USER is a reserved keyword in SQL:
Reserved Keywords (Transact-SQL)
You either need to change your table name to something else, or enclose it in square brackets:
SELECT * FROM [USER] WHERE ...
You also don't need to select all columns and load a DataTable just to test whether a row exists:
using (SqlCommand cmd = new SqlCommand("SELECT 1 FROM [USER] WHERE EmailAddress = @EmailAddress AND Password = @Password", dbConnection))
{
    // Parameter names must match the placeholders in the query exactly
    cmd.Parameters.AddWithValue("@EmailAddress", tbEmail.Text);
    cmd.Parameters.AddWithValue("@Password", tbPass.Text);

    // ExecuteScalar returns the first column of the first row, or null when no row matches
    object result = cmd.ExecuteScalar();
    if (result == null || Convert.IsDBNull(result))
    {
        lblText.Text = "WRONG USERNAME OR PASSWORD";
    }
    else
    {
        Response.Redirect("Default.aspx");
    }
}
You're storing passwords as plain-text. That's a security vulnerability waiting to happen. You should only ever store a salted hash of the user's password:
Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
And why are you re-inventing the wheel? ASP.NET has several perfectly good authentication systems available already - for example:
ASP.NET Identity | The ASP.NET Site
BrockAllen.MembershipReboot
Introduction to Membership