
I am trying to store userid in session but failed to do so. Please view the code below:

String query = "select count (*) from USERINFO where USERID='" + textuserid.ToString() + "' and USERNAME='" + textusername.Text + "' and MVerifyPass='" + textpassword.Text + "'";

SqlCommand cmd = new SqlCommand(query, con);

String output = cmd.ExecuteScalar().ToString();

if (output == "1")
{
    Session["userid"] = textuserid;
    Session["User"] = textusername.Text;
    Response.Redirect("~/app/Dashboard.aspx");
}
else
{
    Response.Write("Your User ID and Password is wrong!");
}

How can I store the userid in the session and convert the varchar into int?

Any help will be highly appreciated.

    Probably you have forgotten to use the property Value when using the textuserid HiddenField control, i.e. _textuserid.Value.ToString()_. But this is not your main problem here. Concatenating strings in this way allows your user to type anything in these textboxes, even valid SQL commands that could wreak havoc with your database. Look at how SQL injection is used and how a parameterized query fixes this great problem – Steve Feb 23 '19 at 20:36

1 Answer


If your textuserid is a HiddenField control, then, when you apply ToString() to the variable name, you get back the name of the class, not the value of the control. And this is the reason behind your error message. The database engine sees a string like 'System.Web.UI.WebControls.HiddenField' when it expects an integer value.
This could be easily fixed using the Value property of the HiddenField control, but I recommend that you forget this approach and use a parameterized query.

// Placeholders instead of concatenated text: the typed values never become part of the SQL.
String query = @"select count (*) from USERINFO 
                 where USERID=@uid and USERNAME=@name and MVerifyPass=@pass";
SqlCommand cmd = new SqlCommand(query, con);
// Typed parameters; the HiddenField's Value (not the control itself) is converted to int.
cmd.Parameters.Add("@uid", SqlDbType.Int).Value = Convert.ToInt32(textuserid.Value);
cmd.Parameters.Add("@name", SqlDbType.NVarChar).Value = textusername.Text;
cmd.Parameters.Add("@pass", SqlDbType.NVarChar).Value = textpassword.Text;
String output = cmd.ExecuteScalar().ToString();
if (output == "1")
{
    // Store the control's value in the session, not the control.
    Session["userid"] = textuserid.Value;
    Session["User"] = textusername.Text;
    Response.Redirect("~/app/Dashboard.aspx");
}
else
{
    Response.Write("Your User ID and Password is wrong!");
}

Parameterized queries are the only reasonable way to avoid SQL injection and parsing errors.

  • Thank you @Steve! It's a great help and understanding that you have given. – OZIE Feb 23 '19 at 20:56
  • Now it's giving an error "Input string was not in a correct format." – OZIE Feb 23 '19 at 20:59
  • Are you sure that textuserid contains a valid integer value? This happens with Convert.ToInt32 if the input is not a number (even a blank string is not a number) – Steve Feb 23 '19 at 21:03
  • Also I don't understand why you need the UserId check in your query. Usually, when checking for a valid account you verify only the username and the password because it is not allowed to have two accounts with the same username – Steve Feb 23 '19 at 21:06
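
Added example, not part of the original question or answer: the same login query run against an in-memory SQLite database from Python, standing in for the page's C#/SQL Server code, so the difference between the concatenated query and the parameterized one can be observed directly. The USERINFO table and its single row are constructed for the demonstration, sqlite3's `?` placeholders take the place of SqlCommand's `@uid`/`@name`/`@pass`, and `parse_user_id` is an assumed helper that plays the role of int.TryParse for the "Input string was not in a correct format" case raised in the comments.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed USERINFO table (the question's three columns)
    in memory. Assumption: one test user, id 7, password stored as text
    exactly as the page's query compares it."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE USERINFO (USERID INTEGER, USERNAME TEXT, MVerifyPass TEXT)"
    )
    con.execute("INSERT INTO USERINFO VALUES (7, 'alice', 's3cret')")
    con.commit()
    return con


def parse_user_id(raw):
    """Counterpart of int.TryParse: return an int, or None when the field is
    blank, not numeric, or (as in the question) a control's type name.
    Convert.ToInt32 would throw for these inputs instead."""
    try:
        return int(str(raw).strip())
    except ValueError:
        return None


def login_concatenated(con, userid, username, password):
    """The question's query, built the way the question builds it
    (string concatenation). Kept only to show the problem: any quote in
    the input becomes part of the SQL statement."""
    query = (
        "select count(*) from USERINFO where USERID='" + userid
        + "' and USERNAME='" + username
        + "' and MVerifyPass='" + password + "'"
    )
    return con.execute(query).fetchone()[0] == 1


def login_parameterized(con, userid, username, password):
    """The answer's approach: placeholders in the SQL, values bound
    separately, and the user id validated as an integer beforehand."""
    uid = parse_user_id(userid)
    if uid is None:
        return False  # reject a bad id instead of throwing on conversion
    query = (
        "select count(*) from USERINFO "
        "where USERID=? and USERNAME=? and MVerifyPass=?"
    )
    return con.execute(query, (uid, username, password)).fetchone()[0] == 1


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker input: closes the USERNAME literal and comments
    # out the password check, so the concatenated query ignores the password.
    injected = "alice' --"
    print("concatenated, wrong password:", login_concatenated(db, "7", injected, "wrong"))
    print("parameterized, same input:  ", login_parameterized(db, "7", injected, "wrong"))
    print("parameterized, real creds:  ", login_parameterized(db, "7", "alice", "s3cret"))
```

With the username `alice' --` and a wrong password, the concatenated version returns true and the parameterized one returns false, because the bound value is compared as a literal string rather than parsed as SQL. The concatenated version also throws a syntax error on an ordinary apostrophe in the password (the "parsing errors" the answer mentions), which the parameterized version handles without special casing. Note that the page's query compares MVerifyPass to the typed password directly, so the stored value is the plaintext password; the example keeps that only to match the page, and in practice the column should hold a salted password hash that is verified in application code.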