Login(txtUsername.Text.Trim(), txtPassword.Text.Trim())
            If Results = 1 Then
                lblMessage.Text = "Login is Good, Send the User to another page or enable controls"
            Else
                lblMessage.Text = "Invalid Login"
                lblMessage.ForeColor = System.Drawing.Color.Red
                'Don't give too much information; this might tell a hacker what is wrong in the login
            End If
        Else
            lblMessage.Text = "Please make sure that the username and the password is Correct"
        End If

    End Sub
End Class
Updated 11-Jun-12 23:35pm

Have you got the username/pwd combo more than once in your DB?

You should do an EXISTS check, rather than a COUNT (which would make your IF redundant), and your username should be a unique index.
 
 
Comments
nicky_008 12-Jun-12 6:04am
Yeah... I have more than one username and password.
barneyman 12-Jun-12 6:08am
I was less than explicit - if you have (for example) fred/password1234 more than once in your user DB, your count check will return >1, which will cause your stored procedure to fail...

Given that your description of the problem you were experiencing was not precise, that's the first problem I identified.

There are so many things there it's difficult to know where to begin...

Congratulations on using parameterised queries! You got that right - well done.

But...
Parameters.Add was deprecated many years ago in favour of AddWithValue:
VB
cmdselect.Parameters.AddWithValue("@Username", Username)


Why are you faffing about with an output parameter, (or even a stored procedure) when all you are interested in is a number?
SQL
SELECT COUNT(*) FROM Log_Users WHERE Username = @Username AND [Password] = @UPassword
and call ExecuteScalar which will return you the number of matching records as an integer directly.

And the big one: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it. (it's in C#, but it's easy to understand and translate)
 
 
Hi, please try this:


ALTER Proc [dbo].[Log_prcLog]
(
@Username varchar (50),
@UPassword varchar (50),
@OutRes int OUTPUT
)

AS
set @OutRes = (select COUNT (*) from [dbo].Log_Users
where Username = @Username and [Password]= @Upassword)
if (@OutRes >0 )

BEGIN

set @OutRes = 1 --Login is Correct
end
else
begin
set @OutRes = 0 -- Bad Login


end
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


