
I am in the process of creating an asp.net web app in C# using Visual Studio. I have a registration page for parents that stores information in a database table I have created. I now need to create a login page that if username and password are entered correctly, the user will be redirected to a payment page.

What I have so far works to an extent. I will show my code, along with a screenshot of the main error. If anyone can point out where I am going wrong, I would really appreciate it.

username + password = CORRECT - I receive "password is correct" text

username + password = BOTH WRONG - I receive "username is not correct" text

username (NOT correct) + password (CORRECT) - I receive "username is not correct" text

username (CORRECT) + password (NOT correct) - I get this error (see screenshot)

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Configuration;
using System.Data.SqlClient;

namespace Coursework
{
    public partial class Login : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {

        }

        protected void loginButton_Click(object sender, EventArgs e)
        {
            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["newregDBConnectionString"].ConnectionString);
            conn.Open();
            // First query: does exactly one parent row have this username?
            string checkUser = "select count(*) from parent where parentID='" + userText.Text + "'";
            SqlCommand com = new SqlCommand(checkUser, conn);
            int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
            conn.Close();
            if (temp == 1)
            {
                conn.Open();
                // Second query: looks up the row by password only, not by the username entered above
                string checkPassword = "select password from parent where password='" + passText.Text + "'";
                SqlCommand passCom = new SqlCommand(checkPassword, conn);
                // ExecuteScalar() returns null when no row matches, so ToString() throws here
                string password = passCom.ExecuteScalar().ToString().Replace(" ","");
                if(password == passText.Text)
                {
                    Session["New"] = userText.Text;
                    Response.Write("Password is correct");
                }
                else
                {
                    Response.Write("Password is not correct");
                }
            }
            else
            {
                Response.Write("Username is not correct");
            }
            conn.Close();
        }
    }
}

    Seeing that you're getting a `NullReferenceException`, I'll refer to [this](http://stackoverflow.com/questions/4660142/what-is-a-nullreferenceexception-and-how-do-i-fix-it) page. –  Dec 12 '16 at 14:21
  • 3
    You are opening yourself to SQL injection. You probably want to use SqlParams in place of inline concatenation. – Stephen Brickner Dec 12 '16 at 14:21
  • 1
    Please tell me you're not storing passwords unencrypted – Frauke Dec 12 '16 at 14:24
  • 1
    Also, you are giving potential hackers useful info: you basically made code that will tell them "Well done, you guessed a username! Now proceed guessing a password!". Never disclose that the username is correct if (only) the password is wrong. No need to do 2 separate database calls as a consequence. – Peter B Dec 12 '16 at 14:31
  • Can I suggest code first and linq/lambda – Mohammed Sohail Ebrahim Dec 12 '16 at 14:32
  • 1
    So I basically just want one error message for the 3 options (both user and pass wrong, user wrong + pass correct, user correct + pass wrong). Saying something like, log in details are incorrect? – ACostea Dec 12 '16 at 14:35

1 Answer

ExecuteScalar returns object

public override object ExecuteScalar()

So you need to check for a null value

var obj = passCom.ExecuteScalar();
string password = obj?.ToString().Trim();

Also start using SqlCommand.Parameters to protect yourself from SQL injection

  • Ok so I put the public override object ExecuteScalar() method above the button click method with the "var obj = passCom.ExecuteScalar(); string password = obj?.ToString().Trim();" lines of code you provided but it is giving me errors. Have I used the code in the wrong place? – ACostea Dec 12 '16 at 14:32
  • @ACostea public override object ExecuteScalar() is the definition of ExecuteScalar; I wrote it to see it is an object. Don't write this. What you need to write is under the text: So you need to check for null value. If you are using C# with a version under 6.0 you should write if(obj != null) password=obj.ToString().Trim(); – mybirthname Dec 12 '16 at 14:34
  • Oh I see, thank you, it works. All of the right messages appear depending on combination of password and username. I have SqlParams on another page so I will work on including them on this login page. Thank you once again! – ACostea Dec 12 '16 at 14:40
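Pulling the answer and the comments together, here is an added example of the click handler rewritten with a single parameterised query, a null check on `ExecuteScalar`, and one generic failure message. This is not the answerer's or the asker's code; it reuses the page's connection string name, `parent` table and `parentID`/`password` columns, and assumes an `NVARCHAR(50)` username column and a `Payment.aspx` page.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

namespace Coursework
{
    public partial class Login : System.Web.UI.Page
    {
        // Returns true only when a row exists for this parentID and its stored
        // password matches. The caller never learns which half was wrong.
        private static bool CredentialsValid(string userName, string password)
        {
            string connString = ConfigurationManager
                .ConnectionStrings["newregDBConnectionString"].ConnectionString;

            // One query, keyed on the username. The input travels as a parameter
            // value, never as SQL text, so it cannot alter the statement.
            const string sql = "SELECT password FROM parent WHERE parentID = @id";

            using (var conn = new SqlConnection(connString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                // Type and size are assumed to match the parentID column.
                cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = userName;
                conn.Open();

                // ExecuteScalar returns null when no row matches (the cause of the
                // NullReferenceException in the question), so test it before use.
                object stored = cmd.ExecuteScalar();
                if (stored == null || stored == DBNull.Value)
                    return false;

                // The page stores plain text, so compare directly; replace this
                // with a password-hash verification once hashing is in place.
                return string.Equals(stored.ToString().Trim(), password, StringComparison.Ordinal);
            }
        }

        protected void loginButton_Click(object sender, EventArgs e)
        {
            if (CredentialsValid(userText.Text, passText.Text))
            {
                Session["New"] = userText.Text;
                Response.Redirect("~/Payment.aspx"); // assumed page name
            }
            else
            {
                // Same message for every failure case, as the comments suggest.
                Response.Write("Login details are incorrect");
            }
        }
    }
}
```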