unleashed-my-freedom
Starting Member
Singapore
5 Posts
Posted - 10/15/2011 : 20:55:58
    string username = TextBox1.Text;
    string password = TextBox2.Text;
    OleDbConnection connection = null;
    OleDbCommand command = null;
    OleDbDataReader dataReader = null;
    try
    {
        string connectionString = ConfigurationManager.ConnectionStrings["ChatDBConnectionString"].ConnectionString;
        connection = new OleDbConnection(connectionString);
        connection.Open();
        // prepare sql statements (user input is concatenated straight into the query text)
        string sql = "SELECT * from Staff where username='" + username + "'And Password='" + password + "'";
        command = new OleDbCommand(sql, connection);
        dataReader = command.ExecuteReader();
        // session is only populated if at least one row came back
        while (dataReader.Read())
        {
            username = dataReader.GetString(3);
            Session.Add("username", username);
        }
        dataReader.Close();
    }
    catch (Exception ex)
    {
        Response.Write(ex.Message);
    }
    // cleanup object
    finally
    {
        if (connection != null)
            connection.Close();
    }
How do I change the OLE DB connection to a SQL connection?
judy
GilaMonster
Flowing Fount of Yak Knowledge
South Africa
4507 Posts
Posted - 10/15/2011 : 21:36:51
Assuming this is .NET, look at the SQLDataClient class.
-- Gail Shaw SQL Server MVP
unleashed-my-freedom
Starting Member
Singapore
5 Posts
Posted - 10/16/2011 : 00:27:16
What do you mean?
judy
GilaMonster
Flowing Fount of Yak Knowledge
South Africa
4507 Posts
Posted - 10/16/2011 : 01:25:41
quote: Originally posted by unleashed-my-freedom
What do you mean?
I mean 'open up the documentation, browse to the section on the SQLDataClient class and read up on that class'.
-- Gail Shaw SQL Server MVP
unleashed-my-freedom
Starting Member
Singapore
5 Posts
Posted - 10/16/2011 : 02:05:21
    string username = TextBox1.Text;
    string password = TextBox2.Text;
    SqlConnection connection = null;
    SqlCommand command = null;
    SqlDataReader dataReader = null;
    try
    {
        string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
        connection = new SqlConnection(connectionString);
        connection.Open();
        // prepare sql statements (user input is concatenated straight into the query text)
        string sql = "SELECT * from Staff where username='" + username + "'And Password='" + password + "'";
        command = new SqlCommand(sql, connection);
        dataReader = command.ExecuteReader();
        // session is only populated if at least one row came back
        while (dataReader.Read())
        {
            username = dataReader.GetString(3);
            Session.Add("username", username);
        }
        dataReader.Close();
    }
    catch (Exception ex)
    {
        Response.Write(ex.Message);
    }
    // cleanup object
    finally
    {
        if (connection != null)
            connection.Close();
    }
    // reached whether or not a row matched
    Response.Redirect("./default.aspx");
I tried changing from OLE DB to SQL. May I know if it is correct?
judy
GilaMonster
Flowing Fount of Yak Knowledge
South Africa
4507 Posts
Posted - 10/16/2011 : 02:23:37
Did you try it? Did it throw errors? Did you consult the documentation?
-- Gail Shaw SQL Server MVP
unleashed-my-freedom
Starting Member
Singapore
5 Posts
Posted - 10/16/2011 : 02:39:27
Actually, I have created a registration page for users to sign up for an account, and a database to store all the information such as username and password. I have also created a login page for users to log in after creating an account. How do I link the database between these two pages?
judy
GilaMonster
Flowing Fount of Yak Knowledge
South Africa
4507 Posts
Posted - 10/16/2011 : 02:49:14
I just noticed something:
quote: string sql = "SELECT * from Staff where username='" + username + "'And Password='" + password + "'";
This is an open invitation to SQL injection. You're asking to be hacked and hacked badly. That should be a stored procedure call and should be correctly parameterised. If it can't be a procedure, it should still be parameterised.
-- Gail Shaw SQL Server MVP
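An added example, not code posted in this thread, that puts the concatenated query beside a parameterised System.Data.SqlClient query and a stored-procedure call, and only redirects when a row actually matched (the thread's handler redirects after the finally block no matter what the reader returned). The Staff table, the username and Password columns, the ConnectionString name and the TextBox1/TextBox2 controls come from the thread; the stored procedure dbo.Staff_Login, the handler name LoginButton_Click and the Label1 control are assumptions.

```csharp
// Added example, not code from this thread. It puts the concatenated query beside
// a parameterised SqlClient query and a stored-procedure call, and only redirects
// when a row actually matched. Assumed: the hypothetical procedure dbo.Staff_Login,
// the handler name LoginButton_Click and a Label1 control for the error message.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class StaffLogin
{
    // The shape used in the thread. Shown only to make the injection visible.
    // With username = "x' OR '1'='1' --" and any password the SQL text becomes
    //   SELECT * from Staff where username='x' OR '1'='1' --' And Password='...'
    // so the password check is commented out and every Staff row matches.
    public static string VulnerableSql(string username, string password)
    {
        return "SELECT * from Staff where username='" + username +
               "' And Password='" + password + "'";
    }

    // Parameterised query: the input travels as typed parameter values, never as
    // SQL text, so a quote or "--" inside it stays data. Returns the stored
    // username on success, null when no row matched.
    public static string LoginParameterised(string connectionString, string username, string password)
    {
        const string sql =
            "SELECT username FROM Staff WHERE username = @username AND Password = @password";
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            command.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            connection.Open();
            object result = command.ExecuteScalar();   // null when the result set is empty
            return result == null ? null : (string)result;
        }
    }

    // Stored-procedure call, the form GilaMonster recommends. Assumes (hypothetically):
    //   CREATE PROCEDURE dbo.Staff_Login @username nvarchar(50), @password nvarchar(128) AS
    //       SELECT username FROM dbo.Staff WHERE username = @username AND Password = @password;
    public static string LoginStoredProcedure(string connectionString, string username, string password)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand("dbo.Staff_Login", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            command.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            connection.Open();
            object result = command.ExecuteScalar();
            return result == null ? null : (string)result;
        }
    }
}

// Code-behind for the login page. TextBox1/TextBox2 are the thread's controls;
// Label1 and the handler name are assumed. The thread's handler redirected after
// the finally block regardless of the result, which is why a wrong password still
// "logged in"; here the redirect happens only when a username came back.
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string connectionString =
            ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
        string user;
        try
        {
            user = StaffLogin.LoginParameterised(connectionString, TextBox1.Text, TextBox2.Text);
        }
        catch (SqlException)
        {
            // Do not echo ex.Message to the browser; it reveals schema and server details.
            Label1.Text = "Login is temporarily unavailable.";
            return;
        }
        if (user == null)
        {
            Label1.Text = "Invalid username or password.";
            return;
        }
        Session["username"] = user;
        Response.Redirect("./default.aspx");
    }
}
```

Two caveats the thread does not reach: under SQL Server's default case-insensitive collation the `Password = @password` comparison also accepts a differently cased password unless that column uses a case-sensitive or binary collation, and comparing the typed password directly only makes sense while the registration page stores it as plaintext, which it should not; parameterisation stops the injection but does nothing about how the password is stored.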
unleashed-my-freedom
Starting Member
Singapore
5 Posts
Posted - 10/16/2011 : 03:05:47
What should I do to prevent it? I'm trying to log in as a registered user, but even when the password is wrong, users are still able to log in. How do I solve this error?
judy
afrika
Flowing Fount of Yak Knowledge
Nigeria
2702 Posts
Posted - 10/23/2011 : 04:51:56
Well, like GilaMonster said, your code is very wrong (bad practice) to put the SQL string like that.
I would advise you to either use LINQ, Entity Framework or a stored procedure. See my post here:
http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=166467
jassi.singh
Posting Yak Master
122 Posts
Posted - 10/23/2011 : 05:19:54
Definitely you have coded incorrectly; please post the code written on the login click button.
Please mark answer as accepted if it helped you.
Thanks, Jassi Singh
afrika
Flowing Fount of Yak Knowledge
Nigeria
2702 Posts
Posted - 10/23/2011 : 13:26:21
quote: Originally posted by jassi.singh
Definitely you have coded incorrectly; please post the code written on the login click button.
Please mark answer as accepted if it helped you.
Thanks, Jassi Singh
How do you mark as answer? lol