ASP.NET 2.0 Professional If you are an experienced ASP.NET programmer, this is the forum for your 2.0 questions. Please also see the Visual Web Developer 2005 forum.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the ASP.NET 2.0 Professional section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old August 9th, 2006, 06:42 AM
Authorized User
 
Join Date: Aug 2006
Location: Mostar, HNK, Bosnia and Herzegovina.
Posts: 14
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via MSN to hcusto
Default Validating users

I have a form with Username and Password Field.
Also in my Tbl_Users table, I have stored username and password for users in Username, Password columns.

What I want to do now is, when someone enters a username and password, to go to the table (I am using a SQL Express db) and check whether there is a user with the provided password, and if there is such a user, to create a Session "USER" with USER_ID (which I get from the Tbl_Users table, column UserID).

I am using C#

Thanks in advance

 
Old August 9th, 2006, 07:34 AM
Authorized User
 
Join Date: Aug 2006
Location: Mostar, HNK, Bosnia and Herzegovina.
Posts: 14
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via MSN to hcusto
Default

I have solved this one, and here is how.

Code:
    using System;
    using System.Configuration;
    using System.Data;
    using System.Data.SqlClient;

    // Login button handler: looks up the typed username/password in tblUsers
    // and stores the matching UserID in session.
    protected void Button1_Click(object sender, EventArgs e)
    {
        SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["testnaConnectionString"].ConnectionString);
        conn.Open();
        // The two text box values are spliced directly into the SQL text.
        SqlCommand com = new SqlCommand("SELECT UserID, Username, Password FROM tblUsers WHERE Username = '" + TextBox1.Text + "' AND Password = '" + TextBox2.Text + "'", conn);
        DataTable tbl = new DataTable();

        // CloseConnection closes conn when the reader is closed.
        tbl.Load(com.ExecuteReader(CommandBehavior.CloseConnection));
        if (tbl.Rows.Count > 0)
        {
            Session["UserID"] = tbl.Rows[0]["UserID"].ToString();
        }
    }


It works for me, but if I have done something wrong please write.


 
Old August 10th, 2006, 01:43 AM
Imar's Avatar
Wrox Author
 
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts
Default

Yeah, it has something wrong with it... It's pretty open to SQL injection.

Whenever a user enters a name like this:

Name: ' OR 1=1 --
Password:

you end up with this query:

SELECT UserID, Username, Password FROM tblUsers WHERE Username = '' OR 1=1 --' AND Password = '" + TextBox2.Text

which means the user can log in with the first available account, which is often the admin because it's the account you create first.

You may want to Google a bit for SQL injection and read this whitepaper:
http://www.nextgenss.com/papers/adva..._injection.pdf

Cheers,

Imar

---------------------------------------
Imar Spaanjaars
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results and Beginning Dreamweaver MX / MX 2004
Want to be my colleague? Then check out this post.
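The fix for the concatenated query in the earlier post is to pass the two text box values as SqlParameters, so the database treats them as data rather than as part of the SQL statement. This is an added example, not code from Imar or from the original poster; it assumes the same tblUsers table (UserID, Username, Password) and the same "testnaConnectionString" connection string name used in the thread, and the column sizes of 50 are assumed.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.SessionState;

public static class UserLogin
{
    // Returns the UserID for a matching username/password pair, or null when
    // no row matches. Because the values travel as parameters, the input
    // "' OR 1=1 --" is compared literally against the Username column
    // instead of being spliced into the SQL text.
    public static int? TryLogin(string connectionString, string username, string password)
    {
        const string sql =
            "SELECT UserID FROM tblUsers WHERE Username = @Username AND Password = @Password";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Parameter sizes are assumed to match the column definitions in tblUsers.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 50).Value = password;

            conn.Open();
            object result = cmd.ExecuteScalar();   // null when no row matched
            return result == null ? (int?)null : Convert.ToInt32(result);
        }
    }

    // Page-side usage mirroring the original handler: only the id goes into session.
    public static void Login(HttpSessionState session, string username, string password)
    {
        string connStr =
            ConfigurationManager.ConnectionStrings["testnaConnectionString"].ConnectionString;
        int? userId = TryLogin(connStr, username, password);
        if (userId.HasValue)
        {
            session["UserID"] = userId.Value.ToString();
        }
    }
}
```

Parameterization only addresses the injection Imar describes; it does not change the fact that the thread's table stores passwords in clear text, which is a separate issue to address.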
 
Old August 10th, 2006, 03:25 AM
Authorized User
 
Join Date: Aug 2006
Location: Mostar, HNK, Bosnia and Herzegovina.
Posts: 14
Thanks: 0
Thanked 0 Times in 0 Posts
Send a message via MSN to hcusto
Default

Thanks Imar

I will read it.





Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.