0

This is my code inside my button Login Click. I would like to know how I can retrieve records from the database for the user that is currently logged in, from any of the web forms that proceed the login form, or what command I insert into a select statement to be able to select the username of the currently logged in user.

using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

protected void btnLogin_Click(object sender, EventArgs e)
{
    var CS = ConfigurationManager.ConnectionStrings["TupperwareDemAppConnString1"].ConnectionString;

    using (SqlConnection con = new SqlConnection(CS))
    {
        // Parameterised lookup: the typed values reach SQL Server as parameters, not as statement text.
        var cmd = new SqlCommand(@"SELECT * FROM [USER] WHERE userName = @txtUserName AND userPassword = @txtuserPassword", con);
        cmd.Parameters.Add(new SqlParameter("@txtUserName", txtUsername.Text));
        cmd.Parameters.Add(new SqlParameter("@txtuserPassword", txtPassword.Text));
        con.Open();
        var sda = new SqlDataAdapter(cmd);
        var dt = new DataTable();
        sda.Fill(dt);

        // A matching row means the entered username/password pair exists in [USER].
        if (dt.Rows.Count != 0)
        {
            if (CheckBox1.Checked)
            {
                // "Remember me": the username and password themselves are written to two cookies for 15 days.
                // The cookie name must be the same when setting Value and Expires ("PWord" in both places).
                Response.Cookies["UName"].Value = txtUsername.Text;
                Response.Cookies["PWord"].Value = txtPassword.Text;

                Response.Cookies["UName"].Expires = DateTime.Now.AddDays(15);
                Response.Cookies["PWord"].Expires = DateTime.Now.AddDays(15);
            }
            else
            {
                // Not remembered: expire both cookies so the browser discards them.
                Response.Cookies["UName"].Expires = DateTime.Now.AddDays(-1);
                Response.Cookies["PWord"].Expires = DateTime.Now.AddDays(-1);
            }
        }
    }
}
Kadir
Tevin
  • You have more serious problems. Passwords should *never* be stored as cleartext. They should be salted, hashed multiple times using a cryptographically strong algorithm. Only the hash should be stored in the database. ASP.NET, all versions, have built-in authentication mechanisms that do this correctly. There's no reason to write your own code for this – Panagiotis Kanavos Apr 04 '19 at 10:33
  • And they never store the *username/password* as cookies on the browser. It's way too easy for malicious scripts to read that. It could be malware on the client's machine, or a Javascript injected into your site. – Panagiotis Kanavos Apr 04 '19 at 10:35
  • As for filtering data per user, if you use ASP.NET's authentication, you already know who the user is and can access it. [This SO question](https://stackoverflow.com/questions/5417125/how-to-get-current-user-whos-accessing-an-asp-net-application) has answers that show how this is done in both WebForms and MVC. – Panagiotis Kanavos Apr 04 '19 at 10:39
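The comments above point at two changes: compare against a salted, iterated hash instead of the stored password, and let ASP.NET track who is logged in instead of writing credentials to cookies. The following is an added example, not the asker's code, of btnLogin_Click restructured that way, using PBKDF2 through Rfc2898DeriveBytes (the HashAlgorithmName overload needs .NET Framework 4.7.2 or later) and Forms Authentication for the remember-me checkbox. The connection string name and the control names come from the question; the columns passwordSalt, passwordHash and iterations, the lblMessage label and the PasswordHasher class are assumptions.

```csharp
// Added example, not the original question's code. Assumed schema:
// [USER](userId, userName, passwordSalt, passwordHash, iterations); assumed control lblMessage.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

public partial class Login : System.Web.UI.Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string cs = ConfigurationManager.ConnectionStrings["TupperwareDemAppConnString1"].ConnectionString;

        // Fetch only the verifier material for this username; the password never goes to SQL Server.
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT passwordSalt, passwordHash, iterations FROM [USER] WHERE userName = @userName", con))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = txtUsername.Text;
            con.Open();

            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Same message for unknown user and wrong password, so the response does not reveal which.
                if (!reader.Read())
                {
                    lblMessage.Text = "Invalid username or password.";
                    return;
                }

                byte[] salt = (byte[])reader["passwordSalt"];
                byte[] storedHash = (byte[])reader["passwordHash"];
                int iterations = (int)reader["iterations"];

                if (!PasswordHasher.Verify(txtPassword.Text, salt, iterations, storedHash))
                {
                    lblMessage.Text = "Invalid username or password.";
                    return;
                }
            }
        }

        // Forms Authentication issues a signed, HttpOnly ticket carrying only the username.
        // The checkbox becomes the ticket's persistence flag instead of a 15-day cleartext cookie.
        FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, CheckBox1.Checked);
    }
}

// Assumed helper (not from the question): PBKDF2-SHA256 with a per-user random salt.
public static class PasswordHasher
{
    private const int SaltSize = 16;
    private const int HashSize = 32;

    // Called at registration: produces the salt and hash to store in [USER].
    public static void Create(string password, int iterations, out byte[] salt, out byte[] hash)
    {
        salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            hash = kdf.GetBytes(HashSize);
        }
    }

    // Called at login: recompute with the stored salt and iteration count, compare in constant time.
    public static bool Verify(string password, byte[] salt, int iterations, byte[] expected)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            return FixedTimeEquals(actual, expected);
        }
    }

    // Compares every byte regardless of where the first mismatch is, so timing does not leak the prefix.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

RedirectFromLoginPage only does something useful when web.config has `<authentication mode="Forms">` with a loginUrl; from then on every page can read the logged-in name from `User.Identity.Name` without any cookie handling of its own. Storing the iteration count alongside the hash lets you raise it later for new or re-hashed accounts without breaking existing rows.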

1 Answer

-1

Store the user id in a session variable (loggedInUserId) and pass it in the where condition. You can get the data into the DataTable.

using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public void BindData()
{
    // Assumed, as the answer text describes: the id was put in Session["loggedInUserId"] at login,
    // and the connection uses the connection string from the question.
    string loggedInUserId = Convert.ToString(Session["loggedInUserId"]);
    SqlConnection con = new SqlConnection(
        ConfigurationManager.ConnectionStrings["TupperwareDemAppConnString1"].ConnectionString);

    // The id is concatenated into the statement text rather than bound as a parameter.
    SqlDataAdapter sda = new SqlDataAdapter("SELECT * FROM [USER] WHERE userId='" + loggedInUserId + "'", con);
    DataTable dt = new DataTable();
    sda.Fill(dt);
}
Panagiotis Kanavos
Nirav Vasoya
  • Hello SQL injection. That's *worse* than what the OP posted, at least that code didn't allow SQL injection even though it stored the password as cleartext – Panagiotis Kanavos Apr 04 '19 at 10:31
  • In any case, ASP.NET already has authentication mechanisms, already provides the user's identity, even as properties in the `Request` or `HttpContext` object itself. – Panagiotis Kanavos Apr 04 '19 at 10:36
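The per-user lookup the answer describes, as an added example rather than the answer's own code: the key is bound as a typed SqlParameter instead of being concatenated into the statement, and the current user is taken from `User.Identity.Name` when Forms Authentication is configured, with a second method reading `Session["loggedInUserId"]` for the case the answer proposes. The Dashboard page name, the GridView1 control and the userName/userId columns of [USER] are assumptions; the connection string name is the question's.

```csharp
// Added example, not the answer's code. Assumed: a Dashboard.aspx page with a GridView1,
// [USER] having userName (nvarchar) and userId (int) columns, Forms Authentication enabled.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

public partial class Dashboard : System.Web.UI.Page
{
    private static readonly string Cs =
        ConfigurationManager.ConnectionStrings["TupperwareDemAppConnString1"].ConnectionString;

    protected void Page_Load(object sender, EventArgs e)
    {
        // With <authentication mode="Forms">, ASP.NET has validated the ticket and filled
        // User.Identity before Page_Load runs; nothing here reads cookies directly.
        if (!User.Identity.IsAuthenticated)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        if (!IsPostBack)
        {
            GridView1.DataSource = RowsForUser(User.Identity.Name);
            GridView1.DataBind();
        }
    }

    // Rows belonging to the named user. The value travels as a parameter, so whatever
    // characters it contains, the statement the server compiles never changes.
    public static DataTable RowsForUser(string userName)
    {
        var dt = new DataTable();
        using (var con = new SqlConnection(Cs))
        using (var cmd = new SqlCommand("SELECT * FROM [USER] WHERE userName = @userName", con))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            using (var sda = new SqlDataAdapter(cmd))
            {
                sda.Fill(dt); // SqlDataAdapter opens and closes the connection itself
            }
        }
        return dt;
    }

    // Same idea when the key is an integer kept in Session, as the answer proposes.
    // Converting to int first rejects anything that is not a number before SQL sees it.
    public DataTable RowsForSessionUser()
    {
        object raw = Session["loggedInUserId"];
        if (raw == null)
        {
            throw new InvalidOperationException("No logged-in user id in session.");
        }
        int userId = Convert.ToInt32(raw);

        var dt = new DataTable();
        using (var con = new SqlConnection(Cs))
        using (var cmd = new SqlCommand("SELECT * FROM [USER] WHERE userId = @userId", con))
        {
            cmd.Parameters.Add("@userId", SqlDbType.Int).Value = userId;
            using (var sda = new SqlDataAdapter(cmd))
            {
                sda.Fill(dt);
            }
        }
        return dt;
    }
}
```

Of the two sources, the identity from the authentication ticket is the more robust: a Session value disappears when the session times out or the worker process recycles, while the ticket is validated on every request and is what `User.Identity.Name` reflects on every page of the site.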