Wrox Programmer Forums
#1
August 9th, 2006, 06:42 AM
hcusto
Authorized User
Join Date: Aug 2006
Location: Mostar, HNK, Bosnia and Herzegovina
Posts: 14

Validating users

I have a form with Username and Password Field.
Also in my Tbl_Users table, I have stored username and password for users in Username, Password columns.

What I want to do now is, when someone enters a username and password, go to the table (I am using a SQL Express db), check whether there is a user with the provided password, and if there is, create a Session "USER" with the USER_ID (which I get from the Tbl_Users table, column UserID).

I am using C#

Thanks in advance

#2
August 9th, 2006, 07:34 AM
hcusto
Authorized User
Join Date: Aug 2006
Location: Mostar, HNK, Bosnia and Herzegovina
Posts: 14

I have solved this one, and here is how.

Code:
        // Requires: using System.Data; using System.Data.SqlClient; using System.Configuration;
        SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["testnaConnectionString"].ConnectionString);
        conn.Open();
        // The query text is built by concatenating the raw textbox values into the SQL string.
        SqlCommand com = new SqlCommand("SELECT UserID, Username, Password FROM tblUsers WHERE Username = '" + TextBox1.Text + "' AND Password = '" + TextBox2.Text + "'", conn);
        DataTable tbl = new DataTable();

        // Load the result set; CommandBehavior.CloseConnection closes conn when the reader is closed.
        tbl.Load(com.ExecuteReader(CommandBehavior.CloseConnection));
        if (tbl.Rows.Count > 0)
        {
            // A matching row was found: remember the user's ID in the session.
            Session["UserID"] = tbl.Rows[0]["UserID"].ToString();
        }


It works for me, but if I have done something wrong, please write.


#3
August 10th, 2006, 01:43 AM
Imar
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands
Posts: 17,089

Yeah, it has something wrong with it... It's pretty open to SQL injection.

Whenever a user enters a name like this:

Name: ' OR 1=1 --
Password:

you end up with this query:

SELECT UserID, Username, Password FROM tblUsers WHERE Username = '' OR 1=1 --' AND Password = '" + TextBox2.Text

which means the user can log in with the first available account, which is often the admin because it's the account you create first.

You may want to Google a bit for SQL injection and read this whitepaper:
http://www.nextgenss.com/papers/adva..._injection.pdf

Cheers,

Imar

---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
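To make Imar's point concrete, here is an added example (not code from the thread) that reproduces the concatenation pattern of post #2 against a constructed in-memory SQLite table and compares it with a parameterized query using the same `' OR 1=1 --` input; the table rows and the SQLite stand-in for SQL Express are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the thread's tblUsers (SQL Express in the
# original). Plain-text passwords are kept only to mirror the posted code; a real
# application would store and compare password hashes instead.
USERS = [(1, "admin", "s3cret"), (2, "hcusto", "pass123")]


def make_db():
    """Build an in-memory table with the same columns the posted query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (UserID INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO tblUsers VALUES (?, ?, ?)", USERS)
    return conn


def login_concatenated(conn, username, password):
    """Mirrors the posted code: the textbox values are pasted into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = ("SELECT UserID FROM tblUsers WHERE Username = '" + username +
           "' AND Password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the query text is fixed and the values travel as parameters,
    so the database treats them as data, never as SQL."""
    sql = "SELECT UserID FROM tblUsers WHERE Username = ? AND Password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both versions with a legitimate login and with the input from Imar's reply."""
    conn = make_db()
    payload = "' OR 1=1 --"  # the exact Name value quoted in post #3, empty Password
    return {
        "legit_concat": login_concatenated(conn, "hcusto", "pass123"),   # 2
        "legit_param": login_parameterized(conn, "hcusto", "pass123"),   # 2
        "inject_concat": login_concatenated(conn, payload, ""),          # 1 (first row, admin)
        "inject_param": login_parameterized(conn, payload, ""),          # None
    }


if __name__ == "__main__":
    print(demo())
```

In the ADO.NET code from post #2 the equivalent fix is to write `WHERE Username = @Username AND Password = @Password` and supply the values with `com.Parameters.AddWithValue("@Username", TextBox1.Text)` and `com.Parameters.AddWithValue("@Password", TextBox2.Text)`.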
#4
August 10th, 2006, 03:25 AM
hcusto
Authorized User
Join Date: Aug 2006
Location: Mostar, HNK, Bosnia and Herzegovina
Posts: 14

Thanks, Imar.

I will read it.
