A misleading?, Mr Adam Tibi, you know that in a systems environment the other departments, like finance or human resources, have no idea how long a project takes in order to reach a good end. We don't even know.
The human resources department at my new job asked me for a 2.0 solution to log in existing users, so I based this solution on my 1.1 development solution, because they want a just-in-time solution. Right now I don't have free time to read about Memberships, so the fastest way is to base a solution on something that you already know.
Good for you, if you know how to implement membership providers, but what happens with the inexperienced developers like me?
The only thing I want is to show my transition between the login PAGE in the .NET 1.1 version and a .NET 2.0 login CONTROL.
Best regards
Keep learning and you will never be out of date...
A misleading, Miss Britney S. Morales, in that I had to look through the code to make sure that I was not missing any feature of .NET 2.0, and then I realised that the author didn't take into account any additions in the second version of ASP.NET. An inexperienced developer might follow your article and waste time reinventing the wheel, in addition to introducing some bugs like the SQL injection security bug.
How weird that you didn't have time to read about the membership subject, but on the other hand you had time to write the article!
Knowing how to use membership providers doesn't require an experienced user, but extending them does, and normally you won't need to do that.
A positive thing to mention about the article is that it is clear and well explained, with nice-looking figures. It looks like you have invested time in it to deliver a better quality job.
Regards,
Adam Tibi
Make it simple, as simple as possible, but not simpler.
Wow, slow down! Forgive my Spanish, I'm from the USA. Well, Adam is right and not right. You can use Membership because it is all included in the .NET Framework. But if you already have a database, it is harder and you need to write your own MembershipProvider code. I am doing this in my project.
However, I still need to use the "Authenticate" event because there is no way to get an exception from the Membership Provider. I want to show friendlier messages to the users. So I need to do it the way you did.
You can use
if (Logeo.RememberMeSet)
instead of
CheckBox chBox = (CheckBox)Logeo.FindControl("RememberMe");
if (chBox.Checked)
All images in the article are so cool!!
AACCoder, I only used the login control; I am working now on how to implement the other controls.
Keep learning and you will never be out of date...
Nice example. The code is not secure, but the objective of saving the user id is OK.
so far so good...
Rolling your own login system might be fun, but it stops there! Have a look at the built-in SQL User/Role/Profile provider. That plugs straight into the login controls and does a fine job of covering any holes. If however you want to use your own system, you can simply inherit from one of the provider base classes and shape your own backend (easier said than done though!).
Cheers
A few questions, if you do not mind:
1. Are you using the ASP.NET 2.0 built-in login control? Not clear.
2. ExecuteReader() may return more than 1 row. How would you handle such a case?
3. You do not close a connection in case of an error.
4. How about "Forgot password?" scenario?
1. The sample images look like 2005
2. A simple unique index on username takes care of that scenario.
3. Maybe wrap the connection in a using
4. Asp.Net 2.0 password recovery control?
1. Yes, it's ASP.NET 2.0
2. Good question, I must evaluate whether to use the statement
string cod_user = comandoSql.ExecuteScalar().ToString();
3. Yes, that's bad luck, I will modify the code. Thanks
4. Edboe is right, ASP.NET 2.0 password recovery control. How to implement it, I'm working on that...
Keep learning and you will never be out of date...
Sorry, I have a question.
When your database is not MSSQL, how can we use the login control? Have you worked it out?
Happy to see your reply.
I didn't work over any database engine other than SQL.
But I have some ideas.
Normally you connect to another database (not SQL) using a DSN (data source name) with an ODBC control, so the only thing that changes in the example code will be the database connection query, and all the database controls will not be SqlDataReader, SqlCommand...; they are OdbcDataReader, OdbcCommand, etc.
Keep learning and you will never be out of date...
Thanks for your reply. What DB do you work over, and do you use forms authentication?
The example was worked over SQL Server 2005 Express, but I changed the SqlConnection string in order to use it over SQL Server 2005 Standard Edition. Both examples work with forms authentication.
Keep learning and you will never be out of date...
this might help....
http://www.microsoft.com/events/series/essentialaspnet.mspx
http://www.microsoft.com/events/series/msdnwebdev.mspx
http://pluralsight.com/fritz/webcasts.aspx
http://www.microsoft.com/events/series/technetsqlserver2005.mspx
keep coding...
Great article for beginners. You may also want to add a section to this article on how to stop SQL injection attacks.
The line:
string sql =
"SELECT coduser, nameuser FROM users WHERE iduser = '" +
id_user + "' AND passuser = '" + pass_user + "'";
Could be circumvented.
I'm confused, isn't the statement right? I'm sure it's easy to attack; could you help me make it safer?
Keep learning and you will never be out of date...
The SQL query is correct as written. Normally, a user would correctly enter their username and password, so the SQL statement will look like this:
SELECT coduser, nameuser FROM users WHERE iduser = 'BMorales' AND passuser = 'mypassword'
A problem could arise if a (malicious) user enters text that shortcuts this statement. If the user enters "' or 1=1 --", the statement becomes:
SELECT coduser, nameuser FROM users WHERE iduser = '' or 1=1 -- ' AND passuser = ''
As you know, the -- is a comment, thus truncating the SQL string to:
SELECT coduser, nameuser FROM users WHERE iduser = '' or 1=1
Since 1=1 is true, they will always get in.
Britney S. Morales wrote: I'm confused, isn't the statement right? I'm sure it's easy to attack; could you help me make it safer?
Take a look at this article by Colin Mackay
Britney, change your code like this:
using System.Data.SqlClient;
string sql = "SELECT coduser, nameuser FROM users WHERE iduser = @ID AND passuser = @PWD";
using (SqlConnection connection = new SqlConnection(...))
using (SqlCommand command = new SqlCommand(sql, connection))
{
    // Bound parameters are sent as values, so user input can never alter the query text.
    command.Parameters.AddWithValue("@ID", userID);
    command.Parameters.AddWithValue("@PWD", password);
    connection.Open();
    using (SqlDataReader reader = command.ExecuteReader())
    {
        if (reader.Read())
        {
            // login succeeded: read reader["coduser"] and reader["nameuser"] here
        }
        else
        {
            // login failed: no row matched the user id and password
        }
    }
}
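The walkthrough of the "' or 1=1 --" input a few posts up and the parameterized rewrite just above can be checked end to end without a SQL Server. The following is an added example, not code from the article or from any poster: it uses Python's built-in sqlite3 module standing in for SqlCommand/SqlDataReader, builds a constructed "users" table with the article's column names (coduser, nameuser, iduser, passuser), and runs the concatenated query beside the parameterized one against both a normal login and the payload from the thread. It also puts a unique index on iduser, which is the "more than one row" fix Edboe suggested, so a duplicate username is rejected at insert time. Table contents, the index name and the helper names are assumptions for the demo; like the article's table, it stores passwords in clear text, which a production system would replace with a salted hash.

```python
import sqlite3

# Constructed schema mirroring the article's "users" table. The UNIQUE index on
# iduser (assumed name ux_users_iduser) guarantees a login lookup can match at
# most one row, which is the thread's answer to "ExecuteReader may return >1 row".
SCHEMA = """
CREATE TABLE users (
    coduser  INTEGER PRIMARY KEY,
    nameuser TEXT NOT NULL,
    iduser   TEXT NOT NULL,
    passuser TEXT NOT NULL   -- clear text only to mirror the article; hash in real code
);
CREATE UNIQUE INDEX ux_users_iduser ON users(iduser);
"""

# Constructed sample rows; names borrowed from the thread, passwords invented.
SAMPLE_ROWS = [
    (1, "Britney Morales", "BMorales", "mypassword"),
    (2, "Adam Tibi", "ATibi", "secret2"),
]


def new_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_concatenated(conn, id_user, pass_user):
    """The article's vulnerable pattern: the query text is built from user input."""
    sql = ("SELECT coduser, nameuser FROM users WHERE iduser = '" + id_user +
           "' AND passuser = '" + pass_user + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, id_user, pass_user):
    """The fix from the thread: placeholders, values bound separately from the SQL."""
    sql = "SELECT coduser, nameuser FROM users WHERE iduser = ? AND passuser = ?"
    return conn.execute(sql, (id_user, pass_user)).fetchall()


def add_user(conn, coduser, nameuser, iduser, passuser):
    """Returns False when the unique index rejects a duplicate username."""
    try:
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (coduser, nameuser, iduser, passuser))
        return True
    except sqlite3.IntegrityError:
        return False


def demo():
    """Run both query styles against a valid login and the thread's payload."""
    conn = new_db()
    payload = "' or 1=1 --"  # the exact input discussed in the thread
    return {
        "concat_valid": login_concatenated(conn, "BMorales", "mypassword"),
        "concat_payload": login_concatenated(conn, payload, ""),   # every row comes back
        "param_valid": login_parameterized(conn, "BMorales", "mypassword"),
        "param_payload": login_parameterized(conn, payload, ""),   # no row: it is just a string
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

Note that the concatenated query with the payload does not merely let the attacker in: it returns the whole table, so whichever row ExecuteReader happens to read first becomes the logged-in user. The parameterized version treats the same input as a literal username and matches nothing, and the unique index makes the "two rows for one username" case impossible regardless of which query style is used.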
You can use SqlParameter to avoid SQL injection, but that doesn't solve everything.
Do you really look that good?
I suppose that you have no problems with the implementation of the control.
Keep learning and you will never be out of date...