
The code does connect to the database and actually checks the username (number), and then an exception occurs when it gets to verifying the password: a null reference is thrown.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["Intellicell_CallCentreConnectionString"].ConnectionString);
        conn.Open();

        string checkuser = "SELECT COUNT(*) FROM Debtors WHERE MobilePhone='" + txtMobilePhone.Text + "'";
        SqlCommand cmd = new SqlCommand(checkuser, conn);

        int temp = Convert.ToInt32(cmd.ExecuteScalar().ToString());
        conn.Close();
        if (temp == 1)
        {
            conn.Open();
            string CheckPasswordQuery = "SELECT IDNumber from Debtors WHERE MobilePhone='" + txtPassword.Text + "'";
            SqlCommand passCmd = new SqlCommand(CheckPasswordQuery, conn);
            string password =  passCmd.ExecuteScalar().ToString().Replace(" ","");
            conn.Close();
            if (password == txtPassword.Text)
            {
                Session["New"] = txtMobilePhone.Text;
                Response.Write("Password is correct!");
                Response.Redirect("Home.aspx");
            }
            else
            {
                Response.Write("Password is not correct!");
            }
        }
        else
        {
            Response.Write("Please Provide valid Login details!");
        }
    }
}

it is on line

string password =  passCmd.ExecuteScalar().ToString().Replace(" ",""); 

that it breaks.

klashar
Tumelo
  • Are you sure your query returns `IDNumber`? Have you ever tried this query in SQL Server? Looks like it does **not**, and that's why `ExecuteScalar` returns `null` and `ToString` throws an NRE. Also, you should always use [parameterized queries](http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/). This kind of string concatenation is open to [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection) attacks. Use a `using` statement to dispose of your connection and command as well. – Soner Gönül Nov 06 '15 at 08:40
  • As a final thing, **do not store your passwords as plain text**. Read: [Best way to store password in database](http://stackoverflow.com/q/1054022/447156) – Soner Gönül Nov 06 '15 at 08:43
  • Soner, appreciate the links for the SQL Injection post. ;) – Tumelo Nov 06 '15 at 09:06
  • Soner, I wish I could upvote your comment a thousand times. Way too few people realize the importance of this. – Nzall Nov 06 '15 at 10:12
  • @NateKerkhofs Exactly. People should use these points as a best practice _all the time_. – Soner Gönül Nov 06 '15 at 10:23

3 Answers


I suggest, if you want to write ad hoc SQL, use string.Format.

It's clean

string checkuser = string.Format("SELECT COUNT(*) FROM Debtors WHERE MobilePhone='{0}'", txtMobilePhone.Text);

Secondly, you can use the using syntax, in order to clean up your connection properly.

Aghilas Yakoub

I think, in the second SQL, you are using txtPassword.Text instead of txtMobilePhone.Text.

Serif Emek
  • The reason it points to the mobile one is because it makes sure that it's the same user that it matched the username to. – Tumelo Nov 06 '15 at 09:05
  • Then the exception means it didn't. So it should be part of your control logic. Your check in the first SQL doesn't guarantee you will find a row, because you are comparing the same field with different values. You may need to review the password check part. – Serif Emek Nov 06 '15 at 09:10

The question is why you are getting the null exception; see this: https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.executescalar(v=vs.110).aspx

In summary, ExecuteScalar returns null (not a DBNull) if no rows are found, hence passCmd.ExecuteScalar().ToString().Replace(" ",""); null-references, as it's null.ToString().

Your global logic looks flawed, so it's hard to suggest exactly what to do, but passCmd.ExecuteScalar()?.ToString().Replace(" ","") will suppress the exception.

tolanj
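The following is an added example, not code from the question or from any of the answerers. It puts Soner Gönül's comments (parameterized query, `using` blocks, no plain-text passwords) and tolanj's answer (`ExecuteScalar` returns `null` when no row matches, `DBNull.Value` when the column is NULL) into one login helper for the page's `Debtors` table. It assumes a `PasswordHash VARBINARY(48)` column holding a 16-byte random salt followed by a 32-byte PBKDF2-SHA256 hash; the page's table has no such column (it stores `IDNumber` in clear text), so that column, the 100,000-round parameter and the `DebtorLogin` class name are all assumptions of this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example: hardened replacement for the two concatenated queries in btnLogin_Click.
public static class DebtorLogin
{
    private const int SaltBytes = 16;     // random salt stored in front of the hash (assumed layout)
    private const int HashBytes = 32;     // PBKDF2-SHA256 output length
    private const int Iterations = 100000; // assumed work factor

    // Builds the value to store in the assumed PasswordHash column at registration time.
    public static byte[] CreateStoredHash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        byte[] hash = Derive(password, salt);
        byte[] stored = new byte[SaltBytes + HashBytes];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltBytes);
        Buffer.BlockCopy(hash, 0, stored, SaltBytes, HashBytes);
        return stored;
    }

    // Returns true only when a row matches the mobile number and the password verifies.
    // One parameterized query replaces both concatenated queries from the question.
    public static bool Verify(string connectionString, string mobilePhone, string password)
    {
        object result;
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash FROM Debtors WHERE MobilePhone = @mobile", conn))
        {
            // The input is bound as a typed parameter, never spliced into the SQL text.
            cmd.Parameters.Add("@mobile", SqlDbType.NVarChar, 20).Value = mobilePhone;
            conn.Open();
            result = cmd.ExecuteScalar();
        } // connection and command are disposed here even if an exception is thrown

        // null  -> no row matched (this is the case that threw the NRE in the question)
        // DBNull -> the row exists but PasswordHash is NULL (account has no password set)
        if (result == null || result == DBNull.Value)
            return false;

        return VerifyAgainstStored((byte[])result, password);
    }

    // Recomputes the hash with the stored salt and compares in fixed time.
    public static bool VerifyAgainstStored(byte[] stored, string password)
    {
        if (stored == null || stored.Length != SaltBytes + HashBytes)
            return false;

        byte[] salt = new byte[SaltBytes];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltBytes);
        byte[] candidate = Derive(password, salt);

        // XOR-accumulate so the loop always runs over every byte regardless of where
        // the first mismatch is; a plain == on strings would exit early.
        int diff = 0;
        for (int i = 0; i < HashBytes; i++)
            diff |= candidate[i] ^ stored[SaltBytes + i];
        return diff == 0;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        // The HashAlgorithmName overload exists on .NET Framework 4.7.2+ and .NET Core/.NET 5+;
        // on older frameworks only the SHA-1 constructor is available.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
}
```

In `btnLogin_Click` this reduces the body to a single call such as `if (DebtorLogin.Verify(ConfigurationManager.ConnectionStrings["Intellicell_CallCentreConnectionString"].ConnectionString, txtMobilePhone.Text, txtPassword.Text)) { Session["New"] = txtMobilePhone.Text; Response.Redirect("Home.aspx"); }`, with a single generic failure message for both "no such user" and "wrong password" so the response does not reveal which mobile numbers exist.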