
When I open the login page, it just displays that the user name is incorrect; it seems to be bypassing the code.

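// Login check: look the submitted username up in the users table, then compare the
// stored password with the submitted one and report the outcome via Response.Write.
//
// Both queries bind the username as the @username parameter. The text box content is
// untrusted input; concatenating it into the SQL text lets a crafted value alter the
// statement itself (SQL injection), whereas a parameter is always treated as data.
//
// NOTE(review): the stored password is compared as plain text, so it appears to be kept
// unhashed in the users table. Store a salted, slow hash (e.g. PBKDF2) and verify
// against that instead.
// NOTE(review): the separate "username"/"password" failure messages tell a caller which
// usernames exist; a single generic failure message avoids that.
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["regConnectionString"].ConnectionString))
{
    conn.Open();

    int temp;
    using (SqlCommand com = new SqlCommand("select count(*) from users where username = @username", conn))
    {
        com.Parameters.AddWithValue("@username", usernametxt.Text);
        temp = Convert.ToInt32(com.ExecuteScalar());
    }

    // Exactly one matching row is required; 0 (unknown user) and >1 (duplicate rows)
    // both fall through to the "username is not correct" branch.
    if (temp == 1)
    {
        object storedPassword;
        using (SqlCommand passComm = new SqlCommand("select password from users where username = @username", conn))
        {
            passComm.Parameters.AddWithValue("@username", usernametxt.Text);
            storedPassword = passComm.ExecuteScalar();
        }

        // ExecuteScalar yields null when the row is gone and DBNull.Value when the column
        // is NULL. Treat both as a failed login: converting them to "" would let an empty
        // submitted password match an account that has no password set.
        bool passwordMatches = false;
        if (storedPassword != null && storedPassword != DBNull.Value)
        {
            // NOTE(review): Replace(" ", "") presumably compensates for CHAR(n) padding, but
            // it also strips interior spaces, so a password containing a space can never
            // match. Confirm the column type; TrimEnd() would be the narrower fix.
            string password = storedPassword.ToString().Replace(" ", "");
            passwordMatches = password == passwordtxt.Text;
        }

        if (passwordMatches)
        {
            Session["New"] = usernametxt.Text;
            Response.Write("password is correct");
        }
        else
        {
            Response.Write("password is not correct");
        }
    }
    else
    {
        Response.Write("username is not correct");
    }
}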
J. Steen
Jade Laird
  • What is your problem _exactly_? What is the value of `temp` when you debug your code? You should **always** use [parameterized queries](http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/). This kind of string concatenation is open to [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection) attacks. Also use a `using` statement to dispose of your SQL connection and command. And don't store your passwords as plain text. Read: http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database – Soner Gönül Apr 13 '15 at 10:41
  • I know, it's just for a uni project; it's not going live or anything. I was following a tutorial on YouTube. I think it's 0 – Jade Laird Apr 13 '15 at 10:44
  • You _think_? Why don't you debug your code and see? If it is `0`, don't you think it is normal to always show `username is not correct`, since `0` is not equal to `1`? – Soner Gönül Apr 13 '15 at 10:46
  • I'm new to this and don't really understand it; that was the code in the tutorial, and it doesn't set temp to a value. What I'm trying to do is log in: I've typed the correct details, so should it not say password is correct? – Jade Laird Apr 13 '15 at 10:48

1 Answer


Going by your code snippet, the first thing I can suggest is to check the users table to see whether the username you are passing exists or has multiple entries, since the `if (temp == 1)` condition is not being satisfied.

First, debug your code.

BrainCoder