ASP.NET 1.1 As of 10/6/2005, this forum is locked as part of the reorganization described here: http://p2p.wrox.com/topic.asp?TOPIC_ID=35394. No posts have been deleted. Open ongoing discussions from the last week have been moved to either ASP.NET 1.0 and 1.1 Beginners http://p2p.wrox.com/asp-net-1-0-1-1-basics-60/ or ASP.NET 1.0 and 1.1 Professional. http://p2p.wrox.com/forum.asp?FORUM_ID=50. See my sticky post inside for more.
Welcome to the p2p.wrox.com Forums.
You are currently viewing the ASP.NET 1.1 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

January 21st, 2004, 04:04 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
Form Authentication
I'm trying to run through the database table and match txtUserName and txtPassword to values currently in the database. If they match redirect them to the members only page. If the password doesn't match display "Invalid UserName or Password!". If the username is not found then redirect them to the register page.
The problem is when the username doesn't exist it does nothing when it's supposed to redirect to the register page.
Function DBAuthenticate(ByVal strUsername As String, ByVal strPassword As String) As Integer
    Dim intResult As Integer
    Dim strConn As String = ConfigurationSettings.AppSettings("membs")
    Dim objConn As New OleDbConnection(strConn)
    Dim strSQL As String = "SELECT password, username FROM members" & _
        "WHERE (password= '" & strUsername & "');"
    Dim objAdapter As New OleDbDataAdapter(strSQL, objConn)
    Dim objDataSet As New DataSet
    objAdapter.Fill(objDataSet, "dtMembers")
    objConn.Close()
    Dim r As DataRow
    For Each r In objDataSet.Tables("dtNews").Rows
        If r("password") = strPassword And r("username") = strUsername Then
            intResult = 1
        Else
            intResult = -1
        End If
    Next
    If intResult < 0 Then
        lblMessage.Text = "Invalid UserName or Password!"
    End If
    Return intResult
End Function

January 21st, 2004, 04:56 PM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Where's your Response.Redirect()?
<sidenote>
Many people recommend not telling the user that the password is bad (explicitly or implicitly telling them that the username is good). This encourages attempts to guess the password for a known good user. Usually you'd display an error like "No valid login for the username and password combination you entered could be found." This provides useful but not disclosing feedback.
</sidenote>
Peter
------------------------------------------------------
Work smarter, not harder.

January 21st, 2004, 04:59 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
I haven't added it in there yet. I was trying to get it to work first by displaying Invalid Username or Password.

January 21st, 2004, 05:01 PM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Ok, so what's the question then?
Peter
------------------------------------------------------
Work smarter, not harder.

January 21st, 2004, 05:03 PM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Oh, I just noticed something....
Dim strSQL As String = "SELECT password, username FROM members" & _
"WHERE (password= '" & strUsername & "');"
shouldn't this be the username field?
Dim strSQL As String = "SELECT password, username FROM members" & _
"WHERE (username= '" & strUsername & "');"

January 21st, 2004, 05:03 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
The problem is when the username doesn't exist it does nothing when it's supposed to redirect to the register page.
It should as of now display Invalid UserName or Password if no username can be found.

January 21st, 2004, 05:04 PM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
Well, how can it redirect if you aren't telling it to redirect?

January 21st, 2004, 05:10 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
Quote:
quote:Originally posted by planoie
Oh, I just noticed something....
Dim strSQL As String = "SELECT password, username FROM members" & _
"WHERE (password= '" & strUsername & "');"
shouldn't this be the username field?
Dim strSQL As String = "SELECT password, username FROM members" & _
"WHERE (username= '" & strUsername & "');"
|
Sorry that was a typo. It reads the way you pointed out.

January 21st, 2004, 05:12 PM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,110
Thanks: 0
Thanked 3 Times in 3 Posts
Should I have 2 sql statements and datasets to check for password in one and username in the other?

January 21st, 2004, 05:17 PM
Friend of Wrox
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts
How about this...
'Requires Imports System.Configuration, System.Data and System.Data.OleDb
Function DBAuthenticate(ByVal strUsername As String, ByVal strPassword As String) As Boolean
    Dim bResult As Boolean = False
    Dim objConn As New OleDbConnection(ConfigurationSettings.AppSettings("membs"))
    Dim strSQL As String
    Dim strGoodPassword As String
    Dim objCommand As New OleDbCommand
    objCommand.Connection = objConn
    'Bind the username as a parameter (OleDb uses positional ? markers)
    'so user input never becomes part of the SQL text
    strSQL = "SELECT password FROM members WHERE (username=?);"
    objCommand.CommandText = strSQL
    objCommand.CommandType = CommandType.Text
    objCommand.Parameters.Add("@username", OleDbType.VarChar).Value = strUsername
    objConn.Open()
    'ExecuteScalar returns Nothing when no row matches the username
    strGoodPassword = CType(objCommand.ExecuteScalar, String)
    objConn.Close()
    If Not strGoodPassword Is Nothing Then
        'Good user
        If strGoodPassword = strPassword Then
            bResult = True
        Else
            'bad password
            lblMessage.Text = "Invalid UserName or Password!"
        End If
    Else
        'No user, redirect to registration page
        Response.Redirect("register.aspx", False)
    End If
    Return bResult
End Function
Peter
------------------------------------------------------
Work smarter, not harder.
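
Added example (not code from either poster): a variant of DBAuthenticate that follows the sidenote earlier in the thread by returning the same result for an unknown username and a wrong password, with the username bound as an OleDb parameter. It assumes the thread's "membs" connection string and members table; the LoginCheck class name and members.aspx are hypothetical.

```vb
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.OleDb

' Added example, not the thread's code. Assumes the "membs" appSetting and
' a members(username, password) table as used in the thread.
Public Class LoginCheck

    ' One message for every failure, so the response does not reveal
    ' whether the username exists.
    Public Const FailureMessage As String = "Invalid UserName or Password!"

    Public Shared Function DBAuthenticate(ByVal strUsername As String, _
            ByVal strPassword As String) As Boolean
        If strUsername Is Nothing OrElse strPassword Is Nothing Then Return False

        Dim objConn As New OleDbConnection(ConfigurationSettings.AppSettings("membs"))
        Dim objCommand As New OleDbCommand( _
            "SELECT password FROM members WHERE (username = ?);", objConn)
        ' OleDb binds parameters by position; the name is only a label.
        objCommand.Parameters.Add("@username", OleDbType.VarChar).Value = strUsername

        Dim objStored As Object = Nothing
        Try
            objConn.Open()
            objStored = objCommand.ExecuteScalar()
        Finally
            ' Close the connection even if the query throws.
            objConn.Close()
        End Try

        ' Nothing = no such user, DBNull = row with a NULL password.
        ' Both take the same failure path as a wrong password.
        If objStored Is Nothing OrElse objStored Is DBNull.Value Then
            Return False
        End If

        ' Ordinal comparison stays case-sensitive whatever Option Compare is set to.
        Return String.CompareOrdinal(CStr(objStored), strPassword) = 0
    End Function
End Class

' In the login button handler of the page (controls named as in the thread):
'   If LoginCheck.DBAuthenticate(txtUserName.Text, txtPassword.Text) Then
'       Response.Redirect("members.aspx", False)   ' hypothetical page name
'   Else
'       lblMessage.Text = LoginCheck.FailureMessage
'   End If
```

With this shape a link to the registration page can sit on the login form itself, so it is shown to everyone rather than only when a lookup finds no user.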