Hii friends

I am creating a web application Now there are only two users who will login to the system
the two users are Admin and staff

When Admin logins he is directed to Admin.aspx
and when staff login he is directed to Staff.aspx

I have created a database Table in which I have four fields

ID,UserName,passWord,User_type

for admin it is 1,Admin,Admin,Administrator

and for staff it is 2,Staff,Staff,StaffUser

How can i do this ,,,Uptil now I have created a simple login page the code is as follows...

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionstring"].ConnectionString);
        con.Open();
        string cmdStr = "select count(*) from Registration where UserName='"+TextBox1.Text+"'";
        SqlCommand Checkuser = new SqlCommand(cmdStr, con);
        int temp = Convert.ToInt32(Checkuser.ExecuteScalar().ToString());
        if (temp == 1)
        {
            string cmdStr2 = "Select password from Registration where UserName='"+TextBox1.Text+"'";
            SqlCommand pass = new SqlCommand(cmdStr2, con);
            string password = pass.ExecuteScalar().ToString();
           
           
            con.Close();

            
            if (password == TextBox2.Text)
            {
                Session["New"] = TextBox1.Text;
                Response.Redirect("Secure.aspx");

            }
            else
            {
                Label1.Visible = true;
                Label1.Text = "Invalid Password";

            }
        }
            else
            {
                 Label1.Visible = true;
                Label1.Text = "Invalid UserName";

            }
        
           
       
        }
    }

There are a few things in your code, that personally don't like, maybe a few friends in daniweb can help you too, I don't know how important is the security for this particular application but it sounds too me that if you are trying to distinct one user from another, it is indeed important.
1) When you login, you don't say that the login or the password is wrong, you just say the credentials either the password or login are incorrect. so if that is ok then you don't need the first statement when you verify if the user exists.
2) You don't usually retrieve your password from the database instead you send the input password to the database to be verify.
If I were you I will rewrite my code like this, and that's not even good secure either.

SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["RegConnectionstring"].ConnectionString);
string cmdStr = "select User_Type from Registration where UserName='"+TextBox1.Text+"' AND passWord = '"+TextBox2.Text+"'";
SqlCommand cmd = New SqlCommand(cmdStr, con);
con.Open();
Object TypeUser = cmd.ExecuteScalar();
con.Close();
if(TypeUser != null)
{
   Label1.Visible = false;
   Label1.Text = "";
   if(TypeUser.ToString() == "Administrator")
      Response.Redirect("Administrator.aspx");
   else
      Response.Redirect("StaffMember.aspx");
}
else
{
   Label1.Visible = true;
   Label1.Text = "Invalid Credentials Entered, Try again";
}

assuming you just have two types of users.

Edited 5 Years Ago by jbisono: n/a

All right What if I have more than 2 users...also how to implement security in my code????

Use a switch statement to differentiate between your user types.

The code above is secure enough for most cases, however, you may want to think about data encryption such as SHA and MD5.

This article has been dead for over six months. Start a new discussion instead.