How to use one TextBox and multiple validations? I tried this:

private Boolean checkemail() // for checking email in database
{
    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);//sql connection string
    Boolean emailavailable = false;
    // the textbox value is concatenated straight into the SQL text (see the comments below on this)
    String myquery = "Select * from [test].[dbo].[MYFORM] where email='"+ TXTEmail.Text+"'";

    SqlCommand cmd = new SqlCommand();
    cmd.CommandText = myquery;
    cmd.Connection = conn;
    SqlDataAdapter da = new SqlDataAdapter();
    da.SelectCommand = cmd;
    DataSet ds = new DataSet(); //dataset
    da.Fill(ds);
    if (ds.Tables[0].Rows.Count > 0)
    {
        emailavailable = true;
    }
    conn.Close();
    return emailavailable;
}

C# code for the email check in the database.

Selim Yildiz
  • If you are hitting the DB then it's not client-side validation...!! Is it? – Prateek Shrivastava Feb 25 '20 at 05:50
  • What will happen if `TXTEmail` contains `abc@example.com'; DROP DATABASE [test];--`? – vasily.sib Feb 25 '20 at 05:51
  • For general format validation you can use Regex in javascript. But if you want to validate stuff like Contact / Email already in use/registered. Then from the relevant case fire a async call to server and verify. – Prateek Shrivastava Feb 25 '20 at 05:52
  • @vasily.sib - Then....He prays that the code is running with lesser privileges :D – Prateek Shrivastava Feb 25 '20 at 05:53
  • You can validate while you are taking input from the user, I mean client side; then you could cross-check in the back end as well. – Md Farid Uddin Kiron Feb 25 '20 at 05:53
  • If your question is more about SQL: you can read about the OR condition in SQL. – Prateek Shrivastava Feb 25 '20 at 05:56
  • Please see this question and change your code to avoid `SQL Injection` attacks: https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work . For your validations, you can use `Data Annotations` if you are using `Model` based binding, otherwise use client-side validation using `JQuery` with `regex`. – Rahul Sharma Feb 25 '20 at 05:58
  • TXTEmail is my textbox name, where I should be able to check the user's email or contact number, and check whether this email or contact is present in my database `test`; my table name is `myform`. – vishal bhagure Feb 25 '20 at 06:02

1 Answer

First point: let's get back to the basics: JS validation

Server side validation is performed by a web server, after input has been sent to the server.

Client side validation is performed by a web browser, before input is sent to a web server.

For example: client-side validation would include email formatting (is it a valid email?) and checks like empty fields that the server needs, etc.

Server side validation would check that the email is not yet used in another form by another user (like your case here) and it occurs in your backend system.

Second point: SQL injection. As mentioned in the comments, use parameters for SQL sanitization. It's a pretty basic exploit.

private Boolean checkemail() // for checking email in database
{
    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);//sql connection string
    Boolean emailavailable = false;
    // @email is a placeholder; the user's text never becomes part of the SQL statement itself
    String myquery = "Select * from [test].[dbo].[MYFORM] where email = @email";

    SqlCommand cmd = new SqlCommand();
    cmd.Parameters.Add("@email", SqlDbType.Text);
    cmd.Parameters["@email"].Value = TXTEmail.Text; // sent to SQL Server as a typed value, not as query text
    cmd.CommandText = myquery;
    cmd.Connection = conn;
    SqlDataAdapter da = new SqlDataAdapter();
    da.SelectCommand = cmd;
    DataSet ds = new DataSet(); //dataset
    da.Fill(ds);
    if (ds.Tables[0].Rows.Count > 0)
    {
        emailavailable = true;
    }
    conn.Close();
    return emailavailable;
}

Third point: Multiple checks

If I understand what you are saying, you want to query with two parameters. Use the SQL OR operator like this:

String myquery = "Select * from [test].[dbo].[MYFORM] where email = @email or contact = @contact";
cmd.Parameters.Add("@email", SqlDbType.Text);
cmd.Parameters["@email"].Value = TXTEmail.Text;
// the same textbox holds either an email or a contact number, so both parameters get its value
cmd.Parameters.Add("@contact", SqlDbType.Text);
cmd.Parameters["@contact"].Value = TXTEmail.Text;

Athanasios Kataras
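The answer's three points (server-side checks, parameterized SQL, and the OR lookup against both columns) put together in one self-contained class. This is an added example, not the answer's or the asker's code; it assumes the table and column names from the question (`[test].[dbo].[MYFORM]` with `email` and `contact` columns), a caller that supplies the connection string, and that the single textbox value is passed in as a plain string. The format check is a hypothetical minimal one and is repeated on the server regardless of what the browser validated.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net.Mail;
using System.Text.RegularExpressions;

public static class RegistrationChecks
{
    // Table and column names taken from the question; the query references one
    // parameter twice, which SqlClient allows since the parameter is declared once.
    private const string ExistsQuery =
        "SELECT COUNT(*) FROM [test].[dbo].[MYFORM] WHERE email = @value OR contact = @value";

    // Server-side format check. Client-side JavaScript can be bypassed, so the
    // same rule is enforced here before the database is touched. (Assumed rule:
    // either a 7-15 digit contact number with optional leading '+', or an address
    // that System.Net.Mail.MailAddress accepts with no display-name part.)
    public static bool LooksLikeEmailOrPhone(string input)
    {
        if (string.IsNullOrWhiteSpace(input)) return false;
        input = input.Trim();
        if (input.Length > 254) return false; // keeps within the parameter size below

        if (Regex.IsMatch(input, @"^\+?[0-9]{7,15}$")) return true;

        try
        {
            // MailAddress also parses "Name <a@b.com>"; comparing Address to the
            // raw input rejects that form.
            return new MailAddress(input).Address == input;
        }
        catch (FormatException)
        {
            return false;
        }
    }

    // Returns true when the value already exists in either column. The value
    // travels as a typed parameter, so quotes or semicolons in it are data, not SQL.
    public static bool IsAlreadyRegistered(string connectionString, string input)
    {
        if (!LooksLikeEmailOrPhone(input)) return false;

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(ExistsQuery, conn))
        {
            // NVarChar with an explicit size avoids the deprecated Text type and
            // gives the query plan a stable parameter type.
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 254).Value = input.Trim();
            conn.Open();
            int count = (int)cmd.ExecuteScalar();
            return count > 0;
        }
    }
}

// Usage from a page or controller (connection string read from configuration):
//   string cs = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
//   bool taken = RegistrationChecks.IsAlreadyRegistered(cs, TXTEmail.Text);
```

Because the check runs on the server it belongs in the same request handler that would write the row; if the format check fails, respond with a validation error rather than querying, and if `IsAlreadyRegistered` returns true, reject the registration. The `using` blocks dispose the connection and command even when `ExecuteScalar` throws, which the original `conn.Close()` at the end of the method does not guarantee.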