
I'm trying to write ASP.NET code in C# which will basically have a login page with username and password. If I enter username and password as "admin" it will open Admin.aspx.

Likewise for "employee" it's employee.aspx and for "manager" it's manager.aspx.

I have written quite a bit but am stuck at the end. Please help with how to open the appropriate page. The username and password are stored in a database and I have to match them against the database.

protected void Button1_Click(object sender, EventArgs e)
{
     SqlConnection con = new SqlConnection("Data Source=(local);Initial Catalog=payroll;Integrated Security=True");
     // the query text is built by string concatenation; the @username/@password parameters added below are never referenced by it
     SqlCommand cmd = new SqlCommand("Select employeeid FROM employees WHERE username='" + TextBox1.Text + "' and password='" + TextBox2.Text + "'", con);

     cmd.CommandType = CommandType.Text;
     cmd.Parameters.AddWithValue("@username", TextBox1.Text);
     cmd.Parameters.AddWithValue("@password", TextBox2.Text);

     con.Open();

     SqlDataReader dr = cmd.ExecuteReader();

     if (dr.Read())                         //I'M WRONG FROM HERE ONWARDS.
     {
        Response.Redirect("Admin.aspx");
     }

     dr.Close();
     con.Close();
}

3 Answers

You should:

  • REALLY use a parameterized query to avoid SQL injection and other messy business
  • put all your disposable objects like SqlConnection and SqlCommand into using(...) { ... } blocks
  • read both the employeeid and the role of the employee to make the decision where to jump off to
  • avoid using AddWithValue which has its drawbacks (see )
  • ALSO: you should NOT store your passwords in CLEAR TEXT in your table! You should ALWAYS hash & salt your password - no exception

Try this code:

protected void Button1_Click(object sender, EventArgs e)
{
    // define your connection string (typically from a .config file) and your query WITH parameters!
    string connectionString = "Data Source=(local);Initial Catalog=payroll;Integrated Security=True";
    string query = "SELECT employeeid, role FROM employees WHERE username=@user AND password=@pwd;";

    // set up a connection and command in using() blocks
    using (SqlConnection con = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand(query, con))
    {
        // add parameters and set their values
        cmd.Parameters.Add("@user", SqlDbType.VarChar, 50).Value = TextBox1.Text;
        cmd.Parameters.Add("@pwd", SqlDbType.VarChar, 50).Value = TextBox2.Text;

        // open connection
        con.Open();

        // establish data reader
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            // if at least one row is returned....
            if (dr.Read())
            {
                // get employee ID and role from the reader (employeeid may be an int column, so convert rather than cast)
                string employeeId = Convert.ToString(dr.GetValue(0));
                string role = dr.GetString(1);

                // depending on role, jump off to various pages
                switch (role)
                {
                    case "admin":
                        Response.Redirect("Admin.aspx");
                        break;

                    case "manager":
                        Response.Redirect("manager.aspx");
                        break;

                    default:
                        Response.Redirect("employee.aspx");
                        break;
                }
            }
            else
            {
                // what do you want to do if NO ROW was returned? E.g. user/pwd combo is wrong
            }

            dr.Close();
        }

        con.Close();
    }
}
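Added example, not code from the answer above: the same parameterized lookup, but with the password check done in code against a salted PBKDF2 hash (as the answer's last bullet recommends) and the redirect target taken from a fixed role-to-page map. The columns pwd_hash and pwd_salt, the LoginHelper class and the Authenticate method are assumptions; the hash-generation side at registration is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
// Assumed schema: employees(username, role, pwd_hash VARBINARY(32), pwd_salt VARBINARY(16)),
// where pwd_hash = PBKDF2(password, pwd_salt, Iterations). No clear-text password is stored.
public static class LoginHelper
{
    const int Iterations = 100000; // PBKDF2 work factor, tune for your hardware
    // Fixed role-to-page map: the redirect target never comes from user input.
    static readonly Dictionary<string, string> RolePages =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "admin", "Admin.aspx" }, { "manager", "manager.aspx" }, { "employee", "employee.aspx" }
        };

    // Returns the page to redirect to, or null when username/password do not match.
    public static string Authenticate(string connectionString, string username, string password)
    {
        const string query = "SELECT role, pwd_hash, pwd_salt FROM employees WHERE username = @user;";
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(query, con))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username;
            con.Open();
            using (var dr = cmd.ExecuteReader())
            {
                if (!dr.Read()) return null;          // unknown user: same outcome as a wrong password
                string role = dr.GetString(0);
                byte[] storedHash = (byte[])dr["pwd_hash"];
                byte[] salt = (byte[])dr["pwd_salt"];
                byte[] computed;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                    computed = kdf.GetBytes(storedHash.Length);
                if (!FixedTimeEquals(computed, storedHash)) return null;
                string page;
                return RolePages.TryGetValue(role, out page) ? page : "employee.aspx";
            }
        }
    }

    // Compares every byte regardless of where the first mismatch is, so timing does not leak it.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In Button1_Click, call Authenticate with the connection string and the two text box values, then Response.Redirect to the returned page when it is non-null and show a generic "invalid login" message otherwise.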

You need one extra thing, and that is a dropdown list; that dropdown will be used to specify the user type.

Or better would be if you had a separate page for each login type.

2 Comments

Yes, I can do it with the dropdown menu... I was trying this so it would do it automatically.
Then just do what you are doing, and when you authenticate against the DB, at that time also get the role and based on that redirect to the respective page.
if (dr.Read())
{
    // HasRows is a property, not a method; after a successful Read() it is always true
    if (dr.HasRows)
    {
        // column values come back as object, so convert to string before ToLower()
        string username = dr["username"].ToString().ToLower();
        if (username == "admin")
        {
            Response.Redirect("Admin.aspx");
        }
        else if (username == "manager")
        {
            Response.Redirect("manager.aspx");
        }
        // and more else if
    }
}

3 Comments

Okay, trying this... just a question though. With your code, if(dr["username"].ToLower() == "admin") is only checking the username. Do I have to do the password check here by using && dr["password"], or will it be done by the query itself?
Hm, you should check dr.HasRow() just before the ifs. If it returns true, it means the username and password combination is correct.
Okay... so do I need the cmd.CommandType = CommandType.Text; cmd.Parameters.AddWithValue("@username", TextBox1.Text); cmd.Parameters.AddWithValue("@password", TextBox2.Text); ??
