Dim con As SqlConnection
con = New SqlConnection("server=chinna; uid=sa; pwd=136018@h; database=icms")
con.Open()
Dim cmd As SqlCommand
cmd = New SqlCommand("select pass from personal where idno=" & TextBox1.Text, con)
cmd.CommandType = CommandType.Text
Dim rdr As SqlDataReader
rdr = cmd.ExecuteReader
If rdr.Read() Then
TextBox2.Text = rdr.ToString()
Response.Redirect("default.aspx")
Else
MsgBox("incorrect password")
End If
You have a SQL injection vulnerability. – SLaks, Apr 29, 2011 at 14:21
What problems are you facing? You give very little information, although you can already spot some error, but more information wouldn't be a bad thing. – Ruben, Apr 29, 2011 at 14:21
You should name your textboxes. – SLaks, Apr 29, 2011 at 14:23
Do not store passwords in plain text! – SLaks, Apr 29, 2011 at 14:24
I would also remove your username and password. I have done it, but it is forever in the history of these edits :( – Dustin Laine, Apr 29, 2011 at 16:30
7 Answers
Use ExecuteScalar instead of ExecuteReader.
Dim password As String
password = cmd.ExecuteScalar.ToString()
FYI, storing passwords in plain text and comparing like this is VERY bad practice. You should be encrypting the passwords with some one-way salted encryption and then doing the same on verification then comparing the encrypted values.
2 Comments
Dustin Laine
Yes, but then you should be iterating through the reading, not just dumping it to a string.
pseudocoder
+1 for sticking to the answer and only commenting on the (OMG VERY) bad coding practices later.
Should be
cmd = New SqlCommand("select pass from personal where idno='" & TextBox1.Text & "'", con)
Beyond that, the code seems to be for ASP.NET. We cannot execute MsgBox in VB.NET in a way that appears in the client browser.
1 Comment
pstrjds
Putting in the quotes will make it work, but leaves a SQL injection attack vulnerability. If the text in the text box contains a ', then you could be in real trouble, i.e. the text "test';DROP TABLE personal;GO'"
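A hardened version of the lookup from the question, as an added example that is not code from the question or from any of the answers: the id is bound as a SqlParameter instead of being concatenated into the query, the value is read from the reader's columns rather than via rdr.ToString(), and the row stores a salted PBKDF2 hash instead of the plain-text password. The LoginCheck class, the column names pass_hash and pass_salt, and the 100,000 iteration count are assumptions.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

' Hypothetical replacement for the login check in the question (not code from the
' page). Assumed schema: personal(idno INT, pass_hash VARBINARY(32), pass_salt
' VARBINARY(16)), with pass_hash = PBKDF2(password, pass_salt) instead of the
' plain-text "pass" column.
Public Class LoginCheck
    Private Const Iterations As Integer = 100000   ' assumed work factor

    ' Derive a 32-byte hash from the password and its salt with PBKDF2.
    Public Shared Function HashPassword(password As String, salt As Byte()) As Byte()
        Dim kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
        Return kdf.GetBytes(32)
    End Function

    ' Compare two byte arrays without stopping at the first mismatching byte.
    Private Shared Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' True only if idText names a row whose stored hash matches the candidate password.
    ' The id is bound as a typed parameter, so user input never becomes SQL text.
    Public Shared Function VerifyPassword(con As SqlConnection, idText As String, candidate As String) As Boolean
        Dim idno As Integer
        If Not Integer.TryParse(idText, idno) Then Return False   ' reject non-numeric ids early

        Using cmd As New SqlCommand("SELECT pass_hash, pass_salt FROM personal WHERE idno = @idno", con)
            cmd.CommandType = CommandType.Text
            cmd.Parameters.Add("@idno", SqlDbType.Int).Value = idno
            Using rdr As SqlDataReader = cmd.ExecuteReader()
                ' rdr.ToString() would only return the type name; read the columns instead.
                If Not rdr.Read() Then Return False   ' unknown id: same outcome as a wrong password
                Dim storedHash As Byte() = CType(rdr("pass_hash"), Byte())
                Dim salt As Byte() = CType(rdr("pass_salt"), Byte())
                Return FixedTimeEquals(HashPassword(candidate, salt), storedHash)
            End Using
        End Using
    End Function
End Class
```

On a True result the page should still record the login in the Session before redirecting, otherwise the redirect target remains reachable by typing its URL directly.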
What is your error or are you just getting a null for rdr?
I don't see an output parameter. You need one. You only have an input parameter.
1 Comment
mellamokb
You don't need an output parameter to get the result of a SELECT query. The results of the query are the output.
- You need to somehow mark that the user was logged in, using a Session variable or a login identity. Otherwise, anyone can go to the logged-in version of the page by simply navigating directly to it.
- MsgBox() is not valid in ASP.NET, because it would display a message on the server, not on the client. Try using a Label on the page to display error messages by setting its text.
- What is the problem you are having? Does it just "not work"? Does it not validate your password correctly? Do you get an exception of some sort? Can you post the results?