c# - ASP.NET Login, invalid password


    con.Open();
    string mysql;
    // generate sql insert query for the database
    mysql = "select 1 from [users] where username=? and password=?";
    OleDbCommand cmd = new OleDbCommand(mysql, con);
    cmd.Parameters.AddWithValue("@p1", tbuser.Text);
    cmd.Parameters.AddWithValue("@p2", tbpass.Text);
    cmd.ExecuteNonQuery();
    int temp = Convert.ToInt32(cmd.ExecuteScalar().ToString());
    if (temp == 1)
    {
        Session["login"] = lbluser.Text;
        lbllogin.Text = "Welcome " + lbluser.Text + ", logged in.";
    }
    else
    {
        lbllogin.Text = "Invalid username/password!";
    }
    con.Close();

Error: syntax error in clause.

"OleDbException was unhandled by user code."

Thanks.

Edit

Now that we're closer, there are many things wrong with the code. Standard practice is to check the username/password combination in one shot:

    mysql = "select 1 from [user] where username=? and password=?";
    OleDbCommand checkuser = new OleDbCommand(mysql, con);
    // add OleDbParameters here with the correct type/length
    checkuser.Parameters.Add("@username", OleDbType.Char, 20).Value = tbuser.Text;
    checkuser.Parameters.Add("@password", OleDbType.Char, 20).Value = tbpass.Text;

    int temp = Convert.ToInt32(checkuser.ExecuteScalar().ToString());

And adding parameters to the command with the username and password values. That way, hackers can't determine valid usernames without knowing the password.


This block:

    mysql2 = "select * from [user] where password='" + tbpass.Text + "'";
    OleDbCommand pass = new OleDbCommand(mysql2, con);
    string password = pass.ExecuteScalar().ToString();

will return the first column from the first row of the result set. Unless password is the first column in the user table, you're not getting the password back, you're getting some other value.

It should be:

    // note: tbpass.Text is still concatenated into the SQL here; the parameterised checkuser form above avoids that
    mysql2 = "select password from [user] where password='" + tbpass.Text + "'";
    OleDbCommand pass = new OleDbCommand(mysql2, con);
    string password = pass.ExecuteScalar().ToString();
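The one-shot check from the answer, as a complete added example (not the asker's or answerer's code). The one thing it does differently is handle `ExecuteScalar()` returning null when no row matches: the page's `.ToString()` on that null throws a NullReferenceException instead of ever reaching the "invalid" branch. It assumes the `[user]` table with char(20) `username` and `password` columns from the answer, the `tbuser`/`tbpass`/`lbllogin` controls from the question (declared in the Web Forms designer file), and a hypothetical `btnLogin` button and connection string.

```csharp
using System;
using System.Data.OleDb;

public partial class Login : System.Web.UI.Page
{
    // Assumed: the page never shows a connection string, so this is a placeholder.
    private const string ConnectionString = "<your OLE DB connection string>";

    // One round trip: true only if a row matches both username and password.
    // Typed, fixed-length parameters as in the answer's checkuser example.
    public static bool IsValidLogin(OleDbConnection con, string username, string password)
    {
        const string sql = "select 1 from [user] where username = ? and password = ?";
        using (var cmd = new OleDbCommand(sql, con))
        {
            // OLE DB binds parameters by position, so the order of the Add calls
            // must match the order of the ? placeholders; the names are only labels.
            cmd.Parameters.Add("@username", OleDbType.Char, 20).Value = username;
            cmd.Parameters.Add("@password", OleDbType.Char, 20).Value = password;

            // ExecuteScalar returns null when no row matched. The question's code
            // calls .ToString() on that null and throws instead of taking the else branch.
            object result = cmd.ExecuteScalar();
            return result != null && result != DBNull.Value;
        }
    }

    // Assumed button handler; btnLogin is not on the original page.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        using (var con = new OleDbConnection(ConnectionString))
        {
            con.Open();
            if (IsValidLogin(con, tbuser.Text, tbpass.Text))
            {
                Session["login"] = tbuser.Text;
                lbllogin.Text = "Welcome " + tbuser.Text + ", logged in.";
            }
            else
            {
                // One message for both "unknown user" and "wrong password", as the
                // answer advises, so the response does not reveal which usernames exist.
                lbllogin.Text = "Invalid username/password!";
            }
        }
    }
}
```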
