
Issue with password in user login system. C#

I have developed a web application in Visual Studio 2010 and am attempting to add a user login system to this application. So far I am having trouble validating the user's password, as the program informs me that all passwords are incorrect even if it matches the one associated to that username. This is the code I have written so far:

    protected void n_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
        con.Open();
        string cmdStr = "select count(*) from Registration where UserName='" + TextBoxUserName.Text + "'";
        SqlCommand CheckUser = new SqlCommand(cmdStr, con);
        int Temp = Convert.ToInt32(CheckUser.ExecuteScalar().ToString());
        if (Temp == 1)
        {
            string cmdStr2 = "Select Password from Registration where UserName ='" + TextBoxUserName.Text + "'";
            SqlCommand pass = new SqlCommand(cmdStr2, con);
            string password = pass.ExecuteScalar().ToString();
            con.Close();

            if (password == TextBoxPassword.Text)
            {
                Session["New"] = TextBoxUserName.Text;
                Response.Redirect("HomePage.aspx");
            }
            else
            {
                Label1.Visible = true;
                Label1.Text = "Password is invalid";
            }
        }
        else
        {
             Label1.Visible = true;
             Label1.Text = "Username is invalid";
        }


    }
}

}

Regardless of what password is entered the program will output 'password is invalid' which indicates that the issue is with the first part of the if statement? or the variables it uses? It might also be worth mentioning that an invalid username flags up in the same way, and this works fine.

Thanks in advance :)

Use ASP.NET authentication instead

What you're doing seems way too complex for what it's supposed to do.

Edit: I edited my answer after the user commented:

    public bool Login(String uName, String pasw)
    {
        // connString is the application's connection string, defined elsewhere.
        using (SqlConnection myConnection = new SqlConnection(connString))
        {
            // The user input is passed as parameters, never concatenated into the SQL text.
            string oString = "Select ID from yourTable where username = @username AND paswoord = @password";
            SqlCommand oCmd = new SqlCommand(oString, myConnection);
            oCmd.Parameters.AddWithValue("@username", uName);
            oCmd.Parameters.AddWithValue("@password", pasw);
            string id = null;
            myConnection.Open();
            using (SqlDataReader oReader = oCmd.ExecuteReader())
            {
                while (oReader.Read())
                {
                    id = oReader["id"].ToString();
                }
            }
            // The enclosing using block closes the connection.
            // A row came back only if both the username and the password matched.
            return id != null;
        }
    }

You could try something like this. Also, it might have nothing to do with it, but some databases don't like it when you name an attribute "password", you could try changing it to "pw" or "pasw" or whatever.
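A hardened form of the login check discussed on this page, as an added example that is not part of the original question or answer: the username is bound as a parameter and the database holds a salted PBKDF2 hash instead of the password itself. The `PasswordHash` and `PasswordSalt` columns (varbinary), the iteration count and the `LoginCheck` class are assumptions, and the `Rfc2898DeriveBytes` overload used needs .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginCheck
{
    const int Iterations = 100000; // assumed work factor; must equal the value used at registration
    const int HashBytes = 32;

    // Derive the PBKDF2-HMAC-SHA256 value that is stored in place of the password.
    // The salt must be at least 8 bytes and unique per user.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte instead of returning at the first difference.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool Login(string connString, string userName, string password)
    {
        // PasswordHash and PasswordSalt are hypothetical column names.
        const string sql = "SELECT PasswordHash, PasswordSalt FROM Registration WHERE UserName = @username";
        using (var con = new SqlConnection(connString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Explicit type and length (256 is an assumed column size) keep the input as data.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = userName;
            con.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // unknown user: same result as a wrong password
                var storedHash = (byte[])reader["PasswordHash"];
                var salt = (byte[])reader["PasswordSalt"];
                return FixedTimeEquals(storedHash, HashPassword(password, salt));
            }
        }
    }
}
```

The page would call `LoginCheck.Login(...)` and show one message for both failure cases, so the form does not reveal which usernames exist.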
