Click here to Skip to main content
15,891,513 members
Search within:


I am using same login page for both the general users and admin users but after login, the system should take both the users to different pages.
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
C#
ASP.NET
general user and admin user use same table for registration. registration table has a user_type field which creates difference between general user and admin user. both the users use same login screen. but after successful login, the login page should direct both the user and admin to different pages. if user type is 1 then it is admin and if user type is 2 then it is general user. i am using below code in the login page but it seems to be incorrect. please let me know what correction is required.

when i am pressing login button, the system is showing below error.

Incorrect syntax near ','

What I have tried:

SqlConnection con = new SqlConnection();
con.ConnectionString = "Data Source=.\\sqlexpress;Initial Catalog=college_education;User ID=sa;Password=system;";
con.Open();
string q = "select * from user_details where user_name='" + TextBox1.Text + "', password='" + TextBox2.Text + "',user_type='"+TextBox3.Text+"'";
SqlCommand com = new SqlCommand(q, con);
SqlDataReader sdr = com.ExecuteReader();
if (sdr.Read())
{
Session["user"] = sdr["user_name"];
Session["password"] = sdr["password"];
Session["user type"] = sdr["user_type=1"];
Response.Redirect("adminfilerecord.aspx");
Posted
Updated 30-Jan-17 23:48pm
Add a Solution
Comments
Jon McKee 28-Jan-17 1:03am    
I don't see any obvious problems from a glance. What line causes this error? Have you done any debugging? What were the results? Obvious problems beyond concatenating an SQL query, that is.
TextBox1.Text = "user123'; drop table user_details; --";
Member 12950401 28-Jan-17 1:06am    
error is showing on below line.

SqlDataReader sdr = com.ExecuteReader();
Jon McKee 28-Jan-17 1:17am    
Beyond using while instead of if (unless that's explicitly what you want) and what I mention above, I honestly don't see an issue with this code. I don't see any issues with your quoting. Have you put a breakpoint on the line that throws the error and examined what the SQL query and related objects look like?
OriginalGriff 28-Jan-17 3:41am    
*cough*
select * from user_details where user_name='MyName', password='MyPassword', user_type='MyType'

Valid SQL?
SQL Injection?
Text based passwords stored in clear?
Jon McKee 28-Jan-17 3:44am    
I already mentioned SQL injection in my first response =P "user123'; drop table user_details; --" =D Raw password storage I did fail to mention though. Also good point about the actual SQL, I totally missed that it was a comma and not an "AND" :thumbsup: I'm too accustomed to LINQ =(

2 solutions

Loads of problems here: The first and most important is that you must never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Particularly important with login code, since users can bypass your security or delete your database without even having to log in! Fix this first throughout your code, or your best mate will delete your DB just to see the expression on your face.

The second thing is that your SQL query is rubbish. If I remove teh textboxes and write it out as it would be presented to SQL:
SQL
select * from user_details where user_name='MyName', password='MyPassword', user_type='MyType'
That isn't valid SQL syntax: it meets the first comma and says "what is that doing here?" Probably what you meant to say was:
SQL
select * from user_details where user_name='MyName' AND password='MyPassword' AND user_type='MyType'
But even then there are problems: why would your users have to type "user" or "admin" or anything else in order to log in? Your system knows what class they are permitted to be, so fetch that from the DB not the user.

The third is that you are storing passwords in clear text. That's bad, very bad: Code Crime 1[^] - see here, it may help: Password Storage: How to do it.[^]
 
Share this answer
 
Posted
Comments
Jon McKee 28-Jan-17 3:49am    
Very good point! I totally missed the comma instead of "AND". 5ed!
use switch case and break statement like

string userType=sdr["user_type];
switch(userType)
{
    case "Admin":
          Response.Redirect("adminPage.aspx");
          break;
    case "GeneralUser":
          Response.Redirect("genUserPage.aspx");
          break;
    default:
          Response.Redirect("SomePage.aspx");
          break;
}
 
Share this answer
 
Posted
v2
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
Redirect to login page, if user accesses the url from browser
How to deny or redirect to login page if user not make login to my web application ?
single login for admin/user
After login page displaying users data
User and admin login page
Asp.Net login page for different types of users
user and admin login jsp page in mysql using netbeans
using 2 master pages for admin and user
Login failed for user
redirect the user to login page

Advertise
Privacy
Cookies
Terms of Use
Last Updated 31 Jan 2017
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900