Don't do "SELECT * FROM Login". Do something like
"SELECT COUNT(Username) FROM Login WHERE Username = @Username AND HashedPassword = @HashedPassword"
Then check the number of returned rows.

Points to remember
# Don't store real passwords in the DB - EVER
# Watch out for SQL injection
# Don't select more than you need from a table (you only want to verify the existence of a row in your example)

On Mon, Feb 1, 2010 at 4:54 PM, HelloWorld <[email protected]> wrote:
> well, i made certain changes and now my login code is working, also a
> session id is created every time the user logs in.
> This is my final login code:
>
> using System;
> using System.Data;
> using System.Data.SqlClient;
>
> namespace Login
> {
>     public partial class _Default : System.Web.UI.Page
>     {
>         SqlConnection conn = new SqlConnection(@"Data Source=SWATY\SQLEXPRESS;Initial Catalog=Project_mydb;Integrated Security=True");
>         SqlCommand cmd = new SqlCommand();
>         SqlDataAdapter da = new SqlDataAdapter();
>         DataSet ds = new DataSet();
>
>         protected void btnLogin_Click(object sender, EventArgs e)
>         {
>             cmd.CommandText = "select * from Login";
>             cmd.Connection = conn;
>             da.SelectCommand = cmd;
>             da.Fill(ds, "Login");
>             int totaluser = ds.Tables["Login"].Rows.Count;
>             for (int i = 0; i < totaluser; i++)
>             {
>                 if (txtUserName.Text == ds.Tables["Login"].Rows[i]["Username"].ToString()
>                     && txtPassword.Text == ds.Tables["Login"].Rows[i]["Password"].ToString())
>                 {
>                     Session["userId"] = txtUserName.Text;
>                     Response.Redirect("Home.aspx");
>                 }
>                 else
>                 {
>                     ErrorLabel.Visible = true;
>                 }
>             }
>         }
>     }
> }
>
> Now I need to work on the logout code. I've written a certain code for
> logout but, on clicking the logout button, even after I am redirected
> to the Login Page, the browser's back button is still enabled which
> can bring the user back to the previous page (which I don't want to).
> Can you tell a way to either disable back browsing or to clear page
> history? Please tell me what changes I need to make?
> Here's my logout code:
>
> using System;
>
> namespace Login
> {
>     public partial class Home : System.Web.UI.Page
>     {
>         protected void Page_Load(object sender, EventArgs e)
>         {
>             lblUser.Text = "Welcome " + Session["userId"].ToString();
>         }
>
>         protected void btnLogout_Click(object sender, EventArgs e)
>         {
>             // Clear and abandon the session before redirecting: Response.Redirect
>             // ends the request, so statements placed after it never run.
>             Session.Clear();
>             Session.Abandon();
>             Response.Redirect("Default.aspx");
>         }
>     }
> }
>
> On Jan 30, 8:55 pm, Cerebrus <[email protected]> wrote:
> > Gosh, that is some scary code (only referring to the Page_Load
> > part)!! Do you realize how many problems that code has on so many
> > different levels? I won't go into the problems here because it would
> > constitute an essay in itself.
> >
> > To answer your question(s) then:
> >
> > The pseudocode for a Login page/control should be as follows:
> >
> > Page_Load:
> > ~ If the page is loading for the first time, check if user is logged
> >   in (a UserID is present in Session). If yes, redirect to Home page. If
> >   no, show Login controls (username, password, submit button, Forgot
> >   password link).
> >
> > Login Submit Click:
> > ~ Retrieve values of username and password textboxes.
> > ~ Create an SqlCommand pointing to a Stored Procedure (SP) (called
> >   IsLoggedIn, for example) that validates a username/password
> >   combination against user credentials present in the database.
> > ~ Set the SP parameters to those values retrieved from the username
> >   and password textboxes and execute the SP. The SP should simply return
> >   a True/False value. If required, you can return the UserID instead.
> > ~ Based on this result, store the UserID into Session or show
> >   appropriate feedback to the user (e.g. wrong password).
> > ~ Redirect to the welcome page.
> >
> > You could also implement the same thing via a Cookie.
> >
> > On Jan 30, 7:21 pm, HelloWorld <[email protected]> wrote:
> > > @Cerebrus
> > > This is the Login page I created, but it does not involve any session
> > > or cookies.
> > >
> > > using System;
> > > using System.Data;
> > > using System.Data.SqlClient;
> > >
> > > namespace Login
> > > {
> > >     public partial class _Default : System.Web.UI.Page
> > >     {
> > >         SqlConnection conn = new SqlConnection(@"Data Source=SWATY\SQLEXPRESS;Initial Catalog=Project_mydb;Integrated Security=True");
> > >         SqlCommand cmd = new SqlCommand();
> > >         SqlDataAdapter da = new SqlDataAdapter();
> > >         DataSet ds = new DataSet();
> > >
> > >         protected void Page_Load(object sender, EventArgs e)
> > >         {
> > >             cmd.CommandText = "select * from Login";
> > >             cmd.Connection = conn;
> > >             da.SelectCommand = cmd;
> > >             da.Fill(ds, "Login");
> > >             int totaluser = ds.Tables["Login"].Rows.Count;
> > >             for (int i = 0; i < totaluser; i++)
> > >             {
> > >                 if (txtUserName.Text == ds.Tables["Login"].Rows[i]["Username"].ToString()
> > >                     && txtPassword.Text == ds.Tables["Login"].Rows[i]["Password"].ToString())
> > >                 {
> > >                     Response.Redirect("Home.aspx");
> > >                 }
> > >                 else
> > >                 {
> > >                     Label3.Visible = true;
> > >                 }
> > >             }
> > >         }
> > >     }
> > > }
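The following is an added example, not code posted by anyone in this thread. It puts the advice above into one pair of Web Forms code-behind files: the Page_Load / login-click flow Cerebrus describes, a parameterized single-row query instead of "select * from Login", a salted PBKDF2 hash in place of a stored password, and the logout / back-button handling HelloWorld asked about. It goes beyond the reply's "SELECT COUNT(...) WHERE HashedPassword = @HashedPassword" by using a per-user salt, and it uses an inline parameterized query rather than the stored procedure Cerebrus suggests. Everything schema- and markup-related is assumed: a Users table with Username, Salt, PasswordHash and Iterations columns, a connection string named "Project_mydb" in web.config, and the controls txtUserName, txtPassword, ErrorLabel and lblUser declared in the .aspx markup.

```csharp
// Added example, not from the thread. Assumed (not on the original page):
//   table Users(Username nvarchar(64), Salt varbinary(16), PasswordHash varbinary(32), Iterations int),
//   a "Project_mydb" connection string in web.config, and the controls named below in the .aspx markup.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

namespace Login
{
    public partial class _Default : Page
    {
        private static readonly string ConnStr =
            ConfigurationManager.ConnectionStrings["Project_mydb"].ConnectionString;

        protected void Page_Load(object sender, EventArgs e)
        {
            NoCache(Response);
            // Already logged in: skip the form and go to the home page.
            if (!IsPostBack && Session["userId"] != null)
                Response.Redirect("Home.aspx");
        }

        protected void btnLogin_Click(object sender, EventArgs e)
        {
            if (VerifyCredentials(txtUserName.Text, txtPassword.Text))
            {
                Session["userId"] = txtUserName.Text;
                Response.Redirect("Home.aspx");
            }
            else
            {
                ErrorLabel.Visible = true; // same message for "no such user" and "wrong password"
            }
        }

        // Reads one row and only the columns needed. The username travels as a parameter,
        // never as part of the SQL text, so it cannot change the query (no injection).
        internal static bool VerifyCredentials(string username, string password)
        {
            const string sql = "SELECT Salt, PasswordHash, Iterations FROM Users WHERE Username = @Username";
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 64).Value = username;
                conn.Open();
                using (SqlDataReader r = cmd.ExecuteReader(CommandBehavior.SingleRow))
                {
                    if (!r.Read()) return false; // unknown user
                    byte[] salt = (byte[])r["Salt"];
                    byte[] stored = (byte[])r["PasswordHash"];
                    int iterations = Convert.ToInt32(r["Iterations"]);
                    byte[] computed = DeriveHash(password, salt, iterations, stored.Length);
                    return FixedTimeEquals(computed, stored);
                }
            }
        }

        // PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes. The DB holds only salt + derived key, never the
        // password. Use the same helper (with a fresh random salt) when creating or changing a password.
        internal static byte[] DeriveHash(string password, byte[] salt, int iterations, int length)
        {
            Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations);
            return kdf.GetBytes(length);
        }

        // Compares every byte so the time taken does not reveal how many leading bytes matched.
        internal static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        // Tells the browser not to store the page, so Back after logout re-requests it from the
        // server and the session check in Page_Load sends the user to the login page instead.
        internal static void NoCache(HttpResponse response)
        {
            response.Cache.SetCacheability(HttpCacheability.NoCache);
            response.Cache.SetNoStore();
        }
    }

    public partial class Home : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            _Default.NoCache(Response);
            if (Session["userId"] == null)
            {
                Response.Redirect("Default.aspx");
                return;
            }
            lblUser.Text = "Welcome " + Server.HtmlEncode((string)Session["userId"]);
        }

        protected void btnLogout_Click(object sender, EventArgs e)
        {
            // Abandon first: Response.Redirect ends the request, so statements after it never run.
            Session.Abandon();
            Response.Redirect("Default.aspx");
        }
    }
}
```

The browser's Back button cannot be disabled from the server; what the no-store headers plus the session check in every protected page's Page_Load give you is that the cached copy is never shown and a re-request after logout lands on the login page. Session.Abandon() discards the server-side state but leaves the ASP.NET_SessionId cookie in the browser; if you also want a fresh session ID on the next login, expire that cookie in the logout handler as well.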
