
asp.net Login database

Hi, I'm having a problem when trying to get my website to log in. I want it to display the appropriate message when I log in, but I keep getting the same message "Email is not correct". Would anyone be able to help me with this?

protected void loginbutton_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString);
    con.Open();
    // First query: count the rows whose email matches the text box.
    string checkuser = "select count(*) from Users where email =' " + loginemail.Text + "'";
    SqlCommand com = new SqlCommand(checkuser, con);
    int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
    con.Close();
    if (temp == 1)
    {
        con.Open();
        // Second query: fetch the stored password for that email and compare it.
        string checkPasswordQuery = "select password from Users where email = '" + loginemail.Text + "'";
        SqlCommand pass = new SqlCommand(checkPasswordQuery, con);
        string password = pass.ExecuteScalar().ToString();
        if (password == loginpassword.Text)
        {
            Session["New"] = loginemail.Text;
            Response.Write("Password is Correct");
            Response.Redirect("Admin.aspx");
        }
        else
        {
            Response.Write("Password is not correct");
        }
    }
    else
    {
        Response.Write("Email is not Correct");
    }
}

There is a space next to your email:

where email =' " + log... 

To highlight it:

where email ='[here there is an empty space] " + log...

I think this is what needs to change:

string checkuser = "select count(*) from Users where email ='" + loginemail.Text + "'";

First of all, your code is prone to SQL injection attacks. Instead, use a parameterized query.

Second, you do not need to use two SELECT statements.

Note: you should never say which one is not correct, for security reasons. Instead, you want to display "Invalid email or password".

In addition, you should never store plain-text passwords. Instead, you want to store passwords in hashed format with a salt. Look at ASP.NET Universal Providers or ASP.NET Identity.

protected void Loginbutton_Click(object sender, EventArgs e)
{
    string connectionString = ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString;

    // One parameterized query: the text box values travel as parameter values, never as SQL text.
    using (var conn = new SqlConnection(connectionString))
    using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE Email=@Email AND Password=@Password", conn))
    {
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.AddWithValue("@Email", loginemail.Text);
        cmd.Parameters.AddWithValue("@Password", loginpassword.Text);

        conn.Open();
        int temp = Convert.ToInt32(cmd.ExecuteScalar());

        if (temp == 1)
        {
            Session["New"] = loginemail.Text;
            Response.Redirect("Admin.aspx");
        }
        else
        {
            // Same message whether the email is unknown or the password is wrong.
            Response.Write("Invalid email or password");
        }
    }
}
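As an added example (not code from the question or from either answer), this hypothetical helper puts the answer's two recommendations together: a parameterized lookup by email, and salted PBKDF2 password hashing checked with a fixed-time comparison. It assumes a Users table with Email, PasswordHash (varbinary) and Salt (varbinary) columns, and .NET Framework 4.7.2 or later for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Hypothetical helper: stores and checks salted PBKDF2 hashes and looks the user up
// with a parameterized query. Assumes Users(Email, PasswordHash, Salt).
public static class LoginHelper
{
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Derive a PBKDF2-SHA256 hash of the password with the given salt.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    // Fresh random salt for a new account; store it next to the hash at registration.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }

    // Compare hashes without stopping at the first mismatching byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // True only when the email exists and the password matches its stored hash.
    public static bool ValidateUser(string email, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT PasswordHash, Salt FROM Users WHERE Email = @Email", conn))
        {
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // unknown email and wrong password look the same to the caller
                var expected = (byte[])reader["PasswordHash"];
                return FixedTimeEquals(HashPassword(password, (byte[])reader["Salt"]), expected);
            }
        }
    }
}
```

The click handler then only needs `if (LoginHelper.ValidateUser(loginemail.Text, loginpassword.Text))` and a single "Invalid email or password" message for the false branch.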
