Checking database for username and password

Question

I'm creating a website using asp.net. So far, I have a registration page finished which saves details to a database table.

How would I check if a username and password is in that table, then allow them to proceed to the next page?

Here is my code for registration;

SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["userinfo.ConnectionString"].ConnectionString);
conn.Open();

string insertQuery = "INSERT INTO [user] (UserName, FirstName, LastName, Email, Password, Country) VALUES (@uname, @fname, @lname, @email, @password, @country)";

SqlCommand comm = new SqlCommand(insertQuery, conn);

comm.Parameters.AddWithValue("@uname", usernametextbox.Text);
comm.Parameters.AddWithValue("@fname", fnametextbox.Text);
comm.Parameters.AddWithValue("@lname", lnametextbox.Text);
comm.Parameters.AddWithValue("@email", emailtextbox.Text);
comm.Parameters.AddWithValue("@country", DropDownListcountry.Text);
comm.Parameters.AddWithValue("@password", passwordtextbox.Text);

comm.ExecuteNonQuery();

conn.Close();

I'm guessing I'd need to create a SELECT query, with an if-statement maybe?

You would query the database ... or [Introduction to Membership](http://msdn.microsoft.com/en-us/library/yh26yfzy%28v=vs.100%29.aspx) — Alex K., Dec 03 '14 at 15:58
This is duplicate please check the link http://stackoverflow.com/questions/17871307/check-database-for-username-or-password-oleddb-connection — prasy, Dec 03 '14 at 15:58
Side note, you should [wrap your SqlConnection in a using statement](http://stackoverflow.com/questions/18588049/sqlconnection-close-inside-using-statement). — mason, Dec 03 '14 at 16:05
You haven't given a reason for recreating something Microsoft has already created (3 times at least now). Instead, I'd recommend reading the tutorials for your chosen platform: [WebForms](http://www.asp.net/web-forms/overview/security), [MVC](http://www.asp.net/mvc/overview/security), or [Web Pages](http://www.asp.net/web-pages). Additionally, you should literally *never* store a password in plain-text. — Erik Philips, Dec 03 '14 at 16:07

score 0 · Answer 1 · answered Dec 03 '14 at 16:19

Kris,

You are getting down-votes on this question because you are asking something that you could VERY easily figure out on your own using Google.

That being said, yes, you are correct that you will need to use a SELECT statement. I'm not going to give you the exact .NET or SQL syntax as that would rob you of the learning experience. But, figure out how to do a SELECT COUNT query. You basically want to count the number of rows that already exist with the username and password supplied. Instead of using ExecuteNonQuery, you would use ExecuteScalar, which returns a single value.

Then in your .NET code, you would look at that count value that is returned. If it's 0, proceed. If it's more than 0, do something else.

All that being said, .NET has some built-in tools that do ALL of this work for you. Find them and use them!

In the future, try to spend more time doing some research on your own before coming here and asking for help.

Good luck!

:-) Well, I see someone else already gave you the exact syntax, along with the name of the built in .NET tools (ASP Membership). Too bad. Learning on your own would have been more of a help to you. — Casey Crookston, Dec 03 '14 at 16:21

score 0 · Answer 2 · answered Dec 06 '14 at 22:40

If you use textboxes in login page for username and password.

      string connectionstring = WebConfigurationManager.ConnectionStrings["userinfo.ConnectionString"].ConnectionString;
                string sqlstring;
                sqlstring = "Select UserName,Password from user  where UserName='" + 
Texboxusername.Text + "' and Password ='" + Textboxpassword.Text + "'";

                SqlConnection con = new SqlConnection(connectionstring);
                SqlCommand command = new SqlCommand(sqlstring, con);

                System.Data.SqlClient.SqlDataReader reader;

                // open a connection with sqldatabase
                con.Open();

                reader = command.ExecuteReader();

                if (reader.Read())//Reader.read() true if found in database
                {

        Response.Redirect("userHome.aspx");
        }
        con.close();

Second Solution is using Form Authentication.Add Login from toolbox to your login design page.Click it twice.İnside of it same code but instead Texboxusername.Text and Textboxpassword.Text use the Login.Username and Login.Password.

 if (reader.Read())
{ e.Authenticated = true;}
else{e.Authenticated=false;}

Lastly in Web.config add this inside somewhere <system.web> .. </system.web>;

   <forms loginUrl="login.aspx" defaultUrl="userHome.aspx" timeout="60"/>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>

After authenticated user will redirect automatically to defaultUrl and people can only access from loginUrl thanks to . And if you ever have an error about UnobtrusiveValidationMode. Add this inside <configuration>... </configuration>;

<add key="ValidationSettings:UnobtrusiveValidationMode" value="none"/>

Well i agree with Casey.Obviously you dont want to force yourself to learn but want to see result.But i like to give direct solutions because i am still a little and was lazy :p — YourSolutionPartner, Dec 06 '14 at 23:13

Checking database for username and password

2 Answers2