我的登录始终成功，无论用户名或密码正确/错误

Question

The login form is using the patient table to login. Whether I type in correct or wrong username/password it always redirect me to the home page which is index.aspx which means sucessful. For my below code, I select patientID too because I would like to store the patientID in a session.

Answer 1

an integer in c# is never null. it can be 0 though.

int id = Convert.ToInt32(cmd.ExecuteScalar());

id will be 0 in case of no record found so this condition

if (id != null)

will always be true.check if id is not 0 like this

if (id <= 0)

Answer 2

Problem : you need to understand that Valu types will never hold null . so checking id against null will always retur true hence you are able to login into system in all conditions.

Solution : you should have a mechanism where you can identify the actual value of the ExecuteScalar() . it will return null if incase there are no records.but it wont be converted to int as null so you should first check for null against ExecuteScalar() retur value and then if it is not null convert that into integer otherwise assign zero.

Try This:

        int id =(cmd.ExecuteScalar()!=null)?Convert.ToInt32(cmd.ExecuteScalar()):0;
        if (id > 0)
        {
            Session.Add("ID", id);
            Session.Add("pUsername", txtUserName.Text);
            Session.Add("pPassword", txtPassword.Text);
            FormsAuthentication.SetAuthCookie(txtUserName.Text, true);
            Response.Redirect("index.aspx");
        }

EDIT: Your system allows Empty UserName and Empty Password as Valid credentials as you you have Id 5 with empty UserName and Password in above table. so add UserName and Password for userId 5 so that it wont allow empty username and password.

Answer 3

_{Disclaimer: This won't fix your issue, but it's too long to leave as comment and important enough to what you're doing I felt justified providing it as an answer.}

---

The code below is really, really bad:

cmd.CommandText = "SELECT patientID, pUsername, pPassword FROM patient WHERE pUsername='" + user + "' AND pPassword='" + pwd + "'  ";

You MUST do it this way instead:

cmd.CommandText = "SELECT patientID, pUsername, pPassword FROM patient WHERE pUsername= @user and pPassword= @password;"
cmd.Parameters.Add("@user", SqlDbType.NVarChar, 16).Value = user;
cmd.Parameters.Add("@password", SqlDbType.NVarChar, 200).Value = pwd;

You must use Parameters anywhere you substitute user data into a query. No Exceptions . Anything else WILL result in your app being hacked... probably sooner rather than later.

Additionally, it looks like you're storing passwords in plain text. That's nearly as bad as not using parameters. The correct way to store passwords is to prepend a per-user salt to the password and then store a cryptographicly secure hash (bcrypt or scrypt) of the result. When authenticating a user, you perform the same steps on the attempted password and compare the hash values, not the password directly.

Really, you should not be writing authentication code at all. Authentication is one of those things where it's easy to build something that seems to work... passes all your tests... but in the end is fundamentally flawed in a subtle way that results in you finding out a year later that you were pwned six months ago. The best course is to always lean as much as possible on the authentication features provided by your platform of choice. In the case of ASP.Net, that means learning and using the Membership provider features.