0

I'm trying to create a Registration Page using Webforms that'll connect to a MySQL database and insert the data, but it throws up an ArgumentException (even though I believe I'm following my tutorial exactly) and will not insert the data into the table.

My C# code for the Registration page is thus:

 public partial class Registration : System.Web.UI.Page
{
    MySql.Data.MySqlClient.MySqlConnection conn;
    MySql.Data.MySqlClient.MySqlCommand cmd;
    String queryStr;
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void registerEventMethod(object sender, EventArgs e)
    {
        registerUser();
    }

    private void registerUser()
    {
        String connString =
            System.Configuration.ConfigurationManager.ConnectionStrings["WebAppConnString"].ToString();

        conn = new MySql.Data.MySqlClient.MySqlConnection(connString);
        conn.Open();
        queryStr = "";

        queryStr = "INSERT INTO seniorschema.registration (Password1, Email, FirstName, LastName, Password2, Code)" +
            "VALUES('" + PasswordTextBox1.Text +"','"+ EmailTextbox.Text +"','"+ firstNameTextBox.Text+"','"+ LastNameTextBox.Text + "' ,'"+ PasswordTextBox2.Text +"', '"+ CodeTextBox.Text + "'  )";
        cmd = new MySql.Data.MySqlClient.MySqlCommand(queryStr, conn);

        cmd.ExecuteReader();

        conn.Close();
    }
}

And my connection in the WebConfig file is here:

<connectionStrings>
<add name="WebAppConnString"
     connectionString="server=localhost;ID=webuser;pwd=password;database=seniorschema;"
     providerName="MySql.Data.MySqlClient"/>
</connectionStrings>

Any help would be most appreciated. Thanks!

  • 1
    Which line throws the exception? Also, if you're following the tutorial *exactly* then you should know that it's a *terrible* tutorial. The code you've written is wide open to SQL injection attacks, stores user passwords in plain text, etc. – David Oct 08 '14 at 16:31
  • Please study this: http://en.wikipedia.org/wiki/SQL_injection – n8wrl Oct 08 '14 at 17:08

1 Answer

3

I don't know what tutorial you are reading, but they should never teach to use string concatenation when building an SQL command text.

However, the error you get is from the connection string.
You should write

String connString = ConfigurationManager.ConnectionStrings["WebAppConnString"].ConnectionString;

There is also an error in the definition of the connection string in the web.config (a typo?). It is Uid=.... not ID=....

And here is how I would write the code that adds the record.

using MySql.Data.MySqlClient;

....

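// Placeholders (@pwd, @email, ...) stand in for the values; the SQL text itself never changes.
queryStr = @"INSERT INTO seniorschema.registration
            (Password1, Email, FirstName, LastName, Password2, Code)
            VALUES(@pwd, @email, @first, @last, @pwd2, @code)";

// The using blocks close and dispose the connection and command even if an exception is thrown.
using(MySqlConnection conn = new MySqlConnection(connString))
using(MySqlCommand cmd = new MySqlCommand(queryStr, conn))
{
    conn.Open();
    // Each value is bound as a parameter instead of being concatenated into the command text.
    cmd.Parameters.AddWithValue("@pwd",PasswordTextBox1.Text);
    cmd.Parameters.AddWithValue("@email",EmailTextbox.Text );
    cmd.Parameters.AddWithValue("@first",firstNameTextBox.Text);
    cmd.Parameters.AddWithValue("@last",LastNameTextBox.Text );
    cmd.Parameters.AddWithValue("@pwd2",PasswordTextBox2.Text );
    cmd.Parameters.AddWithValue("@code",CodeTextBox.Text);
    // ExecuteNonQuery returns the number of rows affected by the INSERT.
    int rowAdded = cmd.ExecuteNonQuery();
}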

This approach removes the string concatenation, with all the complexities required to correctly code the quotes around the values, and also removes any possibility of SQL injection.

Finally, but this is really an argument too broad and not immediately linked to your question.
It is a bad practice, from a security standpoint, to store passwords in clear text. If someone could get a copy of or read the registration table, he/she will be able to read the passwords of all users registered. There are proven methods that store a hash of the password to make them unreadable to onlookers.

Steve