Whenever I log in to the site, I get "Input string was not in a correct format."

My source code:

C#
protected void Button1_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection("Data Source=AMMA-PC;Initial Catalog=Autherzation;Integrated Security=True");
    con.Open();
    SqlCommand cmd = new SqlCommand("select * from Login where UserName='" + TextBox2.Text + "' and PassWord='" + TextBox1.Text + "'", con);
    int s = Convert.ToInt32(cmd.ExecuteScalar());
    if (s == 0)
    {
        FormsAuthentication.RedirectFromLoginPage(TextBox2.Text, true);
    }
    else
    {
        Label3.Text = "Invalid UserName/Passwod";
    }
}


Button1_Click is the login button's click event.

My database is like this:


Column name   Data type     Allow nulls
FirstName     Varchar(50)   Yes (checked)
LastName      Varchar(50)   Yes (checked)
Email         Varchar(50)   Yes (checked)
Password      Varchar(50)   Yes (checked)



The error occurs at this statement; the error is "Input string was not in a correct format."

C#
int s = Convert.ToInt32(cmd.ExecuteScalar());


Can you please help me?

Thank you.

What I have tried:

Input string was not in a correct format.

// Note: `con` is not declared in this version of the handler; it is assumed to be a field declared elsewhere in the page class.
protected void Button1_Click(object sender, EventArgs e)
{
    con.Open();
    SqlCommand cmd = new SqlCommand("select * from Login where UserName='" + TextBox2.Text + "' and PassWord='" + TextBox1.Text + "'", con);
    int s = Convert.ToInt32(cmd.ExecuteScalar());
    if (s == 0)
    {
        FormsAuthentication.RedirectFromLoginPage(TextBox2.Text, true);
    }
    else
    {
        Label3.Text = "Invalid UserName/Passwod";
    }
}
Updated 12-Jun-16 8:29am
Comments
Vincent Maverick Durano 14-Jun-16 8:44am    
I'd agree with OriginalGriff about the things he listed. Very well said. I'd like to add one more. Make it a habit to use the using block when dealing with objects that eat resources, such as SqlConnection and SqlCommand. This will ensure that the object is properly disposed and closed.

1 solution

There are a number of more serious problems here you need to look at:
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack, which can destroy your entire database. Use parameterized queries instead. Particularly with a login system, where users don't even have to know a username to delete your DB! :doh:
2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.
3) Never "hard-code" connection strings: it means you have to find and change each and every one if there is any change in your system. For example, when you release this to production...
4) You do realise that emails can be considerably longer than 50 characters, don't you?
5) Don't use SELECT * FROM - it's inefficient and can cause problems. List only the columns you need to fetch.
6) And finally... you can't use ExecuteScalar with a SELECT that returns multiple values! Which is why you get the error you are getting: you can't cast 4 columns to an integer... Use SELECT COUNT(*) or a DataReader / DataAdapter instead.

I'd also strongly suggest that you use an ID column on your DB as well: either an IDENTITY field or a UNIQUEIDENTIFIER.
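The following is an added example, not code from the question, the solution above or Vincent Maverick Durano's comment, showing how the login handler looks once the solution's points 1, 2, 3, 5 and 6 and the comment's advice about using blocks are applied together. It keeps the page's names (Button1_Click, TextBox1 for the password, TextBox2 for the user name, Label3, the Login table and its UserName column) and assumes three things that are not on the page: a connectionStrings entry named "LoginDb" in web.config, that the Login table stores a PBKDF2 hash and salt in varbinary columns named PasswordHash and PasswordSalt instead of the clear-text PassWord column, and an iteration count of 100000.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

public partial class LoginPage : System.Web.UI.Page
{
    // Assumed values: tune the iteration count to what your server can afford per login.
    private const int Pbkdf2Iterations = 100000;
    private const int HashLength = 32;
    private const int SaltLength = 16;

    protected void Button1_Click(object sender, EventArgs e)
    {
        string userName = TextBox2.Text;
        string password = TextBox1.Text;

        if (VerifyCredentials(userName, password))
        {
            FormsAuthentication.RedirectFromLoginPage(userName, true);
        }
        else
        {
            // Same message for an unknown user and a wrong password, so the page
            // does not reveal which user names exist.
            Label3.Text = "Invalid UserName/Password";
        }
    }

    private static bool VerifyCredentials(string userName, string password)
    {
        // Point 3: the connection string lives in configuration, not in the source file.
        string connStr = ConfigurationManager.ConnectionStrings["LoginDb"].ConnectionString;
        byte[] storedHash, storedSalt;

        // Comment's advice: using blocks dispose the connection and command even on exception.
        using (SqlConnection con = new SqlConnection(connStr))
        // Point 1: the user name is bound as a parameter, never spliced into the SQL text.
        // Point 5: only the columns actually needed are listed.
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordHash, PasswordSalt FROM Login WHERE UserName = @UserName", con))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 50).Value = userName;
            con.Open();
            // Point 6: a reader handles a row with several columns; ExecuteScalar returns one value.
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    return false; // unknown user
                }
                storedHash = (byte[])reader["PasswordHash"];
                storedSalt = (byte[])reader["PasswordSalt"];
            }
        }

        // Point 2: derive a salted PBKDF2 hash of the entered password and compare it
        // with the stored hash; the clear-text password is never stored or compared.
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, storedSalt, Pbkdf2Iterations))
        {
            candidate = kdf.GetBytes(HashLength);
        }
        return FixedTimeEquals(candidate, storedHash);
    }

    // Used when an account is created: produces the random salt and the hash to store
    // in PasswordSalt and PasswordHash (assumed column names).
    public static void HashNewPassword(string password, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltLength];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
        {
            hash = kdf.GetBytes(HashLength);
        }
    }

    // Constant-time comparison: the loop always runs over every byte, so response time
    // does not depend on how many leading bytes of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

The query deliberately selects by user name only and lets the application compare hashes; putting the password into the WHERE clause would force the database to hold it in a comparable form. With a unique index on UserName the reader sees at most one row, which is also where the solution's suggestion of an IDENTITY or UNIQUEIDENTIFIER key fits.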
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)