I have a registration page where a new user can set up a username and password. I also have the code to check whether the username is in the database, to see if it is an authorized user first. The user has a @yahoo.com address. When the user enters their email address everything goes ok until the user clicks on submit. The error comes up saying, "User Name Is Not Recognized by The System!!!". Why is this happening? The user is in the database.

C#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Web.Security;
using System.Security.Cryptography;

public partial class SubmitPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        
        
        if (IsPostBack)
        {
            SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
            con.Open();
            // Existence check built by string concatenation: an apostrophe in
            // TextBoxEA.Text either breaks the statement or changes its meaning.
            string cmdStr = "Select count(*) from Tablepass where EmailAddress='" + TextBoxEA.Text + "'";
            SqlCommand userExist = new SqlCommand(cmdStr, con);
            // 'cmd' is built but never executed.
            SqlCommand cmd = new SqlCommand("select INST_ID, EmailAddress from Tablepass", con);
            int temp = Convert.ToInt32(userExist.ExecuteScalar().ToString());
            if (temp == 1)
            {
                ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Already Exist!!!');", true);
                TextBoxEA.Focus();
                TextBoxEA.Text = string.Empty;
            }
            con.Close();
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString);
        con.Open();

        // cmdStr, cmdStr2 and insCmd2 are built but never executed; cmdStr and
        // cmdStr2 also concatenate user input into the SQL text.
        string cmdStr = "Select INST_ID, accessLevel, EmailAddress from Table1 where EmailAddress='" + TextBoxEA.Text + "'";
        string cmdStr2 = "Select INST_ID, accessLevel, EmailAddress from Table2 where EmailAddress='" + TextBoxEA.Text + "'";
        // The insert itself is parameterized, so the failure reported below is
        // not caused by quoting in this statement.
        string insCmd = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";
        string insCmd2 = "Insert into Tablepass (EmailAddress, Password, INST_ID, accessLevel) values (@EmailAddress, @Password, @INST_ID, @accessLevel)";

        SqlCommand insertUser = new SqlCommand(insCmd, con);
        SqlCommand insertUser2 = new SqlCommand(insCmd2, con);

        insertUser.Parameters.AddWithValue("@EmailAddress", TextBoxEA.Text);
        insertUser.Parameters.AddWithValue("@Password", TextBoxPW.Text);
        insertUser.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text);
        insertUser.Parameters.AddWithValue("@accessLevel", TextBoxaccessLevel.Text);

        try
        {
            insertUser.ExecuteNonQuery();
            // Response.Redirect ends the response by throwing ThreadAbortException,
            // which the catch-all below also receives.
            Response.Redirect("Login.aspx");
        }
        catch (Exception er)
        {
            // Catch-all: every failure (bad input, SQL error, server down, ...)
            // is reported with the same message and 'er' is never logged.
            ScriptManager.RegisterStartupScript(this, this.GetType(), "script", "alert('User Name Is Not Recognized by The System!!!');", true);
        }
        finally
        {
            con.Close();
        }
    }

    protected void TextBoxEA_TextChanged(object sender, EventArgs e)
    {

        using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
        {
            con.Open();

            SqlCommand scmd = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from Table1 where EmailAddress = @TextBoxEA", con);
            SqlCommand scmd2 = new SqlCommand("Select INST_ID, EmailAddress, accessLevel from Table2 where EmailAddress = @TextBoxEA", con);

            scmd.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));
            scmd2.Parameters.Add(new SqlParameter("@TextBoxEA", TextBoxEA.Text));

            TextBoxINST_ID.Text = string.Empty;
            TextBoxaccessLevel.Text = string.Empty;

            using (SqlDataReader dr = scmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    TextBoxINST_ID.Text = dr["INST_ID"].ToString();
                    TextBoxaccessLevel.Text = dr["accessLevel"].ToString();
                    
                }
            }

            using (SqlDataReader dr2 = scmd2.ExecuteReader())
            {
                while (dr2.Read())
                {
                    TextBoxINST_ID.Text = dr2["INST_ID"].ToString();
                    TextBoxaccessLevel.Text = dr2["accessLevel"].ToString();
                    
                }
            }

        }
    }
}
Comments
phil.o 26-Nov-13 10:02am    
Your code leaves your application opened to SQL injection attacks.
For example, if someone enters the following in TextBoxEA:
'; DROP TABLE Tablepass;--
then you're busted
You should use parameterized queries instead.
Computer Wiz99 26-Nov-13 10:06am    
Thanks phil.o. I am working on that as we speak. Do you know why the user can't register the email address from yahoo?
phil.o 26-Nov-13 10:28am    
No, I don't. Sorry.
Computer Wiz99 26-Nov-13 11:07am    
Ok. Thanks anyway.
Homero Rivera 26-Nov-13 11:45am    
It might not be an issue with yahoo, but the email address of that particular user (due to the sql injection). Have you made tests with other yahoo addresses? "test@yahoo.com", for example?
The email address of the person attempting could contain some bad characters.

1 solution

There are a few issues here; each of which may contribute to the problem, and each of which you need to fix anyway. I can't give you any fish, but I'll try to teach you to fish:


  • As mentioned, do not concatenate user input when creating a SQL query or you will (often in a matter of hours after being indexed by a search engine) be compromised by a SQL injection attack.
  • Even if not for SQL injection, the code will not work with many valid email addresses. For example john.o'leary@yahoo.com or even '@yahoo.com are valid email addresses and will break your script. Don't believe me? Send me an email to ' at redcell.ca
  • In fact, many valid email addresses can break fragile systems. Did you know that "()<>[]:,;@\"!#$%&'*+-/=?^_`{}| ~ ? ^_`{}|~.a"@yahoo.org is a valid email address? Read my rant.
  • Avoid ever using a universal, Hail Mary, Save Me Jebus!, or catch-all try/catch block; that is: catch (Exception ex). Your code will output Name Is Not Recognized by The System if:

    • the name is not recognized by the system
    • there is an error in your SQL syntax
    • the SQL server is offline
    • the SQL server is too busy to reply in time
    • table tablePass doesn't exist
    • a division by zero error occurs
    • the web server runs out of memory
    • the address '@yahoo.com is used
    • I bet you can think of 20 more reasons here

Fix these issues, either your issue will be fixed, or the underlying issue will be staring at you.
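The following is an added example, not part of the answer above or of the asker's code. It uses Python's sqlite3 module as a stand-in for ADO.NET/SQL Server so it runs offline; the SEED_USERS rows, the probe addresses and the UNIQUE constraint on EmailAddress are constructed for the demonstration. It runs the page's count(*) existence check twice over the addresses the answer names, once by string concatenation as in the question and once with a bound parameter, and replaces the catch-all in Submit_Click with a handler that only translates the duplicate-user case into a user-facing message. The Password column is kept as plain text only to mirror the page's schema; a real registration page stores a password hash, not TextBoxPW.Text.

```python
import sqlite3

# Constructed rows standing in for the page's Tablepass table (assumption:
# the ASP.NET page would read these from SQL Server via SqlConnection).
SEED_USERS = [
    ("alice@example.com", "pw1", "100", "1"),
    ("bob@example.com", "pw2", "101", "2"),
]

# Inputs the answer discusses: a normal address, two valid addresses that
# contain an apostrophe, and a single-statement injection payload. (phil.o's
# multi-statement '; DROP TABLE ...' payload is rejected by sqlite3.execute,
# which runs one statement at a time; SqlCommand would run the whole batch.)
PROBE_ADDRESSES = [
    "alice@example.com",
    "john.o'leary@yahoo.com",
    "'@yahoo.com",
    "' OR '1'='1",
]


def make_db():
    """In-memory SQLite stand-in for the database. The UNIQUE constraint is an
    assumption added so that a duplicate registration raises a specific,
    catchable error instead of silently inserting a second row."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Tablepass (EmailAddress TEXT UNIQUE, Password TEXT, "
        "INST_ID TEXT, accessLevel TEXT)"
    )
    con.executemany("INSERT INTO Tablepass VALUES (?, ?, ?, ?)", SEED_USERS)
    con.commit()
    return con


def count_concatenated(con, email):
    """The page's Page_Load check, built by string concatenation exactly as in
    the question. Returns the count, or an 'error: ...' string when the
    user's input breaks the statement."""
    sql = "SELECT count(*) FROM Tablepass WHERE EmailAddress='" + email + "'"
    try:
        return con.execute(sql).fetchone()[0]
    except sqlite3.Error as e:
        return "error: " + type(e).__name__


def count_parameterized(con, email):
    """Same check with a bound parameter: the driver passes the value out of
    band, so quotes and SQL keywords inside it are just data. In ADO.NET this
    is SqlCommand.Parameters.AddWithValue("@EmailAddress", ...)."""
    sql = "SELECT count(*) FROM Tablepass WHERE EmailAddress = ?"
    return con.execute(sql, (email,)).fetchone()[0]


def register(con, email, password, inst_id, access_level):
    """Parameterized insert with a narrow handler. Only the duplicate-user case
    becomes a user-facing message; any other failure (syntax error, missing
    table, server down) propagates so it is logged and seen, instead of being
    reported as 'User Name Is Not Recognized by The System'."""
    sql = (
        "INSERT INTO Tablepass (EmailAddress, Password, INST_ID, accessLevel) "
        "VALUES (?, ?, ?, ?)"
    )
    try:
        con.execute(sql, (email, password, inst_id, access_level))
        con.commit()
        return "registered"
    except sqlite3.IntegrityError:
        return "already exists"


def compare_checks(con=None):
    """Run both versions of the existence check over PROBE_ADDRESSES and
    return {address: (concatenated_result, parameterized_result)}."""
    if con is None:
        con = make_db()
    return {
        email: (count_concatenated(con, email), count_parameterized(con, email))
        for email in PROBE_ADDRESSES
    }


if __name__ == "__main__":
    con = make_db()
    for email, (concat, param) in compare_checks(con).items():
        print(repr(email), "concatenated:", repr(concat), "parameterized:", param)
    print(register(con, "alice@example.com", "pw", "100", "1"))
    print(register(con, "'@yahoo.com", "pw", "102", "1"))
```

Running it shows the three outcomes the answer lists: the two apostrophe addresses make the concatenated statement fail (the same failure the catch-all in Submit_Click would hide), the payload ' OR '1'='1 turns the existence check into a count of every row, so the temp == 1 test in Page_Load no longer means what the code assumes, and the parameterized check returns the correct count for all four inputs.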
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)