Don't call single-line queries; use stored procedures instead, because of SQL injection.
On Tue, Feb 2, 2010 at 9:28 PM, Jamie Fraser <[email protected]> wrote:
> Don't do "SELECT * FROM Login".
>
> Do something like
>
> "SELECT COUNT(Username) FROM Login WHERE Username = @Username AND
> HashedPassword = @HashedPassword"
>
> Then check the number of returned rows.
>
> Points to remember
>
> # Don't store real passwords in the DB - EVER
> # Watch out for SQL injection
> # Don't select more than you need from a table (you only want to verify the
> existence of a row in your example)
>
>
> On Mon, Feb 1, 2010 at 4:54 PM, HelloWorld <[email protected]> wrote:
>
>> Well, I made certain changes and now my login code is working; also a
>> session id is created every time the user logs in.
>> This is my final login code:
>>
>> using System;
>> using System.Data;
>> using System.Data.SqlClient;
>> using System.Web.UI;
>>
>> namespace Login
>> {
>>     public partial class _Default : System.Web.UI.Page
>>     {
>>         SqlConnection conn = new SqlConnection(@"Data Source=SWATY\SQLEXPRESS;Initial Catalog=Project_mydb;Integrated Security=True");
>>         SqlCommand cmd = new SqlCommand();
>>         SqlDataAdapter da = new SqlDataAdapter();
>>         DataSet ds = new DataSet();
>>
>>         protected void btnLogin_Click(object sender, EventArgs e)
>>         {
>>             // Loads the whole Login table, then compares the typed
>>             // username and password against every row in turn.
>>             cmd.CommandText = "select * from Login";
>>             cmd.Connection = conn;
>>             da.SelectCommand = cmd;
>>             da.Fill(ds, "Login");
>>             int totaluser = ds.Tables["Login"].Rows.Count;
>>             for (int i = 0; i < totaluser; i++)
>>             {
>>                 if (txtUserName.Text == ds.Tables["Login"].Rows[i]["Username"].ToString()
>>                     && txtPassword.Text == ds.Tables["Login"].Rows[i]["Password"].ToString())
>>                 {
>>                     Session["userId"] = txtUserName.Text;
>>                     Response.Redirect("Home.aspx");
>>                 }
>>                 else
>>                 {
>>                     ErrorLabel.Visible = true;
>>                 }
>>             }
>>         }
>>     }
>> }
>>
>>
>> Now I need to work on the logout code. I've written a certain code for
>> logout but, on clicking the logout button, even after I am redirected
>> to the Login Page, the browser's back button is still enabled, which
>> can bring the user back to the previous page (which I don't want).
>> Can you tell me a way to either disable back browsing or to clear page
>> history? Please tell me what changes I need to make. Here's my logout
>> code:
>>
>> using System;
>> using System.Web.UI;
>>
>> namespace Login
>> {
>>     public partial class Home : System.Web.UI.Page
>>     {
>>         protected void Page_Load(object sender, EventArgs e)
>>         {
>>             lblUser.Text = "Welcome " + Session["userId"].ToString();
>>         }
>>
>>         protected void btnLogout_Click(object sender, EventArgs e)
>>         {
>>             // Response.Redirect ends the current request, so the session
>>             // has to be abandoned before it is called, not after.
>>             Session.Contents.Abandon();
>>             Session.Abandon();
>>             Session.Clear();
>>             Response.Redirect("Default.aspx");
>>         }
>>     }
>> }
>>
>>
>>
>> On Jan 30, 8:55 pm, Cerebrus <[email protected]> wrote:
>> > Gosh, that is some scary code (only referring to the Page_Load
>> > part)!! Do you realize how many problems that code has on so many
>> > different levels? I won't go into the problems here because it would
>> > constitute an essay in itself.
>> >
>> > To answer your question(s) then:
>> >
>> > The pseudocode for a Login page/control should be as follows:
>> >
>> > Page_Load:
>> > ~ If the page is loading for the first time, check if the user is logged
>> > in (a UserID is present in Session). If yes, redirect to the Home page. If
>> > no, show Login controls (username, password, submit button, Forgot
>> > password link).
>> >
>> > Login Submit Click:
>> > ~ Retrieve the values of the username and password textboxes.
>> > ~ Create an SqlCommand pointing to a Stored Procedure (SP) (called
>> > IsLoggedIn, for example) that validates a username/password
>> > combination against user credentials present in the database.
>> > ~ Set the SP parameters to those values retrieved from the username
>> > and password textboxes and execute the SP. The SP should simply return
>> > a True/False value. If required, you can return the UserID instead.
>> > ~ Based on this result, store the UserID in Session or show
>> > appropriate feedback to the user (e.g. wrong password).
>> > ~ Redirect to the welcome page.
>> >
>> > You could also implement the same thing via a Cookie.
>> >
>> > On Jan 30, 7:21 pm, HelloWorld <[email protected]> wrote:
>> >
>> > > @Cerebrus
>> > > This is the Login page I created, but it does not involve any session
>> > > or cookies.
>> > >
>> > > using System;
>> > > using System.Data;
>> > > using System.Data.SqlClient;
>> > > using System.Web.UI;
>> > >
>> > > namespace Login
>> > > {
>> > >     public partial class _Default : System.Web.UI.Page
>> > >     {
>> > >         SqlConnection conn = new SqlConnection(@"Data Source=SWATY\SQLEXPRESS;Initial Catalog=Project_mydb;Integrated Security=True");
>> > >         SqlCommand cmd = new SqlCommand();
>> > >         SqlDataAdapter da = new SqlDataAdapter();
>> > >         DataSet ds = new DataSet();
>> > >
>> > >         protected void Page_Load(object sender, EventArgs e)
>> > >         {
>> > >             // Runs on every load of the page, not only on the login
>> > >             // button click: loads the whole Login table and compares
>> > >             // the textbox values against every row.
>> > >             cmd.CommandText = "select * from Login";
>> > >             cmd.Connection = conn;
>> > >             da.SelectCommand = cmd;
>> > >             da.Fill(ds, "Login");
>> > >             int totaluser = ds.Tables["Login"].Rows.Count;
>> > >             for (int i = 0; i < totaluser; i++)
>> > >             {
>> > >                 if (txtUserName.Text == ds.Tables["Login"].Rows[i]["Username"].ToString()
>> > >                     && txtPassword.Text == ds.Tables["Login"].Rows[i]["Password"].ToString())
>> > >                 {
>> > >                     Response.Redirect("Home.aspx");
>> > >                 }
>> > >                 else
>> > >                 {
>> > >                     Label3.Visible = true;
>> > >                 }
>> > >             }
>> > >         }
>> > >     }
>> > > }
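The login page that Cerebrus's outline and Jamie's rules describe, written out as an added example; it is not code from any message in this thread. It keeps the thread's connection string and control names (txtUserName, txtPassword, ErrorLabel) and the userId session key. Everything else is assumed: a stored procedure named GetUserCredentials that takes @Username and returns at most one row (UserID, Salt, Hash), a Login table whose Hash column holds PBKDF2(password, Salt), and the iteration count. It goes one step beyond Jamie's query shape: because each user has their own salt, the procedure returns the stored salt and hash for that username only, and the password check happens in the application rather than inside the SQL WHERE clause.

```csharp
// Added example, not code from anyone in this thread.
// Assumed (not from the thread): stored procedure GetUserCredentials(@Username)
// returning one row (UserID int, Salt varbinary, Hash varbinary) or no rows;
// Hash = PBKDF2(password, Salt, Pbkdf2Iterations, HashLength bytes).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI;

namespace Login
{
    public partial class _Default : System.Web.UI.Page
    {
        // Connection string from the thread. The Windows account it runs as
        // needs only EXECUTE on the stored procedure, not SELECT on Login.
        const string ConnString =
            @"Data Source=SWATY\SQLEXPRESS;Initial Catalog=Project_mydb;Integrated Security=True";
        const int Pbkdf2Iterations = 100000;  // assumed tuning value
        const int HashLength = 32;            // bytes

        protected void Page_Load(object sender, EventArgs e)
        {
            // First load with a live session: skip the form entirely.
            if (!IsPostBack && Session["userId"] != null)
                Response.Redirect("Home.aspx");
        }

        protected void btnLogin_Click(object sender, EventArgs e)
        {
            int? userId = ValidateUser(txtUserName.Text, txtPassword.Text);
            if (userId == null)
            {
                // One generic message whether the user or the password was wrong,
                // so the form does not reveal which usernames exist.
                ErrorLabel.Visible = true;
                return;
            }
            Session["userId"] = userId.Value;
            Response.Redirect("Home.aspx");
        }

        // Fetches one user's salt and hash through a parameterised stored
        // procedure call (the typed username travels as data, never as SQL
        // text), then verifies the password in the application.
        // Returns the UserID on success, or null when the user is unknown or
        // the password does not match.
        static int? ValidateUser(string username, string password)
        {
            using (var conn = new SqlConnection(ConnString))
            using (var cmd = new SqlCommand("GetUserCredentials", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
                {
                    if (!reader.Read())
                        return null;                       // unknown user
                    int userId = reader.GetInt32(reader.GetOrdinal("UserID"));
                    byte[] salt = (byte[])reader["Salt"];
                    byte[] stored = (byte[])reader["Hash"];
                    return FixedTimeEquals(Hash(password, salt), stored) ? userId : (int?)null;
                }
            }
        }

        // PBKDF2 (HMAC-SHA1 in this overload of Rfc2898DeriveBytes); the same
        // routine must be used when the Hash column is first written.
        static byte[] Hash(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
                return kdf.GetBytes(HashLength);
        }

        // Compares every byte regardless of where the first mismatch is, so the
        // time taken does not depend on how much of the hash was right.
        static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

With this shape the query can never return more than one row and never returns the Password column at all, which is Jamie's "don't select more than you need" point; the only thing the database ever stores is a salt and a PBKDF2 output, which is his "don't store real passwords" point.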

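An added example for the logout question HelloWorld asks above; it is not code from anyone in this thread. A server cannot switch off the browser's Back button, but it can make sure that Back after logout shows nothing useful: the protected page is sent with no-cache headers so the browser does not replay it from its cache, and it redirects to the login page whenever no session is present, which is Cerebrus's Page_Load check applied to Home.aspx. Control names (lblUser, btnLogout) and the userId key are the thread's; the cache-policy calls are standard System.Web.HttpCachePolicy methods, and ASP.NET_SessionId is the framework's default session cookie name.

```csharp
// Added example, not code from anyone in this thread.
using System;
using System.Web;
using System.Web.UI;

namespace Login
{
    public partial class Home : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // No session, no page: a Back-button request after logout lands
            // here without a userId and is bounced to the login page.
            object userId = Session["userId"];
            if (userId == null)
            {
                Response.Redirect("Default.aspx");
                return;
            }

            // Ask the browser (and any proxy) not to keep a copy of this page,
            // so Back after logout re-requests it instead of replaying it.
            Response.Cache.SetCacheability(HttpCacheability.NoCache);
            Response.Cache.SetNoStore();
            Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

            lblUser.Text = "Welcome " + userId;
        }

        protected void btnLogout_Click(object sender, EventArgs e)
        {
            // Clear the session before redirecting: Response.Redirect ends the
            // current request, so nothing placed after it would run.
            Session.Clear();
            Session.Abandon();

            // Expire the session cookie too, so the browser stops sending the
            // old session id with later requests.
            var expired = new HttpCookie("ASP.NET_SessionId", string.Empty)
            {
                Expires = DateTime.UtcNow.AddDays(-1)
            };
            Response.Cookies.Add(expired);

            Response.Redirect("Default.aspx");
        }
    }
}
```

The two halves work together: the no-cache headers stop the old copy of Home.aspx from being shown without a request, and the session check stops a fresh request from succeeding once the session is gone.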