I am having a problem while login, the registered user's name, email and password is saved in the database and the email is the username. When i am logging through email and password it shows the error "There is no row at position 0."
Here's my code :
con.Open();
cmd = new SqlCommand("select * from userinfo where username='" + t1.Text.ToString() + "' and password='" + t2.Text.ToString() + "'", con);
da = new SqlDataAdapter(cmd);
da.Fill(ds, "abc");
Session["name"] = ds.Tables["abc"].Rows[0][1].ToString();
con.Close();
cmd = new SqlCommand("SELECT * FROM userinfo WHERE username = #username AND password = #password", con);
cmd.Paramater.AddWithValue("#username", t1.Text.ToString());
cmd.Paramater.AddWithValue("#password", t2.Text.ToString());
con.open();
SqlDataReader dr = cmd.ExecuteReader();
dr.read();
if(dr.hasRows){
Session["name"] = dr["username"].ToString();
}
con.close();
Try not to throw variables into a sql command. SQL injection and all. Try and pass the paramater
Because reason is the no one record found in Db same as a passing username and password and you can directly access so its give exception. Please add one if condition below like.
con.Open();
cmd = new SqlCommand("SELECT * FROM userinfo WHERE username = #username AND password = #password", con);
cmd.Paramater.AddWithValue("#username", t1.Text.ToString());
cmd.Paramater.AddWithValue("#password", t2.Text.ToString());
da = new SqlDataAdapter(cmd);
da.Fill(ds, "abc");
if(ds.Tables["abc"].Rows.Count>0)
{
Session["name"] = ds.Tables["abc"].Rows[0][1].ToString();
}
con.Close();
The exception is because there are no records in that table.
There are no rows, so there is no Rows[0].
Try something like this:
using (var con = new SqlConnection(connectionString))
{
con.Open();
cmd = new SqlCommand("SELECT * FROM userinfo WHERE username = #1 AND password = #2", con);
cmd.Paramater.AddWithValue("#1", t1.Text);
cmd.Paramater.AddWithValue("#2", t2.Text);
da = new SqlDataAdapter(cmd);
da.Fill(ds, "abc");
if(ds.Tables["abc"].Rows.Any())
Session["name"] = ds.Tables["abc"].Rows[0][1].ToString();
con.Close();
}
You should use parameters when constructing SQL queries to avoid injection attacks.
Don't forget that SqlConnection is IDisposable, so should be in a using statement (you might already be doing this, but i've included it here just in case).
It also looks like the user's password is being compared to the input from a TextBox (or a similar control)? If so, the user's password should not be stored in plain text in the database as this is a security issue. Consider hashing the stored password, doing the same with the user's input, and comparing that instead.
This wasn't part of the question, I know, but worth pointing out just in case.
Related
In my code behind, I have this
{
Label2.Text = "[" + HttpContext.Current.User.Identity.Name + "]";
}
to identify the username in domain. So far so good. It works properly in IIS.
However, I would like to store the username into a database. How can I do that?
The idea is to record the person who answer to this:
string insertCmd = "INSERT INTO worker(Business,Business2,Mobile) VALUES (#Business,#Business2,#Mobile)";
using (Conn)
{
Conn.Open();
OleDbCommand myCommand = new OleDbCommand(insertCmd, Conn);
myCommand.Parameters.AddWithValue("#Business", business.Text);
myCommand.Parameters.AddWithValue("#Business2", business2.Text);
myCommand.Parameters.AddWithValue("#Mobile", mobile.Text);
myCommand.ExecuteNonQuery();
Label1.Text = "Saved Successfull!";
Label1.ForeColor = System.Drawing.Color.Green;
}
I have the answer inserted into the database, but how can I save the person who answer? Can I save the label into the database table? Or is it impossible?
Just add a username field to your table and add another parameter:
string insertCmd = "INSERT INTO worker(Business,Business2,Mobile,username) VALUES (#Business,#Business2,#Mobile,#username)";
using (Conn) {
Conn.Open();
OleDbCommand myCommand = new OleDbCommand(insertCmd, Conn);
myCommand.Parameters.AddWithValue("#Business", business.Text);
myCommand.Parameters.AddWithValue("#Business2", business2.Text);
myCommand.Parameters.AddWithValue("#Mobile", mobile.Text);
myCommand.Parameters.AddWithValue("#username", HttpContext.Current.User.Identity.Name);
myCommand.ExecuteNonQuery();
Label1.Text = "Saved Successfull!";
Label1.ForeColor = System.Drawing.Color.Green;
}
while i'm trying to get single record from database table,based on login user details. i'm getting error,let me know where i'm doing wrong.
string cs = ConfigurationManager.ConnectionStrings["dbcs"].ConnectionString;
SqlConnection cn = new SqlConnection((cs));
cn.Open();
SqlCommand cmd = new SqlCommand("select * from Student_Details where Sid=#Sid", cn);
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);
cmd.ExecuteNonQuery();
GridView1.DataBind();
Why you are executing query for select statement - cmd.ExecuteNonQuery(); not require..
You have to pass parameter value also
cmd.Parameters.AddWithValue("#sid", sid);
you missed this lines:
cmd.Parameters.AddWithValue("sid", User.Identity.Name)
and also cmd.ExecuteNonQuery(); is not necessary.
I have a simple code i am just trying to know if the given userid entered is already registered. So i write;
string a="somestring";
conn = new OracleConnection("Data Source=Home-PC;Persist Security Info=True;UserID=ali;Password=abc123;");
conn.Open();
OracleCommand cmd = new OracleCommand("select * from users where userid=#a", conn);
cmd.Parameters.AddWithValue("#a", a);
var data = cmd.ExecuteReader(); <-- Here it shows error *illegal variable name/number*
if (data.HasRows) return false;
else return true;
what am i doing wrong?
When you are using named parameters in an SQL statement referenced by an OracleCommand, you must precede the parameter name with a colon (:).
Try changing your command text from
OracleCommand cmd = new OracleCommand("select * from users where userid=#a", conn);
to
OracleCommand cmd = new OracleCommand("select * from users where userid = :a", conn);
cmd.Parameters.AddWithValue(":a", a);
and then execute you command as follows
OracleDataReader reader = cmd.ExecuteReader();
aspx
TextBox1.Text
World.aspx
TextBox1.Text
I want the pages Hello.aspx and World.aspx having same value of validation
please help me anybody have the idea about this
You need to save the value on the first page using cookies or database or something else.
Then retrieve the value in the second page and compare the values in the validation function or event.
using(SqlConnection cn = new SqlConnection(connStr))
{
using(SqlCommand cmd = new SqlCommand())
{
cmd.Connection = cn;
string sql = string.Format(#"select email from customers where customer_id = '{0}'", customer_id);
cmd.CommandType = CommandType.Text;
//try and catch block would go here
cmd.CommandText = sql;
cn.Open();
SqlDataReader rdr = cmd.ExecuteReader();
string email = rdr[0].ToString();
cn.Close();
}
}
I am using this code snippet to update values in my database :
SqlConnection con = new SqlConnection(#"Data Source=SAMA-PC\SQLEXPRESS;Initial Catalog=advCenter;Integrated Security=True");
string str = "sama#yahoo.com";
SqlCommand com2 = new SqlCommand("select [user_Account] from User in str where [user_Email]=sama#yahoo.com", con);
SqlCommand com = new SqlCommand("update User set [user_Account]=? WHERE [user_Email=#em]", con);
com.Parameters.AddWithValue("user_Account",str);
com.Parameters.AddWithValue("#em",str);
con.Open();
com.ExecuteNonQuery();
com2.ExecuteNonQuery();
con.Close();
but I get this error
Incorrect syntax near the keyword 'User'.
Line 40: com.ExecuteNonQuery();
"User" is a reserved word in SQL. Wrap the name of the table in square brackets to specify that it's the name of something:
[User]
Why are you using two separate SqlCommand objects?? Absolutely not needed..... I would try to either UPDATE or SELECT - don't mix two totally separate operations into a single call....
Also: you should use parametrized queries to avoid SQL injection attacks, and you should put your SqlConnection and SqlCommand objects into using blocks - try this:
string updateStmt =
"UPDATE dbo.[User] SET [user_Account] = #AccountValue WHERE [user_Email] = #UserEMail;";
using(SqlConnection con = new SqlConnection(#"Data Source=SAMA-PC\SQLEXPRESS;Initial Catalog=advCenter;Integrated Security=True"))
using(SqlCommand _cmd = new SqlCommand(updateStmt, con))
{
_cmd.Parameters.Add("#AccountValue", SqlDbType.VarChar, 100).Value = str;
_cmd.Parameters.Add("#UserEMail", SqlDbType.VarChar, 100).Value = str;
con.Open();
_cmd.ExecuteNonQuery();
con.Close();
}