login based on role doesn't authenticate admin

Question

So I am trying to redirect each user based on their role I have user and admin both login from the same page, but in my case it only authenticates the user but not the admin. it displays my "you have entered invalid username or password" message. Any thoughts. Thanks

here is my code

protected void Button1_Click(object sender, EventArgs e)
{
    con.Open();
    SqlCommand cmd = con.CreateCommand();
    cmd.CommandType = CommandType.Text;
    cmd.CommandText = "select * from registration where email='"+ TextBox1.Text+"' and password='"+TextBox2.Text+"'";
    cmd.ExecuteNonQuery();
    DataTable dt = new DataTable();
    SqlDataAdapter da = new SqlDataAdapter(cmd);
    da.Fill(dt);
    tot = Convert.ToInt32(dt.Rows.Count.ToString());

    if (tot > 0)
    {
        if (Session["checkoutbutton"] == "yes")
        {
            Session["user"] = TextBox1.Text;
            Response.Redirect("update_order_details.aspx");
        }
        else
        {
            Session["user"] = TextBox1.Text;
            Response.Redirect("order_details.aspx");
        }

    }
    else
    {
        Label1.Text = "Invalid email or password";
    }
    con.Close();

    con.Open();
    SqlCommand cmd1 = con.CreateCommand();
    cmd1.CommandType = CommandType.Text;
    cmd1.CommandText = "select * from admin_login where username='" + TextBox1.Text + "' and password='" + TextBox2.Text + "' ";
    cmd1.ExecuteNonQuery();
    DataTable dt1 = new DataTable();
    SqlDataAdapter da1 = new SqlDataAdapter(cmd);
    da1.Fill(dt);
    i = Convert.ToInt32(dt.Rows.Count.ToString());
    if (i == 1)
    {
        Session["admin"] = TextBox1.Text;
        Response.Redirect("add_product.aspx");
    }
    else
    {
        Label1.Text = "you have entered invalid username or password";
    }
    con.Close();
}

`ExecuteNonQuery` is the wrong method to use here. What made you choose that one? You should probably use `ExecuteScalar`, with a SQL statement starting with `select count(*) ` rather than `select *`. https://stackoverflow.com/questions/4269548/executenonquery-for-select-sql-statement-returning-no-rows — Nick.Mc, Sep 26 '17 at 11:02

score 1 · Answer 1 · answered Sep 26 '17 at 10:58

1

if (i == 1)
    {
        Session["admin"] = TextBox1.Text;
        Response.Redirect("add_product.aspx");
    }
    else
    {
        Label1.Text = "you have entered invalid username or password";
    }

Did you check if there are more then 1 or 0 rows?

answered Sep 26 '17 at 10:58

TheSkimek

334
1
7

basically admin has his own table which has his name and password only and there is only one admin so one row yes. Users on the other hand are on a different table – Ozeus Sep 26 '17 at 11:01

Karthick Raju · Accepted Answer · 2017-09-26T11:17:15.370

0

You are wrongly passing the cmd object for admin, it should be cmd1. also the datatable should be dt1 not dt for admin

int i;
con.Open();
SqlCommand cmd1 = con.CreateCommand();
cmd1.CommandType = CommandType.Text;
cmd1.CommandText = "select count(*) from admin_login where username='" + TextBox1.Text + "' and password='" + TextBox2.Text + "' ";
i = cmd1.ExecuteScalar();
if (i == 1)
{
    Session["admin"] = TextBox1.Text;
    Response.Redirect("add_product.aspx");
}
else
{
    Label1.Text = "you have entered invalid username or password";
}
con.Close();

edited Sep 26 '17 at 11:17

answered Sep 26 '17 at 11:05

Karthick Raju

757
8
29

1

Can you even load a datatable out of executenonquery? – Nick.Mc Sep 26 '17 at 11:08
Thank you, I did not notice that. Updated the answer now. – Karthick Raju Sep 26 '17 at 11:19

login based on role doesn't authenticate admin

2 Answers2