I have a form set up where a user can enter their username and create a password to log in. When a user enters an invalid username and password the error message should fire but it doesn't. It was working before and I didn't change anything. What is my issue?

C#
protected void Submit_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
        con.Open();

        string cmdStr = "Select INST_ID, accessLevel, EmailAddress from Table1 where EmailAddress='" + TextBoxEA.Text + "'";
        string cmdStr2 = "Select INST_ID, accessLevel, EmailAddress from Table2 where EmailAddress='" + TextBoxEA.Text + "'";
        string insCmd = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";
        string insCmd2 = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";

        SqlCommand insertUser = new SqlCommand(insCmd, con);
        SqlCommand insertUser2 = new SqlCommand(insCmd2, con);

        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);
        insertUser.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text);
        insertUser.Parameters.AddWithValue("@accessLevel", TextBoxaccessLevel.Text);

        try
        {
            insertUser.ExecuteNonQuery();
            con.Close();
            Response.Redirect("Login.aspx");
        }
        catch (Exception er)
        {
            ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true);
            
        }
        finally
        {
        }
    }

    protected void TextBoxEA_TextChanged(object sender, EventArgs e)
    {

        using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
        {
            con.Open();

            SqlCommand scmd = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from Table1 where EmailAddress = @TextBoxEA", con);
            SqlCommand scmd2 = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from Table2 where EmailAddress = @TextBoxEA", con);

            scmd.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));
            scmd2.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));

            TextBoxINST_ID.Text = string.Empty;
            TextBoxaccessLevel.Text = string.Empty;

            using (SqlDataReader dr = scmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    TextBoxINST_ID.Text = dr["INST_ID"].ToString();
                    TextBoxaccessLevel.Text = dr["accessLevel"].ToString();
                    
                }
            }

            using (SqlDataReader dr2 = scmd2.ExecuteReader())
            {
                while (dr2.Read())
                {
                    TextBoxINST_ID.Text = dr2["INST_ID"].ToString();
                    TextBoxaccessLevel.Text = dr2["accessLevel"].ToString();
                    
                }
            }

            }
        }
    }
Comments
Richard C Bishop 26-Nov-13 11:55am    
First off, you are not using the parameterized query correctly in your first SELECT statements. However, you are not using those Select statement strings, so why are they even there? You are still susceptible to SQL injection in your Submit_Click event handler. Also, you are using the try catch incorrectly. The catch will only run the code in it if the try throws an exception.

The only SQL statement you are executing is the first declared insert statement. So that is not checking the entry from the user, but it only returns the number of rows affected.

See my solution below to accomplish the task you are attempting.
Computer Wiz99 26-Nov-13 11:59am    
Ok. I don't see the solution yet.
Richard C Bishop 26-Nov-13 12:01pm    
Sorry, give me a minute.
Computer Wiz99 26-Nov-13 12:02pm    
Ok.
Computer Wiz99 26-Nov-13 14:59pm    
Ok. I have tested and tested and the error will not display when a user clicks on submit when the username is not in the database. Right now a user can enter a username that is not in the database with a password and log in to the site, but it will redirect them to an error page that has been set up. I want it to display an error when they click on submit if the username is not in the database. Right now I can enter a dummy username and password and click on submit. It takes me back to the login page. The dummy username and password are saved into the database. This I do not want.

1 solution

See comments to question above.

It is not wise to store your passwords in a database. See this article for an explanation.
Below is a simple way to achieve your goal and is just a model for the logic and not the ideal way to do this.

// Requires: using System.Data; using System.Data.SqlClient;
protected void Submit_Click(object sender, EventArgs e)
{
    // Declared outside the try block so the finally block can close it.
    SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
    try
    {
        string cmdStr = "Select INST_ID, accessLevel, EmailAddress from Table1 where EmailAddress=@EmailAddress and Password=@Password";

        SqlCommand CheckUser = new SqlCommand(cmdStr, con);

        CheckUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        CheckUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);

        con.Open();
        SqlDataReader reader = CheckUser.ExecuteReader();

        // Load the result set so the matching rows can be counted.
        DataTable dt1 = new DataTable();
        dt1.Load(reader);
        if (dt1.Rows.Count >= 1)
        {
            Response.Redirect("Login.aspx");
        }
        else
        {
            ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true);
        }
    }
    catch (Exception ex)
    {
        //do whatever
    }
    finally
    {
        con.Close();
    }
}
 
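As an added example (not code from the question or from the answer above), here is one way to get the behaviour asked for in the comments: nothing is written to Tablepass unless the e-mail address already exists in Table1 or Table2, every query is parameterized, and the password is stored as a salted PBKDF2 hash. The names `Registration`, `TryRegister` and `HashPassword` are hypothetical; it assumes the INST_ID and accessLevel columns have compatible types in both tables, that the Password column can hold an 80-character string, and .NET Framework 4.7.2 or later for the `HashAlgorithmName` overload.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
public static class Registration   // hypothetical helper, not part of the original page
{
    // Returns false when the e-mail address is in neither Table1 nor Table2;
    // in that case nothing is written to Tablepass.
    public static bool TryRegister(string connectionString, string email, string password)
    {
        const string lookupSql =
            "SELECT INST_ID, accessLevel FROM Table1 WHERE EmailAddress = @EmailAddress " +
            "UNION ALL " +
            "SELECT INST_ID, accessLevel FROM Table2 WHERE EmailAddress = @EmailAddress";
        const string insertSql =
            "INSERT INTO Tablepass (EmailAddress, Password, INST_ID, accessLevel) " +
            "VALUES (@EmailAddress, @Password, @INST_ID, @accessLevel)";
        using (var con = new SqlConnection(connectionString))
        {
            con.Open();
            object instId, accessLevel;
            using (var lookup = new SqlCommand(lookupSql, con))
            {
                lookup.Parameters.AddWithValue("@EmailAddress", email);
                using (SqlDataReader dr = lookup.ExecuteReader())
                {
                    if (!dr.Read()) return false;   // unknown user: caller shows the error
                    // Taken from the database row, not from editable form fields.
                    instId = dr["INST_ID"];
                    accessLevel = dr["accessLevel"];
                }
            }
            using (var insert = new SqlCommand(insertSql, con))
            {
                insert.Parameters.AddWithValue("@EmailAddress", email);
                insert.Parameters.AddWithValue("@Password", HashPassword(password));
                insert.Parameters.AddWithValue("@INST_ID", instId);
                insert.Parameters.AddWithValue("@accessLevel", accessLevel);
                insert.ExecuteNonQuery();
            }
            return true;
        }
    }
    // PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as "iterations.salt.hash".
    static string HashPassword(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, 16, 100000, HashAlgorithmName.SHA256))
            return "100000." + Convert.ToBase64String(kdf.Salt) + "." + Convert.ToBase64String(kdf.GetBytes(32));
    }
}
```

In Submit_Click, call `TryRegister` with the connection string, `TextBoxEA.Text` and `TextBoxPW.Text`, then redirect to Login.aspx on `true` and register the alert script on `false`. The login page then has to recompute the hash from the stored salt and iteration count and compare it, rather than matching the password column directly.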

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
