
I have a simple login page which I have created using ASP.NET C#. What I'm trying to do is retrieve the user level, assign it to a session and redirect to the appropriate page based on the level. But when I log in nothing happens. Below is my code. Can someone tell me what is wrong with my code?

    con.Open();
    com.CommandText = "Select * from deatls Where c_id = '" + TextBox1.Text + "' and password = '" + TextBox2.Text + "'";
    com.CommandType = CommandType.Text;
    com.Connection = con;

    SqlDataReader sqlread = com.ExecuteReader();

    if (sqlread.Read())
    {
        Session["level"] = sqlread["level"];
    }

    if ((int)Session["level"] == '1')
        Response.Redirect("customer_menu.aspx");

    if ((int)Session["level"] == '2')
        Response.Redirect("front.aspx");

    if ((int)Session["level"] == '3')
        Response.Redirect("manager.aspx");
    else
        Response.Redirect("login.aspx");

    con.Close();
4 Comments

  • That is some really security-flawed SQL code. Please don't use that in production; it is exactly what hackers exploit in SQL injection attacks. Commented Jul 11, 2013 at 17:46
  • Why not step through it with a debugger, check what the query is returning, check Session["level"] gets assigned, etc. Commented Jul 11, 2013 at 17:53
  • @LiveEn: What will happen if sqlread.Read() returns false? You need to test that case. Commented Jul 11, 2013 at 21:38
  • BTW, LiveEn... you should really take a look at the built-in security features of ASP.NET: Walkthrough: Using Forms Authentication in ASP.NET MVC. You are essentially rolling your own users and roles framework here. If you want to, as a learning exercise, then so be it. But there are better ways. Commented Jul 11, 2013 at 21:47

2 Answers

2

Your code is begging for a switch statement, like this:

switch (Session["level"].ToString())
{
    case "1":
        Response.Redirect("customer_menu.aspx");
        break;
    case "2":
        Response.Redirect("front.aspx");
        break;
    case "3":
        Response.Redirect("manager.aspx");
        break;
    default:
        Response.Redirect("login.aspx");
        break;
}

1 Comment

I totally agree. I would certainly use a switch statement here.
1

For starters, you are casting Session["level"] to an int and then checking for equality with a string (or attempting to). Secondly, you are using single quotes for the values you want to check. Does this code compile? Do you have exception handling? My guess is that it errors and does not run at all. Can you post the full code?

TheGeekYouNeed is right. You should first try removing the single quotes from the integer values you want to check.

4 Comments

The OP is checking an int against a char, not a string.
Also, this type of user auth query is typically avoided due to the possibility of SQL injection. You should read up a bit on that.
The single quotes need to be removed since the value is being cast to an int.
The single quotes were the mistake, fixed it now... Thanks :)
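Putting the comments together (a parameterized query instead of string concatenation, handling the case where no row matches, and comparing the level as an integer rather than a char), as an added example that is not code from the question or the answers; the helper class name, the connection string and the column sizes are assumptions, while the table and column names come from the question's query:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper, not from the question or answers.
public static class LoginHelper
{
    // Returns the user's level, or null when no row matches
    // (the sqlread.Read() == false case the comments say was never tested).
    public static int? GetUserLevel(string connectionString, string userId, string password)
    {
        using (var con = new SqlConnection(connectionString))
        using (var com = con.CreateCommand())
        {
            // The values travel as parameters, separate from the SQL text, so a
            // quote typed into TextBox1 or TextBox2 cannot alter the WHERE clause.
            com.CommandText = "SELECT [level] FROM deatls WHERE c_id = @id AND password = @pw";
            com.CommandType = CommandType.Text;
            com.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = userId;   // size is an assumption
            com.Parameters.Add("@pw", SqlDbType.NVarChar, 50).Value = password; // size is an assumption
            // This still compares a plaintext password column, as the original
            // query does; storing and comparing a salted hash is the usual next step.
            con.Open();
            object result = com.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null;
            // Convert instead of (int) cast: the boxed column value may be a
            // tinyint/smallint, and a direct unboxing cast would then throw.
            return Convert.ToInt32(result);
        }
    }

    // Unknown or missing levels go back to the login page, matching the
    // switch in the accepted answer.
    public static string PageForLevel(int? level)
    {
        switch (level)
        {
            case 1: return "customer_menu.aspx";
            case 2: return "front.aspx";
            case 3: return "manager.aspx";
            default: return "login.aspx";
        }
    }
}

// Usage from the page's click handler (connection string name is an assumption):
//   int? level = LoginHelper.GetUserLevel(connectionString, TextBox1.Text, TextBox2.Text);
//   if (level.HasValue) Session["level"] = level.Value;
//   Response.Redirect(LoginHelper.PageForLevel(level));
```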
