
I am having a problem getting HTML input values using C# for a Login page. I have had luck using just a regular ASP element, but not so much with pure HTML.

I am trying to have the C# grab the username and password inputs from the HTML form to then send as strings to a MySQL db proc. If the username/password combination does not exist, I am trying to redirect back to the Login.aspx page, and if it does, to "google.com". The username and password are also saved in a session.

My HTML looks like the following:

<form action="Login.aspx.cs" runat="server" method="post">
            <input type="text" name="un" pattern="a[0-9]{6}" required="required" placeholder="a000000"/><br />
            <input type="password" name="pw"  required="required" /><br />
            <asp:Button ID="Button1" Text="text" runat="server" OnClick="Login1_Authenticate" />
</form>

And my C# looks like the following:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;


public partial class Login : System.Web.UI.Page
{
    int status;
    int role;
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    public void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {

        //// create an open connection
        SqlConnection conn =
            new SqlConnection("Data Source=MachineName;"
            + "Initial Catalog=DBName;"
            + "User ID=Usr ;Password=Password");

        conn.Open();

        string userName = Page.Request.Form["un"].ToString();
        string pw = Page.Request.Form["pw"].ToString();
        //userName = Convert.ToString(Console.ReadLine());


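        //// create a SqlCommand object for this connection
        SqlCommand command = conn.CreateCommand();
        //// pass the user input as parameters instead of concatenating it into the SQL text
        command.CommandText = "EXEC dbo.SP_CA_CHECK_USER @USER_ID = @userId, @PASSWORD = @password";
        command.Parameters.AddWithValue("@userId", userName);
        command.Parameters.AddWithValue("@password", pw);
        command.CommandType = CommandType.Text;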

        //// execute the command that returns a SqlDataReader
        SqlDataReader reader = command.ExecuteReader();

        //// display the results
        while (reader.Read())
        {
            status = reader.GetInt32(0);
        }

        //// close first reader
            reader.Close();


            if (status == 0)
            {
                //login
                Session["userID"] = userName;
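                //// reuse the command with a fresh parameter list; the user name is still passed as a parameter
                command.Parameters.Clear();
                command.Parameters.AddWithValue("@userId", userName);
                command.CommandText = "EXEC dbo.SP_CA_RETURN_USER_ROLE @USER_ID = @userId";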
                reader = command.ExecuteReader();
                while (reader.Read())
                {
                    role = reader.GetInt32(0);
                }

                Session["roleID"] = role;

                if (Session["userID"] != null)
                {
                    string userID = (string)(Session["userID"]);
                    // string roleID = (string)(Session["roleID"]);
                }
                Response.Redirect("http://www.microsoft.com");
            }
            else
            {
                //wrong username/password
                Response.Redirect("http://www.microsoft.com");
            }



            // close the connection
            reader.Close();
            conn.Close();

    }
}
  • Add an id attribute to your input fields. id="un" and id="pw" Commented Jul 7, 2014 at 20:05

1 Answer


You have to do several things:

  1. Change the form action to Login.aspx, not to the code behind file (.cs)

  2. Remove the runat="server" from the form. It doesn't harm, but it would make sense only if your <form> tag had to be rendered on server side, and that's not the case: it's pure HTML. It would make sense if, for example, some of the <form> attributes depended on server code.

  3. Use a simple <input type="submit" value="Login button caption"> button to POST the form.

  4. Implement the code in the Page_Load event, but only if IsPostBack is true (that means that the page is being rendered in response to a POST request).

Explanation: if you post a form in the standard way to the .aspx file, its code behind will run. If the login form is requested for the first time, for example by typing its URL in the browser, the request is a GET and the server must send the empty form to the browser. But, if the user clicks the submit button, it is a POST request, and the code behind must try to log in the user. To differentiate between GET and POST you can use the IsPostBack property: if it's true, it's a POST. If not, it's a GET. You can do that directly in the Page_Load event.

In the case where the user has entered the wrong username and password, you must return the original form to give the user a new chance to log in. As you're using standard HTML controls, there is no ViewState. That means that the posted un value (user name) will be lost, unless you set it back on the server before sending the form to the user. You can use the <% = %> syntax to set the input value attribute, so that the entered user name is returned to the browser.

Take into account that mixing up pure HTML and server controls can get tricky. If you take a path, you'd better follow it, and don't mix things up, unless you know very well what you're doing. So, in my explanation I'm only using a pure standard HTML / HTTP approach.
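
The approach described in this answer, written out as Login.aspx.cs code-behind; this is an added example, not code from the question or the answer. It checks the HTTP method directly, passes the credentials as parameters, repeats the form's `pattern` check on the server, and encodes the user name before it is echoed back. The `UserNameAttr` field, the way the stored procedure's parameters are bound, and the connection string values are assumptions.

```csharp
// Added example, not the poster's code. Code-behind for a plain HTML form
// that posts the fields "un" and "pw" to Login.aspx.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public partial class Login : System.Web.UI.Page
{
    // Hypothetical field; the markup would echo it with value="<%= UserNameAttr %>".
    protected string UserNameAttr = "";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Check the HTTP method directly so the branch does not depend on Web Forms postback fields.
        if (Request.HttpMethod != "POST") return;

        string userName = Request.Form["un"] ?? "";
        string pw = Request.Form["pw"] ?? "";
        // Encode before reflecting into the value attribute; the posted value is untrusted.
        UserNameAttr = HttpUtility.HtmlAttributeEncode(userName);

        // pattern/required in the HTML are enforced only by the browser; repeat them here.
        if (pw.Length == 0 || !Regex.IsMatch(userName, @"\Aa[0-9]{6}\z")) return;

        int status = -1; // anything other than 0 is treated as a failed login
        // Placeholder connection string, copied from the question.
        using (var conn = new SqlConnection("Data Source=MachineName;Initial Catalog=DBName;User ID=Usr;Password=Password"))
        using (var cmd = new SqlCommand("dbo.SP_CA_CHECK_USER", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Values travel as parameters and are never concatenated into SQL text.
            cmd.Parameters.AddWithValue("@USER_ID", userName);
            cmd.Parameters.AddWithValue("@PASSWORD", pw);
            conn.Open();
            object result = cmd.ExecuteScalar(); // first column of the first row
            if (result != null && result != DBNull.Value) status = Convert.ToInt32(result);
        } // both objects are disposed here, even if the query throws

        if (status != 0) return; // the form is rendered again with UserNameAttr filled in

        Session["userID"] = userName;
        // endResponse: false avoids the ThreadAbortException of the one-argument overload.
        Response.Redirect("http://www.microsoft.com", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```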
