| Author |
Topic |
|
sharad.rk88
Starting Member
7 Posts |
Posted - 2010-09-22 : 09:26:03
|
| I am new to SQL programming. I was trying to create a webpage with a simple login form. The details of how I was trying to do it are specified below:
1> I created a table called credentials with two tables username and password
2> Then I used a select statement in my ASP.NET page (using C#, connection and all are working fine) which matches the username in table credentials and retrieves the corresponding password value
3> I used the sqldatareader to transfer the value retrieved to a string variable
4> Say that variable is string 'ss', and the password entered while logging in is stored in string 'sd' (from textbox2.text)
When I see the values of both the strings in messagebox they look alike. But when I match them using if(sd==ss) they don't match. The bool condition for ss.equals(sd) returns false. I am confused now. I need to know the reason and a solution for my problem. Thank you in advance for replying.
--Sharad |
|
|
rohitvishwakarma
Posting Yak Master
232 Posts |
Posted - 2010-09-22 : 09:30:02
|
| can you please post the select statement? |
 |
|
|
sharad.rk88
Starting Member
7 Posts |
Posted - 2010-09-22 : 09:34:44
|
| select password from credentials where username="textbox1.text"
and thanks for quick reply
--Sharad |
 |
|
|
rohitvishwakarma
Posting Yak Master
232 Posts |
Posted - 2010-09-22 : 09:36:52
|
| You are doing something like this:
SELECT password FROM credentials WHERE username = textbox1.Text // Textbox1 for username textbox.
string ss = password // used the sqldatareader to transfer the value retrieved to a string variable // Say that variable is string 'ss'
string sd = textbox2.Text // and the password entered while logging in is stored in string 'sd' (from textbox2.text)
<<when i see the values of both the strings in messagebox they look alike>>
????? Obviously both of them contain the password.
Can you please post the C# code as well? |
 |
|
|
rohitvishwakarma
Posting Yak Master
232 Posts |
Posted - 2010-09-22 : 09:39:30
|
quote: Originally posted by sharad.rk88
  The bool condition for ss.equals(sd) returns false. Sharad
Check the code for Messagebox. Maybe you are displaying one of the variables twice, e.g.:
alert('ss = '+ss+' sd = '+ss); |
 |
|
|
rohitvishwakarma
Posting Yak Master
232 Posts |
Posted - 2010-09-22 : 09:41:34
|
| Put a debug point at the statement if(sd==ss) in your code and check what values ss & sd contain. |
 |
|
|
sharad.rk88
Starting Member
7 Posts |
Posted - 2010-09-23 : 00:12:11
|
| I have called the message box twice, with ss once and sd once... both show the same value... but when I try to match them they are not matching... that's why I am confused... I even tried the ToString() function on the value retrieved from the database! I am posting my C# code below.. Thanks for the help!

    SqlCommand cmd = new SqlCommand("Select password from credentials where username='" + TextBox1.Text + "'", con);
    SqlDataReader reader = cmd.ExecuteReader();
    string s="";
    bool sss = reader.HasRows;
    reader.Read();
    s = reader.GetString(0);
    string ss = s.ToString();
    string sd = TextBox2.Text;
    bool equal = ss.Equals(sd);
    messagebox(equal.ToString());
    if (true)
    {
        string p1 = TextBox1.Text;
        Response.Redirect("default2.aspx?name=" + this.TextBox1.Text + "");
    }
    else
    {
        messagebox(sd);
        messagebox(ss);
        messagebox("Login failed");
    }

--Sharad |
 |
|
|
Ancy
Starting Member
23 Posts |
Posted - 2010-09-23 : 04:46:18
|
| Trim ss and sd and then try to match them. |
 |
|
|
sharad.rk88
Starting Member
7 Posts |
Posted - 2010-09-23 : 05:38:16
|
| Hey Ancy, great tip... worked like a charm... now I could build my own email client.. thanks very much... great help!!
--Sharad |
 |
|
|
jezemine
Master Smack Fu Yak Hacker
2886 Posts |
Posted - 2010-09-23 : 08:31:47
|
1. don't store passwords in plain-text in a database. instead store a 1-way hash of the password, and only compare hashes.
2. don't concat user input to make a sql statement, otherwise you are vulnerable to sql injection
3. don't connect using sa, particularly if you are building a site vulnerable to sql injection!
4. don't post your sa password on a public forum.

elsasoft.org |
 |
|
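An added example, not part of any post in this thread: one way to do the login check with a parameterized query and salted password hashes, as points 1 and 2 above recommend. It assumes .NET 6 or later, a connection opened under a low-privilege login, and hypothetical `salt` and `password_hash` columns on the `credentials` table; the class name, method names and iteration count are also assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

static class LoginCheck
{
    const int Iterations = 210_000;           // assumed work factor, tune for your hardware
    const int SaltBytes = 16, HashBytes = 32;

    // Derive the values to store when the account is created or the password changes.
    public static (byte[] Salt, byte[] Hash) HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        return (salt, Derive(password, salt));
    }

    // PBKDF2-HMAC-SHA256: slow, salted, one-way.
    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

    // Returns true only if the user exists and the password matches.
    public static bool Verify(SqlConnection con, string username, string password)
    {
        // Hypothetical columns: salt VARBINARY(16), password_hash VARBINARY(32).
        const string sql =
            "SELECT salt, password_hash FROM credentials WHERE username = @username";
        using (var cmd = new SqlCommand(sql, con))
        {
            // The value travels as a typed parameter, never as part of the SQL text,
            // so a quote character in the username cannot change the statement.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 100).Value = username;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;             // unknown user: no row to read
                byte[] salt = (byte[])reader["salt"];
                byte[] stored = (byte[])reader["password_hash"];
                byte[] candidate = Derive(password, salt);
                // Compare the hashes in constant time; no password string is ever compared.
                return CryptographicOperations.FixedTimeEquals(candidate, stored);
            }
        }
    }
}
```

Because only fixed-length binary hashes are stored and compared, the plain-text password never sits in the table and the check does not depend on how the database pads or trims string columns.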
|
blindman
Master Smack Fu Yak Hacker
2365 Posts |
Posted - 2010-09-24 : 16:53:48
|
| 5. Don't let your boss ever see this thread.
________________________________________________
If it is not practically useful, then it is practically useless.
________________________________________________ |
 |
|
|
|