C# – How to validate username and password using ASP.NET and SQL Server

asp.netc

I'm trying to write an asp.net code in C# which will basically have a login page with username and pass. If I enter username and pass as "admin" it will open the Admin.aspx.

Likewise for "employee" it's employee.aspx and for "manager" it's manager.aspx.

I have written quite a bit but stuck at the end.. please help how to open the appropriate page.. The username and password are stored in a database and I have to match it with the database

protected void Button1_Click(object sender, EventArgs e)
{
     SqlConnection con = new SqlConnection("Data Source=(local);Initial Catalog=payroll;Integrated Security=True");
     SqlCommand cmd = new SqlCommand("Select employeeid FROM employees WHERE username='" + TextBox1.Text + "'and password='"+TextBox2.Text+"'", con);

     cmd.CommandType = CommandType.Text;
     cmd.Parameters.AddWithValue("@username", TextBox1.Text);
     cmd.Parameters.AddWithValue("@password", TextBox2.Text);

     con.Open();

     SqlDataReader dr = cmd.ExecuteReader();

     if (dr.Read())                         //I'M WRONG FROM HERE ONWARDS.
     {
        Response.Redirect("Admin.aspx"); 
     }

     con.Close();
     dr.Close();
}

Best Answer

You should:

REALLY use parametrized query to avoid SQL injection and other messy business
put all your disposable objects like SqlConnection and SqlCommand into using(...) { ... } blocks
read both the employeeid and the role of the employee to make the decision where to jump off to
avoid using AddWithValue which has its drawbacks (see )
ALSO: you should NOT store your passwords in CLEAR TEXT in your table! You should ALWAYS hash & salt your password - no exception

Try this code:

protected void Button1_Click(object sender, EventArgs e)
{
    // define your connection string (typically from a .config file) and your query WITH parameters!
    string connectionString = "Data Source=(local);Initial Catalog=payroll;Integrated Security=True";
    string query = "SELECT employeeid, role FROM employees WHERE username=@user AND and password=@pwd;";

    // set up a connection and command in using() blocks
    using (SqlConnection con = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand(query, con))
    {
        // add parameters and set their values
        cmd.Parameters.Add("@user", SqlDbType.VarChar, 50).Value = TextBox1.Text;
        cmd.Parameters.Add("@pwd", SqlDbType.VarChar, 50).Value = TextBox2.Text;

        // open connection
        con.Open();

        // establish data reader
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            // if at least one row is returned....  
            if (dr.Read()) 
            {  
                // get employee ID and role from the reader
                string employeeId = dr.GetFieldValue<string>(0);
                string role = dr.GetFieldValue<string>(1);

                // depending on role, jump off to various pages
                switch (role)
                {
                    case "admin":
                       Response.Redirect("Admin.aspx"); 
                       break;

                    case "manager":
                       Response.Redirect("manager.aspx"); 
                       break;

                    default:
                       Response.Redirect("employee.aspx"); 
                       break;
                    }
                } 
                else
                {
                   // what do you want to do if NO ROW was returned? E.g. user/pwd combo is wrong
                }

            dr.Close();
        }    

        con.Close();
    }
}

Related Solutions

C# – How to create an Excel (.XLS and .XLSX) file in C# without installing Microsoft Office

You can use a library called ExcelLibrary. It's a free, open source library posted on Google Code:

ExcelLibrary

This looks to be a port of the PHP ExcelWriter that you mentioned above. It will not write to the new .xlsx format yet, but they are working on adding that functionality in.

It's very simple, small and easy to use. Plus it has a DataSetHelper that lets you use DataSets and DataTables to easily work with Excel data.

ExcelLibrary seems to still only work for the older Excel format (.xls files), but may be adding support in the future for newer 2007/2010 formats.

You can also use EPPlus, which works only for Excel 2007/2010 format files (.xlsx files). There's also NPOI which works with both.

There are a few known bugs with each library as noted in the comments. In all, EPPlus seems to be the best choice as time goes on. It seems to be more actively updated and documented as well.

Also, as noted by @АртёмЦарионов below, EPPlus has support for Pivot Tables and ExcelLibrary may have some support (Pivot table issue in ExcelLibrary)

Here are a couple links for quick reference:
ExcelLibrary - GNU Lesser GPL
EPPlus - GNU (LGPL) - No longer maintained
EPPlus 5 - Polyform Noncommercial - Starting May 2020
NPOI - Apache License

Here some example code for ExcelLibrary:

Here is an example taking data from a database and creating a workbook from it. Note that the ExcelLibrary code is the single line at the bottom:

//Create the data set and table
DataSet ds = new DataSet("New_DataSet");
DataTable dt = new DataTable("New_DataTable");

//Set the locale for each
ds.Locale = System.Threading.Thread.CurrentThread.CurrentCulture;
dt.Locale = System.Threading.Thread.CurrentThread.CurrentCulture;

//Open a DB connection (in this example with OleDB)
OleDbConnection con = new OleDbConnection(dbConnectionString);
con.Open();

//Create a query and fill the data table with the data from the DB
string sql = "SELECT Whatever FROM MyDBTable;";
OleDbCommand cmd = new OleDbCommand(sql, con);
OleDbDataAdapter adptr = new OleDbDataAdapter();

adptr.SelectCommand = cmd;
adptr.Fill(dt);
con.Close();

//Add the table to the data set
ds.Tables.Add(dt);

//Here's the easy part. Create the Excel worksheet from the data set
ExcelLibrary.DataSetHelper.CreateWorkbook("MyExcelFile.xls", ds);

Creating the Excel file is as easy as that. You can also manually create Excel files, but the above functionality is what really impressed me.

C# – Validate a username and password against Active Directory

If you work on .NET 3.5 or newer, you can use the System.DirectoryServices.AccountManagement namespace and easily verify your credentials:

// create a "principal context" - e.g. your domain (could be machine, too)
using(PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
{
    // validate the credentials
    bool isValid = pc.ValidateCredentials("myuser", "mypassword");
}

It's simple, it's reliable, it's 100% C# managed code on your end - what more can you ask for? :-)

Read all about it here:

Update:

As outlined in this other SO question (and its answers), there is an issue with this call possibly returning True for old passwords of a user. Just be aware of this behavior and don't be too surprised if this happens :-) (thanks to @MikeGledhill for pointing this out!)

Best Answer

Related Solutions

C# – How to create an Excel (.XLS and .XLSX) file in C# without installing Microsoft Office

C# – Validate a username and password against Active Directory

Related Topic