I'm using C# with an ASP.Net table. I'm trying to check when a user accesses my web app, that their User ID is listed in the column called UserID in a table that is displayed in the web app. If it is not, then I want to redirect them to an error page.
I need this to check when the page is loaded so obviously it needs to be in Page_Load. I just don't know how to call the column in my table and to have it check the User ID.
This is what I have so far:
protected void Page_Load(object sender, EventArgs e)
{
if (!Page.IsPostBack)
{
string UserID = HttpContext.Current.Request.LogonUserIdentity.Name.Substring(4);
SQLUserID();
if (UserID != //'Whatever values are in the UserID column'//)
{
Server.Transfer("ErrorPage.aspx");
}
SQLCmd = SqlDataSource1.SelectCommand;
GridView1.DataBind();
}
}
The string UserID gives me the User ID of the user. SQLUserID() = SELECT UserId FROM Info. I know the way I called that isn't correct but I'm not sure how to do it.
It can help you:
SqlConnection conn = new SqlConnection(connectionString);
SqlCommand check_User_Name ("SELECT COUNT(*) FROM tblUser WHERE (UserID=#UserID)",conn);
check_User_Name.Parameters.AddWithValue("#UserID,UserID);
int userExist=(int)check_User_Name.ExecuteScalar();
if(userExist>0)
{
//Login
}
else
{
Server.Transfer("ErrorPage.aspx");
}
just write your connection string and enjoy it.
So here is how I got it to work below Page_Load
{
string connectionString = "Data Source=###;Initial Catalog=###;Integrated Security=True";
if (!Page.IsPostBack)
{
using (SqlConnection sqlConnection = new SqlConnection(connectionString))
{
sqlConnection.Open();
using (SqlCommand sqlCommand = new SqlCommand("SELECT COUNT(UserID) from Info WHERE UserID like #UserID", sqlConnection))
{
string UserID = HttpContext.Current.Request.LogonUserIdentity.Name.Substring(4);
sqlCommand.Parameters.AddWithValue("#UserID", UserID);
int userCount = (int)sqlCommand.ExecuteScalar();
if (userCount == 0)
{
Server.Transfer("ErrorPage.aspx");
}
SQLCmd = SqlDataSource1.SelectCommand;
GridView1.DataBind();
}
}
}
Related
I'm trying to get my LoginButton to work, it isn't really doing what I want it to do.
I already have a RegisterButton which works perfectly and creates the account without any problems, but when trying to do my LoginButton it connects to the database but doesn't really check if the account exists using selectQuery and it should change WarningLabel.Text to "Wrong Name or Password". it does go through the first try and changes the WarningLabel.Text to "Welcome " + NameInput.Text;
private void LoginButton_Click(object sender, System.EventArgs e)
{
string selectQuery = $"SELECT * FROM bank.user WHERE Name='{NameInput.Text}' AND Password='{GetHashString(PasswordInput.Text)}';";
MySqlCommand cmd;
connection.Open();
cmd = new MySqlCommand(selectQuery, connection);
try
{
cmd.ExecuteNonQuery();
WarningLabel.Text = "Welcome " + NameInput.Text;
} catch
{
WarningLabel.Text = "Wrong Name or Password";
}
connection.Close();
}
Best Regards - Nebula.exe
The ExecuteNonQuery is not intented to be used with SQL statements that return data, you should use ExecuteReader or ExecuteScalar, you can check the MySqlCommand.ExecuteReader documentation
Warning: Your code does have a SQL Injection vulnerability in this part of the SQL statement Name='{NameInput.Text}' Check this SQL Injection explanation
Usage example (from the documentation, slightly modified):
using (MySqlConnection myConnection = new MySqlConnection(connStr))
{
using (MySqlCommand myCommand = new MySqlCommand(mySelectQuery, myConnection))
{
myConnection.Open();
MySqlDataReader myReader = myCommand.ExecuteReader();
while (myReader.Read())
{
Console.WriteLine(myReader.GetString(0));
}
}
}
You should check if there are records returned. cmd.ExecuteNonQuery(); won't tell you if records are returned because it will just execute the query. You should use ExecuteScalar or a MySQL Data Reader ExecuteReader and track the results.
Note : Your code is prone to SQL Injections, you might want to use Parameters in your query like #name and #password.
Your Query goes something like this.
string selectQuery = $"SELECT IFNULL(COUNT(*),0) FROM bank.user WHERE Name=#name AND Password=#password;";
Then use parameters
cmd.parameters.AddWithValue(#name, NameInput.Text);
cmd.parameters.AddWithValue(#password, GetHashString(PasswordInput.Text));
Then verify if the query returns result
If cmd.ExecuteScalar() > 0
//If count is > 0 then Welcome
//Else Wrong username or password
End If
Your life, made easy:
private void LoginButton_Click(object sender, System.EventArgs e)
{
var cmd = "SELECT * FROM bank.user WHERE Name=#name AND Password=#pw";
using var da = new MySqlDataAdapter(cmd, connection);
da.SelectCommand.Parameters.AddWithValue("#name", NameInput.Text);
da.SelectCommand.Parameters.AddWithValue("#pw",GetHashString(PasswordInput.Text));
var dt = new DataTable();
da.Fill(dt);
if(dt.Rows.Count == 0)
WarningLabel.Text = "Wrong Name or Password";
else
WarningLabel.Text = $"Welcome {dt.Rows[0]["FullName"]}, your last login was at {dt.Rows[0]["LastLoginDate"]}";
}
Your life, made easier (with Dapper):
class User{
public string Name {get;set;} //username e.g. fluffybunny666
public string FullName {get;set;} //like John Smith
public string Password {get;set;} //hashed
public DateTime LastLoginDate {get;set;}
}
//or you could use a record for less finger wear
record User(string Name, string FullName, string Password, DateTime LastLoginDate);
...
using var c = new MySqlConnection(connection):
var u = await c.QuerySingleOrDefaultAsync(
"SELECT * FROM bank.user WHERE Name=#N AND Password=#P",
new { N = NameInput.Text, P = GetHashString(PasswordInput.Text)}
);
if(u == default)
WarningLabel.Text = "Wrong Name or Password";
else
WarningLabel.Text = $"Welcome {u.FullName}, your last login was at u.LastLoginDate";
I'm creating a forms application which needs a login function. I have set up the MySqL connection and have applied it to my form. It does answer to my to responses, giving me a respons with a pass or no pass, BUT this is only when I ask for it to only match the input with passwords in the database. I cannot get it to match both the usernames and the passwords, even though I seem to have configurated my table as it should be. I've got 3 columns with ID, username(brugernavn) and password.
I can get it to accept both credentials if I match the ID's with the right password, fx SELECT * FROM bruger WHERE password =#pass AND id=#usn
I'm still very new to programming so if I'm confused please let me know.
Is anyone able to help?
I've tried to change my parameters to something else, but that didnt do the trick. There didnt seem to be a problem with the actual table, as it could acces my information about the passwords and the ID's, so I tried changing some values and stuff from the username column, but it did no good. I have both the username and password using varchar(100) and the ID is using INT(11) as a primary.
MySqlConnection connection = new MySqlConnection("server=localhost;port=3306;username=root;password=;database=bruger");
public void openConnection()
{
if (connection.State == System.Data.ConnectionState.Closed)
{
connection.Open();
}
}
public void closeConnection()
{
if (connection.State == System.Data.ConnectionState.Open)
{
connection.Close();
}
}
public MySqlConnection GetConnection()
{
return connection;
}
private void Loginbutton_Click(object sender, EventArgs e)
{
DB db = new DB();
string username = textBoxBrugernavn.Text;
string password = textBoxPassword.Text;
DataTable table = new DataTable();
MySqlDataAdapter adapter = new MySqlDataAdapter();
MySqlCommand command = new MySqlCommand("SELECT * FROM bruger WHERE password =#pass AND brugernavn =#usn", db.GetConnection());
command.Parameters.Add("#usn", MySqlDbType.VarChar).Value = username;
command.Parameters.Add("#pass", MySqlDbType.VarChar).Value = password;
adapter.SelectCommand = command;
adapter.Fill(table);
if (table.Rows.Count > 0)
{
MessageBox.Show("YES");
}
else
{
MessageBox.Show("NO");
}
I was hoping this would let me run my forms apps and then let me login with already created users in my database. This however is not the case, as I am unable to match these two informations in the application.
Keep you data objects local. Then you can be sure they are closed and disposed. The using blocks take care of that even if there is an error. Since we only need one piece of data (the count) we can use ExecuteScalar which returns the first column of the first row in the result set. Of course, in a real application, you would never store passwords as plain text. They would be salted and hashed.
private void Loginbutton_Click(object sender, EventArgs e)
{
Int64 RecordCount = 0;
using (MySqlConnection cn = new MySqlConnection("server=localhost;port=3306;username=root;password=;database=bruger"))
{
using (MySqlCommand command = new MySqlCommand("SELECT Count(*) FROM bruger WHERE password =#pass AND brugernavn =#usn", cn))
{
command.Parameters.Add("#usn", MySqlDbType.VarChar).Value = textBoxBrugernavn.Text;
command.Parameters.Add("#pass", MySqlDbType.VarChar).Value = textBoxPassword.Text;
cn.Open();
RecordCount = (Int64)command.ExecuteScalar();
}
}
if (RecordCount > 0)
{
MessageBox.Show("YES");
//Add code to proceed to your next form
}
else
{
MessageBox.Show("NO");
}
}
So I'm trying to create simple button that decides if you are admin or user.
But I cant get it to work properly. I'm connected to MySQL db but when I click button with either admin/user account (stored in db) I get:
"you are an admin"
So I guess I have mistake somewhere but cant see where:
private void button1_Click(object sender, EventArgs e)
{
MySqlConnection cn = new MySqlConnection("Server=;Database=;Uid=;Pwd=;");
MySqlCommand cmd = new MySqlCommand("SELECT usertype FROM table1 ", cn);
cmd.Parameters.AddWithValue("usertype", usertype.Text);
cn.Open();
string usertype123 = cmd.ExecuteScalar()?.ToString();
if (usertype123 == "admin")
{
MessageBox.Show("you are an admin");
}
else
{
MessageBox.Show("You are an user ");
}
cn.Close();
}
If you don't add a WHERE statement to your sql command you will always retrieve the value from the first column of the first row returned by the database engine. You should change your code to something like this
private void button1_Click(object sender, EventArgs e)
{
// I assume you have a field named UserID as the primary key of your table1
string sqlCmd = #"SELECT usertype FROM table1 WHERE UserID=#id";
using(MySqlConnection cn = new MySqlConnection("....."))
using(MySqlCommand cmd = new MySqlCommand(sqlCmd, cn))
{
cmd.Parameters.Add("#id", MySqlDbType.Int32).Value = currentUserid;
cn.Open();
string usertype123 = cmd.ExecuteScalar()?.ToString();
if (usertype123 == "admin")
{
MessageBox.Show("you are an admin");
}
else
{
MessageBox.Show("You are an user ");
}
}
}
Now the problem is how to define the variable currentUserId This is something that you need to retrieve when the user logs in and conserve at the class level to reuse when needed. Notice also that connections are disposable objects and as such your need to dispose them as soon as you have finished to use them. The using statement helps to do this
I need to send the ID of a logged in user to multiple windows forms but can't figure it out. How can I call the variable on multiple forms?
private void btnUpdate_Click(object sender, EventArgs e)
using(var con = new SqlConnection("connectionstring"))
{
var query = "SELECT TOP 1 ID FROM users WHERE username = #username AND password = #password";
// Build a command to execute your query
using(var cmd = new SqlCommand(con,query))
{
// Open connection
con.Open();
// Add your parameters
cmd.Parameters.AddWithValue("#username", txtUsername.Text);
cmd.Parameters.AddWithValue("#password", txtPassword.Text);
// Get ID
var sqlid = Convert.ToInt32(cmd.ExecuteScalar());
}
}
Ive been stumped for hours and can't proceed
How can I call the variable on multiple forms?
Take the code out of your button click event. Put it in a class within a shared library that can be accessed by multiple forms.
You should also create a User class (and a UserRepository) that you pass around instead of just an ID with no context.
This is what D Stanley was talking about.
The User data-structure
public class MyUser
{
public int ID;
public string UserName;
public MyUser(int id, string userName)
{
ID = id;
UserName = userName;
}
}
The database interface class
public class UserContext
{
private ConnectionString = ""
// 1st constructor you pass in connection string.
public UserContext(string connectionString)
{
ConnectionString = connectionString;
}
// 2nd constructor you use the one in the web.config file.
public UserContext()
{
ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings["connectionStringName"].ConnectionString;
}
public int GetUserID(string userName, string password)
{
// declare the result variable.
MyUser result
using(var con = new SqlConnection(ConnectionString))
{
var query = "SELECT TOP 1 ID FROM users WHERE username = #username AND password = #password";
// Build a command to execute your query
using(var cmd = new SqlCommand(con,query))
{
// Open connection
con.Open();
// Add your parameters
cmd.Parameters.AddWithValue(userName);
cmd.Parameters.AddWithValue(password);
// Get ID
var sqlid = Convert.ToInt32(cmd.ExecuteScalar());
result = new MyUser(sqlid, userName);
}
}
return result;
}
}
Now all you have to do is create a database context object and pass in properties.
private void btnUpdate_Click(object sender, EventArgs e)
{
// database context.
UserContext UC = new UserContext();
// Get user.
MyUser currentUser = UC.GetUserID(txtUserName.Text, txtPassword.Text);
// now you can access userid from the User data-structure object.
var id = currentUser.ID;
}
I need to get the user current name after a log in. I need to display the name in the page, like welcome user . Please help me, my current code is given below
protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["con1"].ConnectionString);
con.Open();
SqlCommand cmdr = new SqlCommand("Select name,password From registration", con);
SqlDataReader dr = cmdr.ExecuteReader();
while (dr.Read())
{
if (txt_name.Text == dr[0].ToString() && txt_pass.Text == dr[1].ToString())
{
Response.Redirect("logout.aspx");
}
else
{
label4.Text ="Invalid Username/Password";
}
}
}
If you're using the ASP.NET membership:
string userName = Membership.GetUser().UserName
However, obviously you are not using it (i strongly recommend). Why do you redirect to logout.aspx when the user successfully provided his username and password?
Apart from that you're not using the provided informatiuons at all in your query.
SqlCommand cmdr = new SqlCommand("Select name,password From registration", con);
So you should use parameters to filter for the correct record:
using(var cmdr = new SqlCommand("Select name,password From registration where name=#name and password=#password", con))
{
cmdr.Parameters.AddWithValue("#name", userName);
cmdr.Parameters.AddWithValue("#password", password);
if(cmdr.ExecuteReader().HasRows)
{
// user + password correct
}
else
{
// user or password incorrect
}
}
Membership.GetUser().UserName in a membership provider. Under no circumstances should you run the code you have there. It is asking for a hack. You should not be loading the passwords into memory and you are going to have performance issues as you gain more users because of your loop through all users!
protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["con1"].ConnectionString);
con.Open();
SqlCommand cmdr = new SqlCommand("Select name,password From registration", con);
SqlDataReader dr = cmdr.ExecuteReader();
while (dr.Read())
{
if (txt_name.Text == dr[0].ToString() && txt_pass.Text == dr[1].ToString())
{
Session["UserName"]=dr[0].ToString(); // OR Session["UserName"]=txt_name.Text;
Response.Redirect("logout.aspx");
}
else
{
label4.Text ="Invalid Username/Password";
}
}
}
You can fetch the session values in HTML(if your using it in your application)
<div>
Welcome <%=HttpContext.Current.Session["UserName"]%>
</div>
You should be able to get the identity of the user from the User property in code-behind.
myLabel.Text = User.Identity.Name;
The full namespace etc. for this is HttpContext.Current.User.Identity.Name.
Reference for HttpContext.User property: http://msdn.microsoft.com/en-us/library/system.web.httpcontext.user.aspx
put the username in a session
Session["username"] = dr[0].ToString();
then on the other page
if Session["username"] != null
{
String username = Session["username"].ToString();
}
else
{
Page.Redirect("login.aspx");
}
You can check each different page
You should ideally use built-in ASP.NET Forms Authentication - see this article for quick start. Coming to your question, on successful login, you should use line such as
FormsAuthentication.RedirectFromLoginPage(txt_name.Text, true);
This would store the user name into authentication cookie and which can be subsequently retrieved using code such as User.Identity.Name that you can user anywhere in your pages.
You can store the username in session object and get username anywhere in the application if session is present
But you have to update your query also, The way you are calling is not good approach
protected void Button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["con1"].ConnectionString);
con.Open();
SqlCommand cmdr = new SqlCommand("Select name From registration where name = #username and password = #password", con);
cmdr.Parameters.Add("#username", txt_name.Text.trim());
cmdr.Parameters.Add("#password", txt_pass.Text.trim());
SqlDataReader dr = cmdr.ExecuteReader();
if(cmdr.ExecuteReader().HasRows)
{
Response.Redirect("logout.aspx");
Session["userName"] = txt_name.Text.trim();
}
else{
//Error page path
}
//DOn't forget to close the connection when you Open it
con.Close();
}
You should learn more from some tutorials:
http://csharp-station.com/Tutorial/AdoDotNet/Lesson01
MSDN
..and if you're just wanting to use the User object:
var username = User.Identity.Name;