使用 asp.net 和 SQL Server 的登录屏幕

Question

I am trying to create a login page but but my Login button does not work. I am selecting username and password from my sql server database.

Unfortunately, I get an error

System.Data.SqlClient.SqlException: Incorrect syntax near ''

on line 27:

int temp = Convert.ToInt32(com.ExecuteScalar().ToString());

Code below:

SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["connect"].ConnectionString);
con.Open();

string checkuser = "select * from tb_Login where Username='" + txtUsername.Text + "' and Password='" + txtPassword.Text + "' ";

SqlCommand com = new SqlCommand(checkuser, con);

int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
con.Close();

if (temp == 1)
{
    con.Open();
    string checkPass = "select Password from tb_Login where Username='" + txtUsername.Text + "'";

    SqlCommand passCom = new SqlCommand(checkPass, con);
    string password = passCom.ExecuteScalar().ToString().Replace(" ", "");

    if (password == txtPassword.Text)
    {
        Session["New"] = txtUsername.Text;
        Response.Write("Correct");
    }
    else
    {
        Response.Write("Not Correct");
    }
}
else
{
    Response.Write("Username not correct");
}

Answer 1

This line of code:

string checkuser = "select * from tb_Login where Username='" + txtUsername.Text + "' and Password='" + txtPassword.Text + "' ";

Is sending a query to the database and asking: "Give me all the columns from tb_Login whose UserName is the value in the txtUsername box and the Password is in the txtPassword box."

Then this line will take the value of the first column of the first row and try to convert it to an integer and if it cannot it will fail:

int temp = Convert.ToInt32(com.ExecuteScalar().ToString());

Change your query to select one column only: the column you need.

Also make sure you read this question on Stack Overflow so you can see how your code is a security threat to your own application.