Hello, I am having a problem with this code; can anyone help me? The program runs, but it allows login with a wrong user name and password. I have created a stored procedure for this, so can anyone help me improve this code?


stored procedure
SQL
ALTER proc [dbo].[res] @uname varchar(50) = null, @pword varchar(50) = null
as
select user_name, pass from test3 where user_name = isnull(@uname, user_name) and pass = isnull(@pword, pass)



asp.net code

using System;
using System.Data;
using System.Data.SqlClient;

public partial class login : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection();
    SqlCommand cmd = new SqlCommand();

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        try
        {
            con.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings["loginconnectionstring"].ConnectionString;
            con.Open();
            cmd.Connection = con;
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "res";
            // Add(string, object) is the obsolete overload; AddWithValue or a typed Add is the current form.
            cmd.Parameters.Add("@uname", TextBox1.Text);
            cmd.Parameters.Add("@pword", TextBox2.Text);
            // Runs the procedure but discards its result set: the rows it does or does
            // not return are never examined, so the lines below run on every click.
            cmd.ExecuteNonQuery();
            Label3.Visible = true;
            Label3.Text = "login Successful";
            TextBox1.Text = "";
            TextBox2.Text = "";
        }
        catch (Exception ex)
        {
            // Only connection/SQL errors land here; a non-matching login is not an exception.
            // This writes the full exception text, stack trace included, into the page.
            Label4.Visible = true;
            Label4.Text = ex.ToString();
        }
        finally
        {
            con.Close();
        }
    }
}

Your SP has
SQL
where user_name = isnull(@uname,user_name)


which means passing a null user name and password will return every record on the table - you just don't need the Isnull - use

SQL
where user_name = @uname


In your C# you ExecuteNonQuery - but you are executing a query! You probably want to execute this and look at the returned records - there will be zero records for an invalid user name and password.

If you do just want a test (my logins usually return some user data too so I can display "Welcome Back Max" instead of "Welcome Back Maxxxx0192") you could change the SP to return a value - something like

if exists(select 1 from usertable where name=@name and pwd=@pwd)
return 1
else
return 0



Then - in your code you execute the query then set the label to visible - I assume you were expecting an exception on the ExecuteNonQuery - you won't get one unless your SP is invalid - i.e. syntactically incorrect.

So you need to do

int result = cmd.ExecuteNonQuery();

then test result for 0 or 1.
Comments
rgboss 19-Mar-13 5:28am    
thank you Maxxxx very much
Hi Dear,

Here the thing is simple: just check your stored procedure. You are checking the username and password and trying to get the values from that record if it exists. But when accessing those values from your code, you used ExecuteNonQuery(), which should be used only when you are manipulating data (DML: Insert, Update and Delete).

Instead of that, use a DataReader: assign the result of the stored proc to the DataReader, and if the DataReader HasRows, then say "Login Successful".

Cheers....
Comments
rgboss 19-Mar-13 5:27am    
Thank you sanjeev... it was helpful.
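Putting the two answers together, as an added example that is not code from the question or from either answer: the procedure without the ISNULL defaults, and a C# helper that calls it with ExecuteReader and treats an empty result set as a failed login. The procedure name res_check, the helper's name and signature, and the generic failure message are assumptions; the table and column names are the question's, and the comparison against the plaintext pass column is kept as the page has it.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck
{
    // Corrected procedure, assumed to be created as [dbo].[res_check] (not on the page):
    //   CREATE PROC dbo.res_check @uname varchar(50), @pword varchar(50)
    //   AS
    //   SELECT user_name FROM test3 WHERE user_name = @uname AND pass = @pword;
    // No ISNULL defaults: a NULL parameter must never widen the WHERE clause
    // until every row matches.

    // True only when the procedure returns at least one matching row.
    public static bool IsValidLogin(string connectionString, string userName, string password)
    {
        // Empty input never reaches SQL Server; it cannot match a real account anyway.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("res_check", con))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Typed, sized parameters: the values travel as data, never as SQL text.
            cmd.Parameters.Add("@uname", SqlDbType.VarChar, 50).Value = userName;
            cmd.Parameters.Add("@pword", SqlDbType.VarChar, 50).Value = password;

            con.Open();
            // ExecuteReader, not ExecuteNonQuery: the result set is the answer.
            // (With a RETURN 1/0 procedure as in the first answer, the value is read
            // from a parameter whose Direction is ParameterDirection.ReturnValue,
            // not from the int that ExecuteNonQuery returns.)
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                return reader.HasRows;
            }
        }
    }
}

// In Button1_Click the labels are then driven by the result, not by whether an
// exception was thrown (constructed usage; connStr is the page's connection string):
//   bool ok = LoginCheck.IsValidLogin(connStr, TextBox1.Text, TextBox2.Text);
//   Label3.Visible = true;
//   Label3.Text = ok ? "login Successful" : "Invalid user name or password";
// Keep the catch block for SQL errors, but log ex server-side and show a generic
// message; writing ex.ToString() into Label4 exposes the stack trace to the user.
```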

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)