0

I am creating a web app in mvc 5 in my login form i have 2 textboxes, one button and one span in which if a user provide wrong information then the text should be visible

    <div style="margin-top:20px;">
        <span>
            <select style="width:275px; height:45px; font-size:15px; font-family:Verdana;" class="ddl">
                <option>Select Your Role</option>
                <option>Super Admin</option>
                <option>Admin</option>
                <option>Company</option>
                <option>Unit</option>
                <option selected="selected">Trainer</option>
                <option>Employee</option>
                <option>Partner Manager</option>
                <option>Regional Partner Manager</option>
                <option>Assistant Partner Manager</option>
                <option>Zonal Partner Manager</option>
                <option>LLT</option>
            </select>
        </span>
    </div>
<div class="col-xs-offset-0" style="margin-top:15px;">
    <span>
        <input type="text" id="txtusrname" class="ddl txtbo" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Username" />
    </span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
    <span>
        <input type="text" class="ddl txtbo" id="txtpass" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Password" />
    </span>
</div>
    <div class="imagediv" style="">

        <input id="btnerp" type="button" class="btn btn-default btnspacererp" style="" width="200" height="34" value="Login" />
    </div>
   <div class="" style="margin-top:20px; Width:auto; Height:34px; margin-left:-20px;">
   <span style="font-size:14px; visibility:hidden; font-family:Verdana; color:red;">Incorrect Login Credential!!!!</span> 
   </div>

and i am passing all login information from webservice and my webservice will check (dropdownlist, username and password) if the information provided by user that is(dropdownlist, username and password) is correct ten the page should redircted to welcome page or else it should show the span message

[WebMethod]
    public string getlogintype(string role, string username, string password)
    {
        SqlConnection con = new SqlConnection("connectionstring");
        List<object> login = new List<object>();
    if (role == "Admin" || role == "Super Admin")
    {
        SqlCommand cmd = new SqlCommand("select * from [admin] where userid='" + username + "' and pass ='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            fals = null;
            tru = "true";
            //HttpContext.Current.Session["tru"] = tru.ToString();
            // want to redirect to welcome page if condition satisfied.
        }
        else
        {
            tru = null;
            fals = "false";
            //want to show the label error message(declare as string errormsg)
        }
        con.Close();
    }
    else if (role == "Company")
    {
        SqlCommand cmd = new SqlCommand("select * from companydetails where comid='" + username + "' and pass='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            tru = "true";
        }
        else
        {
            fals = "false";
        }
        con.Close();
    }
    else if (role == "Unit")
    {
        SqlCommand cmd = new SqlCommand("select * from companyallot where email='" + username + "' and password='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            tru = "true";
        }
        else
        {
            fals = "false";
        }
        con.Close();
    }
    else if (role == "Trainer")
    {
        SqlCommand cmd = new SqlCommand("select * from trainerdetails where trid='" + username + "' and pass='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            tru = "true";
        }
        else
        {
            fals = "false";
        }
        con.Close();
    }
    else if (role == "Employee")
    {
        SqlCommand cmd = new SqlCommand("select * from employee details where empid='" + username + "' and pass='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            tru = "true";
        }
        else
        {
            fals = "false";
        }
        con.Close();
    }
    else if (role == "Partner Manager")
    {
        SqlCommand cmd = new SqlCommand("select * from trainerdetails where trid='" + username + "' and pass='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        SqlDataReader dr = cmd.ExecuteReader();
        while (dr.Read())
        {
            strname = dr["empname"].ToString();
        }
        con.Close();
        con.Open();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            SqlCommand cmdvalid = new SqlCommand("select comname from companydetails where pm='" + strname + "'", con);
            SqlDataAdapter davalid = new SqlDataAdapter(cmdvalid);
            DataSet ds = new DataSet();
            davalid.Fill(ds);
            if (ds.Tables[0].Rows.Count != 0)
            {
                tru = "true";
            }
            else
            {
                fals = "false";
            }
        }
        con.Close();
    }
    else if (role == "Regional Partner Manager")
    {
        SqlCommand cmd = new SqlCommand("select * from trainerdetails where trid='" + username + "' and pass='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        SqlDataReader dr = cmd.ExecuteReader();
        while (dr.Read())
        {
            strname = dr["empname"].ToString();
        }
        con.Close();
        con.Open();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            SqlCommand cmdvalid = new SqlCommand("select trainer from rpmallot where trainer='" + strname + "'", con);
            SqlDataAdapter davalid = new SqlDataAdapter(cmdvalid);
            DataSet ds = new DataSet();
            davalid.Fill(ds);
            if (ds.Tables[0].Rows.Count != 0)
            {
                tru = "true";
            }
            else
            {
                fals = "false";
            }
        }
        con.Close();
    }
    else if (role == "Assistant Partner Manager")
    {
        SqlCommand cmd = new SqlCommand("select * from trainerdetails where trid='" + username + "' and pass='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        SqlDataReader dr = cmd.ExecuteReader();
        while (dr.Read())
        {
            strname = dr["empname"].ToString();
        }
        con.Close();
        con.Open();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            SqlCommand cmdvalid = new SqlCommand("select apm from companydetails where apm='" + strname + "'", con);
            SqlDataAdapter davalid = new SqlDataAdapter(cmdvalid);
            DataSet ds = new DataSet();
            davalid.Fill(ds);
            if (ds.Tables[0].Rows.Count != 0)
            {
                tru = "true";
            }
            else
            {
                fals = "false";
            }
        }
        con.Close();
    }
    else if (role == "Zonal Partner Manager")
    {
        SqlCommand cmd = new SqlCommand("select * from trainerdetails where trid='" + username + "' and pass='" + password + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataTable dt = new DataTable();
        SqlDataReader dr = cmd.ExecuteReader();
        while (dr.Read())
        {
            strname = dr["empname"].ToString();
        }
        con.Close();
        con.Open();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            SqlCommand cmdvalid = new SqlCommand("select trainer from zonerpm where trainer='" + strname + "'", con);
            SqlDataAdapter davalid = new SqlDataAdapter(cmdvalid);
            DataSet ds = new DataSet();
            davalid.Fill(ds);
            if (ds.Tables[0].Rows.Count != 0)
            {
                tru = "true";
            }
            else
            {
                fals = "false";
            }
        }
        con.Close();
    }
    else if (role == "LLT")
    {
        SqlCommand cmd = new SqlCommand("select * from trainerdetails where trid='" + username + "' and pass='" + password + "' and type='" + role + "'", con);
        con.Open();
        SqlDataAdapter da = new SqlDataAdapter();
        DataTable dt = new DataTable();
        da.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            tru = "true";
        }
        else
        {
            fals = "false";
        }
        con.Close();
    }
    string finalreturn = "";
    if(fals=="false")
    {
        finalreturn = fals.ToString();

    }
    else if(tru=="true")
    {
        finalreturn = tru.ToString();
    }
    return finalreturn.ToString();
}

}

this web service will return true if user information is true and false if the provided username,password or role is false then the information will be pass to the action result page where i have three string (username, password, role) i want to take all his login information in a session and redirect the user to welcome page

public ActionResult Login(string role, string username, string password)
{
    //required code
}

this is my actionresult, what i need to pass here to authenticate and redirect it to welcome page

  • From where you are calling `getlogintype()` ? – A_D Sep 26 '16 at 07:29
  • ` webservice.loginservice a= new webservice.loginservice(); a.getlogintype(role, username, password); return View();` @ADarnal this is how i am calling, please do correct me –  Sep 26 '16 at 12:25

2 Answers2

0
  1. You should use an ajax request to pass the form to the web service.
  2. If the webservice returns true, then submit the form to the controller.

Though most importantly, if your form is submitting directly to that method you posted, then it is open to sql injection meaning your validation routine isn't really secure even in the most basic sense.

Check out paramatised Sql Commands to close that vuln down.

Community
  • 1
  • 1
timkly
  • 793
  • 6
  • 14
  • sir @timkly how about passing from angular js? –  Sep 26 '16 at 08:38
  • I havent used angular but I assume it would be pretty straight forward and there should be an example on SO which demonstrates a POST to a server and then a redirect from the response – timkly Sep 27 '16 at 00:11
  • no I cant find anything on internet regarding this :/ –  Sep 27 '16 at 06:29
  • no offence but the internet is full of examples of how to post a form to URL with Angular, this is literally the first result on Google for 'angular post form' https://scotch.io/tutorials/submitting-ajax-forms-the-angularjs-way and it shows you how to do that. – timkly Sep 27 '16 at 06:58
0

Try this.Need to submit the form using Html.BeginForm and request is processed by the action method.From there(action method) call getlogintype().Based on the returned value of getlogintype() set message or string in ViewBag and pass that to view using ViewBag.Message.

  @using (Html.BeginForm("Login", "ControllerName", FormMethod.Post ))
          {
<div style="margin-top:20px;">
        <span>
            <select style="width:275px; height:45px; font-size:15px; font-family:Verdana;" class="ddl" name="roleSelect">
                <option>Select Your Role</option>
                <option>Super Admin</option>
                <option>Admin</option>
                <option>Company</option>
                <option>Unit</option>
                <option selected="selected">Trainer</option>
                <option>Employee</option>
                <option>Partner Manager</option>
                <option>Regional Partner Manager</option>
                <option>Assistant Partner Manager</option>
                <option>Zonal Partner Manager</option>
                <option>LLT</option>
            </select>
        </span>
    </div>
<div class="col-xs-offset-0" style="margin-top:15px;">
    <span>
        <input type="text" id="txtusrname" class="ddl txtbo" name="txtusrname" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Username" />
    </span>
</div>
<div class="col-xs-offset-0" style="margin-top:15px;">
    <span>
        <input type="text" class="ddl txtbo" id="txtpass" name="txtpass" style="width:275px; height:45px; font-size:15px; font-family:Verdana;" placeholder="Password" />
    </span>
</div>
    <div class="imagediv" style="">

        <input id="btnerp" type="button" class="btn btn-default btnspacererp" style="" width="200" height="34" value="Login" />
    </div>
    <div style="margin-top:20px; Width:auto; Height:34px; margin-left:-20px;">

   <span style="font-size:14px;font-family:Verdana; color:red;">@ViewBag.Message</span> 
   </div>
}

Controller

public ActionResult Login()
        {

            return View();
        }


[HttpPost]
public ActionResult Login(FormCollection form)
{
    string role = form["roleSelect"];
    string username = form["txtusrname"];
    string password = form["txtpass"];
    webservice.loginservice a= new webservice.loginservice()
    string xyz = a.getlogintype(role, username, password);
    if(xyz== "true")
    {
      return RedirectToAction("Welcome_ActionMethod", "Welcome_Controller");

    }
   else
    {
      ViewBag.Message = "Incorrect Login Credential!!!!";
       return View();
    }  
}
A_D
  • 189
  • 1
  • 8