I did not mention SQL injection because the OP is obviously a beginner and (IMHO) it's unwise to talk about SQL injection to newbies. At this stage, it thrills them just to be able to store and retrieve data from the database via the page.
On Feb 2, 8:58 pm, Jamie Fraser <[email protected]> wrote:
> Don't do "SELECT * FROM Login".
>
> Do something like
>
> "SELECT COUNT(Username) FROM Login WHERE Username = @Username AND
> HashedPassword = @HashedPassword"
>
> Then check the number of returned rows.
>
> Points to remember
>
> # Don't store real passwords in the DB - EVER
> # Watch out for SQL injection
> # Don't select more than you need from a table (you only want to verify the
> existence of a row in your example)
>
> On Mon, Feb 1, 2010 at 4:54 PM, HelloWorld <[email protected]> wrote:
> > Well, I made certain changes and now my login code is working; also a
> > session id is created every time the user logs in.
> > This is my final login code:
> >
> > namespace Login
> > {
> >     public partial class _Default : System.Web.UI.Page
> >     {
> >         SqlConnection conn = new SqlConnection(@"Data Source=SWATY\SQLEXPRESS;Initial Catalog=Project_mydb;Integrated Security=True");
> >         SqlCommand cmd = new SqlCommand();
> >         SqlDataAdapter da = new SqlDataAdapter();
> >         DataSet ds = new DataSet();
> >
> >         protected void btnLogin_Click(object sender, EventArgs e)
> >         {
> >             cmd.CommandText = "select * from Login";
> >             cmd.Connection = conn;
> >             da.SelectCommand = cmd;
> >             da.Fill(ds, "Login");
> >             int totaluser = ds.Tables["Login"].Rows.Count;
> >             for (int i = 0; i < totaluser; i++)
> >             {
> >                 if (txtUserName.Text == ds.Tables["Login"].Rows[i]["Username"].ToString()
> >                     && txtPassword.Text == ds.Tables["Login"].Rows[i]["Password"].ToString())
> >                 {
> >                     Session["userId"] = txtUserName.Text;
> >                     Response.Redirect("Home.aspx");
> >                 }
> >                 else
> >                 {
> >                     ErrorLabel.Visible = true;
> >                 }
> >             }
> >         }
> >     }
> > }
> >
> > Now I need to work on the logout code. I've written a certain code for
> > logout but, on clicking the logout button, even after I am redirected
> > to the Login Page, the browser's back button is still enabled, which
> > can bring the user back to the previous page (which I don't want).
> > Can you tell a way to either disable back browsing or to clear page
> > history? Please tell me what changes I need to make. Here's my logout
> > code:
> >
> > namespace Login
> > {
> >     public partial class Home : System.Web.UI.Page
> >     {
> >         protected void Page_Load(object sender, EventArgs e)
> >         {
> >             lblUser.Text = "Welcome" + Session["userId"].ToString();
> >         }
> >
> >         protected void btnLogout_Click(object sender, EventArgs e)
> >         {
> >             Response.Redirect("Default.aspx");
> >             Session.Contents.Abandon();
> >             Session.Abandon();
> >             Session.Clear();
> >         }
> >     }
> > }
> >
> > On Jan 30, 8:55 pm, Cerebrus <[email protected]> wrote:
> > > Gosh, that is some scary code (only referring to the Page_Load
> > > part)!! Do you realize how many problems that code has on so many
> > > different levels? I won't go into the problems here because it would
> > > constitute an essay in itself.
> > >
> > > To answer your question(s) then:
> > >
> > > The pseudocode for a Login page/control should be as follows:
> > >
> > > Page_Load:
> > > ~ If the page is loading for the first time, check if the user is logged
> > > in (a UserID is present in Session). If yes, redirect to the Home page. If
> > > no, show Login controls (username, password, submit button, Forgot
> > > password link).
> > >
> > > Login Submit Click:
> > > ~ Retrieve values of the username and password textboxes.
> > > ~ Create an SqlCommand pointing to a Stored Procedure (SP) (called
> > > IsLoggedIn, for example) that validates a username/password
> > > combination against user credentials present in the database.
> > > ~ Set the SP parameters to those values retrieved from the username
> > > and password textboxes and execute the SP. The SP should simply return
> > > a True/False value. If required, you can return the UserID instead.
> > > ~ Based on this result, store the UserID into Session or show
> > > appropriate feedback to the user (e.g. wrong password).
> > > ~ Redirect to the welcome page.
> > >
> > > You could also implement the same thing via a Cookie.
> > >
> > > On Jan 30, 7:21 pm, HelloWorld <[email protected]> wrote:
> > > > @Cerebrus
> > > > This is the Login page I created, but it does not involve any session
> > > > or cookies.
> > > >
> > > > namespace Login
> > > > {
> > > >     public partial class _Default : System.Web.UI.Page
> > > >     {
> > > >         SqlConnection conn = new SqlConnection(@"Data Source=SWATY\SQLEXPRESS;Initial Catalog=Project_mydb;Integrated Security=True");
> > > >         SqlCommand cmd = new SqlCommand();
> > > >         SqlDataAdapter da = new SqlDataAdapter();
> > > >         DataSet ds = new DataSet();
> > > >
> > > >         protected void Page_Load(object sender, EventArgs e)
> > > >         {
> > > >             cmd.CommandText = "select * from Login";
> > > >             cmd.Connection = conn;
> > > >             da.SelectCommand = cmd;
> > > >             da.Fill(ds, "Login");
> > > >             int totaluser = ds.Tables["Login"].Rows.Count;
> > > >             for (int i = 0; i < totaluser; i++)
> > > >             {
> > > >                 if (txtUserName.Text == ds.Tables["Login"].Rows[i]["Username"].ToString()
> > > >                     && txtPassword.Text == ds.Tables["Login"].Rows[i]["Password"].ToString())
> > > >                 {
> > > >                     Response.Redirect("Home.aspx");
> > > >                 }
> > > >                 else
> > > >                 {
> > > >                     Label3.Visible = true;
> > > >                 }
> > > >             }
> > > >         }
> > > >     }
> > > > }
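Jamie's points and Cerebrus's pseudocode combined as working C# (an added example, not code from anyone in this thread): a parameterized lookup of a single row, a salted PBKDF2 hash in place of a stored password, and a fixed-time comparison. It assumes a Login table with Username, PasswordHash and Salt columns and the page's existing controls; the column names and the iteration count are my assumptions.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
namespace Login
{
    public partial class _Default : System.Web.UI.Page
    {
        // Assumed schema: Login(Username nvarchar(64), PasswordHash varbinary(32), Salt varbinary(16)).
        const string ConnStr = @"Data Source=SWATY\SQLEXPRESS;Initial Catalog=Project_mydb;Integrated Security=True";
        const int Pbkdf2Iterations = 10000; // assumption; raise as your hardware allows
        protected void btnLogin_Click(object sender, EventArgs e)
        {
            if (VerifyCredentials(txtUserName.Text, txtPassword.Text))
            {
                Session["userId"] = txtUserName.Text;
                Response.Redirect("Home.aspx");
            }
            else
            {
                ErrorLabel.Visible = true; // one generic message; don't reveal which half was wrong
            }
        }
        // Fetch only the one row needed, by parameter; the password itself never reaches SQL.
        static bool VerifyCredentials(string username, string password)
        {
            using (var conn = new SqlConnection(ConnStr))
            using (var cmd = new SqlCommand("SELECT PasswordHash, Salt FROM Login WHERE Username = @Username", conn))
            {
                cmd.Parameters.AddWithValue("@Username", username);
                conn.Open();
                using (SqlDataReader rdr = cmd.ExecuteReader())
                {
                    if (!rdr.Read()) return false; // unknown user: same outcome as a wrong password
                    byte[] storedHash = (byte[])rdr["PasswordHash"];
                    byte[] salt = (byte[])rdr["Salt"];
                    byte[] computed = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations).GetBytes(storedHash.Length);
                    return FixedTimeEquals(computed, storedHash); // nothing stored in plaintext, no early-exit compare
                }
            }
        }
        // Compare every byte so the time taken doesn't depend on where the first mismatch is.
        static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

On the posted logout handler: Response.Redirect(url) ends the response before the following lines execute, so Session.Abandon() there never runs; call Session.Abandon() first and redirect last.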
