-1

I am trying to build a small login web application in ASP.NET, but now I'm getting an error while filling in and submitting the form in the live browser preview:

protected void Button1_Click(object sender, EventArgs e)
{
    // Connection string read from web.config
    SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["DefaultConnection"].ToString());
    con.Open();

    // User name and password are concatenated straight into the SQL text
    string query = "select * from login where user_login='" + txtuser.Text + "' and '" + txtpass.Text + "' ";

    SqlCommand cmd = new SqlCommand(query, con);

    // ExecuteScalar returns the first column of the first row
    string output = cmd.ExecuteScalar().ToString();

    if (output == "0")
    {
        Session["user"] = txtuser.Text;
        Response.Redirect("");
    }
    else
        Response.Write("Login Failed");
}

http://prntscr.com/gm0vrr

marc_s
    Do be careful of SQL injection as well, while this might be just a small demo and you are aware of it I just wanted to be sure. Read more about it here [W3Schools SQL injection](https://www.w3schools.com/sql/sql_injection.asp) – Hassan Mahmud Sep 16 '17 at 22:00
  • Use quote to share the exception message instead of img. – Circle Hsiao Sep 17 '17 at 05:17
  • You can't just load a bunch of columns into a single string. Perhaps in your SQL Query you need `select count(*) as c..` instead of `select * ....` – Nick.Mc Sep 17 '17 at 12:46

3 Answers

2

You really should be using parameter binding instead of injecting text into the query.

With that said, the error appears to be in the query's second AND clause as it is missing the column name:

string query = "select * from login where user_login='" + txtuser.Text + "' and user_password='" + txtpass.Text + "'";

Additionally, consider not storing passwords in plain text as it could represent a security vulnerability.

Mateus Schneiders
0

Use a framework to do SQL querying easily. I recommend you learn about Entity Framework or Dapper. If you still want to do it that way, please use parameters like

SELECT * FROM UserLogin WHERE Username = @Username AND Password = @Password

The @ marks a parameter, and your code would look like

string sql = "SELECT COUNT(*) FROM UserLogin WHERE Username = @Username AND Password = @Password";

using (SqlCommand cmd = new SqlCommand(sql, sqlcon))
{
    // Values are bound as parameters, never concatenated into the SQL text
    cmd.Parameters.Add(new SqlParameter("@Username", TextBox1.Text));
    cmd.Parameters.Add(new SqlParameter("@Password", TextBox2.Text));
    string output = cmd.ExecuteScalar().ToString();
}

Or you can refer to this post. Someone explained it to me before.

Fityan Aula
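The first answer recommends parameter binding and not storing passwords in plain text, and the second shows the `@Username` / `@Password` parameter form. The following is an added example that combines both points; it is not code from the question or from any of the answers. It assumes a hypothetical table `login` with columns `user_login`, `pw_hash`, `pw_salt` and `pw_iterations` (the original page only names `login` and `user_login`), and it uses `Rfc2898DeriveBytes` (PBKDF2) from the .NET Framework, so the database never holds the password itself. It also reads the row with `ExecuteReader` instead of `ExecuteScalar` on `select *`, which is what made the original `output == "0"` check meaningless.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Hypothetical helper (added example; names and table layout are assumptions).
public static class LoginCheck
{
    const int SaltLength = 16;
    const int HashLength = 32;
    const int DefaultIterations = 100000;

    // Looks up the user by name with a bound parameter and verifies the
    // submitted password against the stored salted PBKDF2 hash.
    public static bool VerifyLogin(string connectionString, string userName, string password)
    {
        const string query =
            "SELECT pw_hash, pw_salt, pw_iterations FROM login WHERE user_login = @UserName";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(query, con))
        {
            // Typed parameter: the value can never change the SQL text
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            con.Open();

            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;                      // unknown user

                byte[] storedHash = (byte[])reader["pw_hash"];
                byte[] salt = (byte[])reader["pw_salt"];
                int iterations = (int)reader["pw_iterations"];

                byte[] candidate = Derive(password, salt, iterations, storedHash.Length);
                return FixedTimeEquals(candidate, storedHash);
            }
        }
    }

    // Produces the salt, hash and iteration count to store when a user is created.
    public static void CreateCredential(string password, out byte[] salt, out byte[] hash, out int iterations)
    {
        salt = new byte[SaltLength];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        iterations = DefaultIterations;
        hash = Derive(password, salt, iterations, HashLength);
    }

    static byte[] Derive(string password, byte[] salt, int iterations, int length)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(length);
    }

    // Compares every byte so the comparison time does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// How the button handler from the question would call it (assumed page names).
public partial class LoginPage : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        string cs = ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString;

        if (LoginCheck.VerifyLogin(cs, txtuser.Text, txtpass.Text))
        {
            Session["user"] = txtuser.Text;
            Response.Redirect("~/Default.aspx");
        }
        else
        {
            Response.Write("Login Failed");
        }
    }
}
```

`CreateCredential` is what a registration page would call; the three values it returns are what `VerifyLogin` later reads back. Both `SqlConnection` and `SqlCommand` are disposed by the `using` blocks, which the original handler also omitted.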
0

SqlDataAdapter daGetUserDetail = new SqlDataAdapter("select * from login where user_login='" + txtuser.Text + "' and user_password='" + txtpass.Text + "'", con);

// Fill a DataTable and check whether any row matched
DataTable dtGetUserDetail = new DataTable();
dtGetUserDetail.Clear();
daGetUserDetail.Fill(dtGetUserDetail);

if (dtGetUserDetail.Rows.Count > 0)
{
    Session["user"] = txtuser.Text;
    Response.Redirect("");
}
else
    Response.Write("Login Failed");
  • Dear, can you explain which part of this code you have a problem with? I will resolve your problem, or send me the file and I will put in your code and send it back. – Junaid Ahmad Oct 08 '17 at 06:31