Velocity Reviews > Newsgroups > Programming > ASP .Net > Problem with login code

Problem with login code

 
 
Justin
09-14-2004
I am trying to create a very simple login page that asks for an email address
and password and compares the password entered to the password in the
accounts table to authenticate the user. I get the following error when
trying to use ExecuteReader():

System.Data.SqlClient.SqlException: The column prefix 'asmussen@cableone'
does not match with a table name or alias name used in the query.

string mySelectQuery = "SELECT AccountID, Email, Password FROM Accounts WHERE Email = " + Email.Text;

System.Data.SqlClient.SqlCommand myCommand = new System.Data.SqlClient.SqlCommand(mySelectQuery, sqlConnection1);

sqlConnection1.Open();
myReader = myCommand.ExecuteReader();

// Read() has to be called to move the reader onto the first row before
// any column is indexed; the column value is cast to string so the
// comparison is by value, not by reference.
if (myReader.Read() && Password.Text == (string)myReader["Password"])
{
    Session["Login"] = myReader["Email"];
    Session["AccountID"] = myReader["AccountID"];
}
else
{
    lblStatus.Text = "Login Failed";
}

myReader.Close();
sqlConnection1.Close();

Any ideas?
Thanks, Justin.
 
Steve C. Orr [MVP, MCSD]
09-14-2004
Quotes need to go around the string parameter in your query.
So your first line needs to look like this:
string mySelectQuery = "SELECT AccountID, Email, Password FROM Accounts WHERE Email = '" + Email.Text + "'";

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net




Mark Fitzpatrick
09-14-2004
Justin,
You may want to look into adding parameters to your query (check out
the SqlParameter object). When you create a string on the fly for a query
and pass it to a command object it's probably subject to a SQL Injection
Attack, which means a moderately skilled hacker could get all the user
accounts by adding some carefully crafted SQL statements into your Email
textbox and have them displayed for him right from your system.

Hope this helps,
Mark Fitzpatrick
Microsoft MVP - FrontPage

Justin
09-15-2004
Thanks for the help guys. I put quotes around the variable but the results
remain the same. Why does the last part of the email get chopped off (should be
(E-Mail Removed), not asmussen@cableone)?

I haven't tried using parameters yet; can you point me to more info or a
tutorial on using select parameters?

Thanks, Justin.

James Thomas
09-15-2004
Try this:

In SQL:

CREATE PROC getLoginInfo
@Email nvarchar(50)
AS
SELECT
AccountID,
Email,
Password
FROM
Accounts
WHERE
Email = @Email

---
In code:
SqlCommand cmd = new SqlCommand();

cmd.CommandText = "getLoginInfo";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Connection = new SqlConnection(<connection string>);

// bind the textbox value as a typed parameter instead of concatenating it
cmd.Parameters.Add("@Email", SqlDbType.NVarChar);
cmd.Parameters["@Email"].Value = Email.Text;

There's an easier way to do this, but it requires special casting when
an integer parameter is 0 that I would just as soon not do.

However, it is done like this:
cmd.Parameters.Add("@Email", Email.Text);

Then read from your data reader as normal.

That may not compile but it will get you started anyway.

James

Justin wrote:

> I haven't tried using parameter yet, can you point to more info. or a
> tutorial on using select parameters?

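A parameterized version of the login lookup, added here as an illustration and not code from any poster in the thread. It assumes an Accounts table with the columns used above (AccountID as int, Email, Password) and a connection string supplied by the caller; the email is bound as an NVarChar(50) parameter to match the @Email nvarchar(50) in James's stored procedure, so the textbox value never becomes part of the SQL text, and Read() is called before the reader is indexed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginLookup
{
    // Returns the AccountID on success, or null when no row matched or the
    // password differs. The connection string and the Accounts schema
    // (AccountID int, Email, Password) are assumptions for this example.
    public static int? Authenticate(string connectionString, string email, string password)
    {
        const string sql =
            "SELECT AccountID, Email, Password FROM Accounts WHERE Email = @Email";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Bind the user-supplied value as typed data, not as SQL text.
            // NVarChar(50) matches the @Email size of the stored procedure
            // suggested in the thread; size it to the real column.
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 50).Value = email;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Read() positions the reader on the first row; indexing the
                // reader before that throws.
                if (!reader.Read())
                    return null;

                // "as string" yields null for DBNull instead of throwing.
                string stored = reader["Password"] as string;

                // Ordinal comparison by value: (string == object) in C# would
                // compare references and never match.
                if (stored == null || !string.Equals(stored, password, StringComparison.Ordinal))
                    return null;

                return (int)reader["AccountID"];
            }
        }
    }
}
```

In the page code, put the returned AccountID and the email into Session on success and show "Login Failed" otherwise; the concatenated query and its quoted variant from earlier in the thread remain injectable because the input still becomes part of the SQL text.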
 