Hi, I'm having a problem when trying to get my website to log in. I want it to display the appropriate message when I log in, but I keep getting the same message "Email is not correct". Would anyone be able to help me with this?
protected void loginbutton_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString);
    con.Open();
    // First query: count the rows whose email matches the text box
    string checkuser = "select count(*) from Users where email =' " + loginemail.Text + "'";
    SqlCommand com = new SqlCommand(checkuser, con);
    int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
    con.Close();
    if (temp == 1)
    {
        con.Open();
        // Second query: fetch the stored password for that email
        string checkPasswordQuery = "select password from Users where email = '" + loginemail.Text + "'";
        SqlCommand pass = new SqlCommand(checkPasswordQuery, con);
        string password = pass.ExecuteScalar().ToString();
        if (password == loginpassword.Text)
        {
            Session["New"] = loginemail.Text;
            Response.Write("Password is Correct");
            Response.Redirect("Admin.aspx");
        }
        else
        {
            Response.Write("Password is not correct");
        }
    }
    else
    {
        Response.Write("Email is not Correct");
    }
}
There is a space next to your email:
where email =' " + log...
To highlight it:
where email ='[here there is an empty space] " + log...
I think this is what needs to change:
string checkuser = "select count(*) from Users where email ='" + loginemail.Text + "'";
First of all, your code is prone to SQL injection attacks. Instead, use a parameterized query.
Second, you do not need to use two SELECT statements.
Note: you should never say which one is not correct, for security reasons. Instead, you want to display "Invalid email or password".
In addition, you should never store plain-text passwords. Instead, you want to store passwords in hashed format with a salt. Look at ASP.NET Universal Providers or ASP.NET Identity.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
protected void Loginbutton_Click(object sender, EventArgs e)
{
    string connectionString = ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString;
    using (var conn = new SqlConnection(connectionString))
    using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Users WHERE Email=@Email AND Password=@Password", conn))
    {
        cmd.CommandType = CommandType.Text;
        // Typed parameters: the input travels as data and is never concatenated into the SQL text (the password is still compared as stored; see the hashing note above)
        cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = loginemail.Text;
        cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 256).Value = loginpassword.Text;
        conn.Open();
        int temp = Convert.ToInt32(cmd.ExecuteScalar());
        if (temp == 1)
        {
            Session["New"] = loginemail.Text;
            Response.Redirect("Admin.aspx");
        }
        else
        {
            // One message for both failure cases, so the page does not reveal which field was wrong
            Response.Write("Invalid email or password");
        }
    }
}
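Putting the points of this answer together (one parameterized SELECT, one generic failure message, and salted hashes instead of stored plain-text passwords), as an added example that is not the answer's own code. It assumes a Users table with PasswordHash (varbinary), PasswordSalt (varbinary) and Iterations (int) columns, an extra Label named loginmessage in the .aspx markup, and .NET Framework 4.7.2 or later for the SHA-256 overload of Rfc2898DeriveBytes; all of those are assumptions, not something from the original post.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example (not the answer's code). Assumed schema:
// Users(Email nvarchar, PasswordHash varbinary(32), PasswordSalt varbinary(16), Iterations int).
// Needs .NET Framework 4.7.2+ (or .NET Core 2.0+) for the SHA-256 PBKDF2 overload.
public static class LoginCheck
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int DefaultIterations = 100000;

    // Registration side: a fresh random salt per user, PBKDF2-SHA256 over the password.
    public static byte[] HashNewPassword(string password, out byte[] salt, out int iterations)
    {
        salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(salt); }
        iterations = DefaultIterations;
        return ComputeHash(password, salt, iterations);
    }

    public static byte[] ComputeHash(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Login side: one parameterized query, one boolean result. The caller shows the same
    // "Invalid email or password" text whether the e-mail or the password was wrong.
    public static bool VerifyCredentials(string connectionString, string email, string password)
    {
        byte[] storedHash = null;
        byte[] salt = null;
        int iterations = 0;

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash, PasswordSalt, Iterations FROM Users WHERE Email = @Email", conn))
        {
            // Typed parameter: quotes or stray spaces in the input cannot change the SQL.
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    storedHash = (byte[])reader["PasswordHash"];
                    salt = (byte[])reader["PasswordSalt"];
                    iterations = reader.GetInt32(reader.GetOrdinal("Iterations"));
                }
            }
        }

        if (storedHash == null)
        {
            // Unknown e-mail: run the KDF anyway so response time does not reveal
            // whether the account exists.
            ComputeHash(password, new byte[SaltBytes], DefaultIterations);
            return false;
        }

        byte[] candidate = ComputeHash(password, salt, iterations);
        return FixedTimeEquals(candidate, storedHash);
    }

    // Compare every byte regardless of where the first mismatch is, so timing does not leak
    // how much of the hash matched. (CryptographicOperations.FixedTimeEquals does this on
    // .NET Core 2.1+, but it is not available on .NET Framework.)
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Page code-behind. loginemail/loginpassword are the asker's TextBoxes;
// loginmessage is an assumed Label declared in the .aspx markup.
public partial class Login : System.Web.UI.Page
{
    protected void Loginbutton_Click(object sender, EventArgs e)
    {
        string cs = ConfigurationManager.ConnectionStrings["RegConnectionString"].ConnectionString;
        if (LoginCheck.VerifyCredentials(cs, loginemail.Text, loginpassword.Text))
        {
            Session["New"] = loginemail.Text;
            Response.Redirect("Admin.aspx");
        }
        else
        {
            loginmessage.Text = "Invalid email or password";
        }
    }
}
```

At registration, call HashNewPassword and store the returned hash together with the salt and iteration count in the same row; storing the count per row lets you raise it later for new accounts without breaking old ones. The login query only ever selects by e-mail, so the password never appears in the SQL at all, and the single success/failure result gives the page nothing to leak.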
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question, please contact: yoyou2525@163.com.