
Publish ASP.NET website on server using IIS

I have created a website. It is a logon page and it works fine in debug, but when I deploy it on the server I get a strange error. When I click on login I get this error:

     Invalid column name 'aa'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Invalid column name 'aa'.

Source Error:


Line 33: 
Line 34:                 DataSet ds = new DataSet();
Line 35:                 dataAdapter.Fill(ds);
Line 36:                 DataTable dt = ds.Tables[0];
Line 37: 


Source File: c:\inetpub\wwwroot\login.aspx.cs    Line: 35

Stack Trace:


[SqlException (0x80131904): Invalid column name 'aa'.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +388
   System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +717
   System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) +4515
   System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() +61
   System.Data.SqlClient.SqlDataReader.get_MetaData() +134
   System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +6557689
   System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, SqlDataReader ds) +6560327
   System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean asyncWrite) +586
   System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +104
   System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) +288
   System.Data.SqlClient.SqlCommand.ExecuteDbDataReader(CommandBehavior behavior) +171
   System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) +15
   System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +325
   System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +420
   System.Data.Common.DbDataAdapter.Fill(DataSet dataSet) +275
   login.ValidateUser(Object sender, EventArgs e) in c:\inetpub\wwwroot\login.aspx.cs:35
   System.Web.UI.WebControls.Login.AttemptLogin() +160
   System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +93
   System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +84
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3804


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.342

As I expect, it must say wrong login, but it throws this error. Here is my code:

 protected void ValidateUser(object sender, EventArgs e)
{
    int userId = 0;
    string constr = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
    using (SqlConnection con = new SqlConnection(constr))
    {
        string query = "SELECT [OBJECTID] from dbo.OWNER where [owner_id]=" + Login1.UserName;
        using (SqlDataAdapter dataAdapter = new SqlDataAdapter(query, con))
        {

            con.Open();


            SqlCommandBuilder commandBuilder = new SqlCommandBuilder(dataAdapter);


            DataSet ds = new DataSet();
            dataAdapter.Fill(ds);
            DataTable dt = ds.Tables[0];

            userId = Convert.ToInt32(dt.Rows[0][0]);
            if (userId.ToString() != Login1.Password)
            {
                userId = -1;

            }
            con.Close();
        }
        switch (userId)
        {
            case -1:
                Login1.FailureText = "نام کاربری یا کلمه عبور صحیح نیست";
                break;
            case 0:
                Login1.FailureText = "نام کاربری یا کلمه عبور صحیح نیست";
                break;
            case -2:
                //Login1.FailureText = "Account has not been activated.";
                break;
            default:
                FormsAuthentication.RedirectFromLoginPage(Login1.UserName, Login1.RememberMeSet);
                break;
        }
    }
}

And here is the database connection in the web.config file:

    <connectionStrings>
        <add name="constr" connectionString="Data Source=XXX.xxx.xxx.xxx\sqlexpress;Initial Catalog=land_gis;Persist Security Info=True;User ID=Land;Password=password"/>
    </connectionStrings>

Do you think the problem is with the database connection? I can run it in debug with this connection without a problem, but when I copy the files to wwwroot it causes a problem. Should I add the database to IIS or something like that?

Thank you very much for your help.

Unless Login1.UserName is a number, this isn't going to work in dev either. Your query is not parameterized properly, and you don't have quotes, so the query will read SELECT [OBJECTID] from dbo.OWNER where [owner_id]=aa (assuming you're typing "aa" in the username box).

And if you attempt to run this query, it will think that aa is a column name rather than a real value.

Parameterize your query, and you should be fine.

EDIT

Somehow I'm not finding a good, short, simple tutorial for using parameterized queries in C#. Here it is in a nutshell:

When you write your query, you put variables in as placeholders for values you'll pass in later. When you execute the command in C#, you populate those variables. This makes your code safe against SQL injection (someone executing unwanted script by injecting SQL statements into your query), and it also means you don't have to worry about all the quotation marks.

In C#, using a DataSet the way you are, it looks something like:

using (var con = new SqlConnection(constr))
{
    con.Open();
    string query = "SELECT [OBJECTID] from dbo.OWNER where [owner_id] = @OwnerID";
    using (var com = new SqlCommand(query, con))
    {
        com.Parameters.AddWithValue("@OwnerID", Login1.UserName);
        using (var da = new SqlDataAdapter(com))
        {
            var ds = new DataSet();
            da.Fill(ds);
            Console.WriteLine(ds.Tables[0].Rows[0][0]);
        }
    }
}

There are dozens of ways of writing the same code (different constructors, different ways of retrieving data, etc.), but the important thing is to never allow user input to go directly into a query's text, but rather attach parameters to the query instead.
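
Added example (not part of the original answer or the asker's project): the two query styles discussed above, run against an in-memory SQLite database standing in for SQL Server, using the page's OWNER, OBJECTID and owner_id names with constructed rows. It shows the concatenated input being parsed as SQL (so aa is read as a column name) while the bound parameter is only ever compared as a value; the function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed sample rows in an in-memory SQLite database (stand-in for SQL Server)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE OWNER (OBJECTID INTEGER, owner_id INTEGER)")
    con.executemany("INSERT INTO OWNER VALUES (?, ?)", [(101, 1), (102, 2), (103, 3)])
    return con

def lookup_concatenated(con, user_name):
    """The question's pattern: the input becomes part of the SQL text."""
    query = "SELECT OBJECTID FROM OWNER WHERE owner_id=" + user_name
    try:
        return [row[0] for row in con.execute(query)]
    except sqlite3.Error as exc:
        # The database parsed the input as SQL and rejected it.
        return "error: " + str(exc)

def lookup_parameterized(con, user_name):
    """The answer's pattern: the input is bound as a value, never parsed as SQL."""
    query = "SELECT OBJECTID FROM OWNER WHERE owner_id = ?"
    return [row[0] for row in con.execute(query, (user_name,))]

def validate_user(con, user_name, password):
    """Mirrors the question's check (OBJECTID compared with the password),
    but fails closed: no matching row, or a mismatch, is a wrong login."""
    rows = lookup_parameterized(con, user_name)
    return len(rows) == 1 and str(rows[0]) == password

if __name__ == "__main__":
    con = make_db()
    # "2" is a number, "aa" is free text, "owner_id" happens to be a column name.
    for name in ["2", "aa", "owner_id"]:
        print(repr(name),
              "concatenated:", lookup_concatenated(con, name),
              "parameterized:", lookup_parameterized(con, name))
    print("login with 'aa':", validate_user(con, "aa", "x"))
```

With concatenation, a numeric input works, free text raises a column error, and an input that matches a real column name turns the filter into a comparison of the column with itself; with the parameter, all three are treated as plain values.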

Your connection seems to be working fine since it says Invalid column name 'aa' in the stack trace. But your query doesn't have this column. It only has OBJECTID.

This could happen if you added column aa to your query for some reason and deployed the code with that error.
