when user login it will check if user exist in database or not
what is wrong with this code

 Dim a As New System.Data.DataView
        Dim b As New System.Web.UI.DataSourceSelectArguments
        Dim usname As String
        Dim password As String

        SqlDataSource1.SelectCommand = " select usname , password  from userinfo "

        a = SqlDataSource1.Select(b)

        If  ( usname == textbox1.Text & password == textbox2.Text )

            Response.Redirect("fill.aspx")

        Else

            Label8.Text = "not valid"
        End If

Edited 4 Years Ago by sky.light.7311

The query should be

"SELECT usname, password FROM userinfo "  & 
" WHERE usname = '" & textbox1.Text & "'" &
"   AND [password] = '" & textbox2.Text   & "'"

Your query selects all records. The above selects only the record that contains the username/password pair. If no records were found either because the username, password or both were incorrect then the user shouldn't get access.

A couple of points:

  1. Don't use == in comparisons. That's C syntax.

  2. You should never compose a query this way because of the possibility of SQL injection attacks (look it up).

  3. You should name your controls so their purpose is more obvious. For example, use txtUserName and txtPassword instead of textbox1, etc.

  4. Note that I used [password] instead of just password. In some database implementations, "password" is a reserved word so to prevent errors you must always use the name in square brackets.

it does not check if user name and passord correct or not

i want code to check if user name and password exist in database with correct user name and password

That's what it does. Let's take an example. The user enters "George" for the username and "ncc1701" for the password. The query then becomes (and we don't even need to request specific fields so let's just get them all)

SELECT * FROM userinfo 
 WHERE usname = 'George'
   AND [password] = 'ncc1701'

If it returns a record then it means there is a user named George with that password in the database. This works for any valid combination of username and password. Let's see what happens if the user gets the password wrong.

SELECT * FROM userinfo 
 WHERE usname = 'George'
   AND [password] = 'nxx1701'

Note that I entered an incorrect password. In this case there is no record in the database with the username George and the given password. Perhaps it is clearer if I I explain it this way...

You could fetch the password for the username George and compare it to the password that the user entered but the net effect is the same so why bother with the extra code?

In one case you are coding

If the given username and password are in the database then
    this is a valid username/password
otherwise
    this is not a valid username/password

In the other case you are coding

get the password for the given user from the database
if the password matches the entered password then
    this is a valid username/password
otherwise
    this is not a valid username/password

You might as well do the SELECT * because userinfo probably contains other useful user information that you will be needing anyway.

Another coding tip.

Instead of.

If userName = "sky.light" & password = "qwerty" Then...

Or

If userName = "sky.light" And password = "qwerty" Then...

Use "AndAlso"

If userName = "sky.light" AndAlso password = "qwerty" Then...

Explanation...
If first condition (userName = "sky.light") is true then it will proceed to check the second condition (password = "qwerty") else if condition is false it will not proceed to check the second condition. Therefor, you code is optimized.

As Reverend Jim said, you query is prone to sql injection so we suggest to use stored procedure.

If first condition (userName = "sky.light") is true then it will proceed to check the second condition (password = "qwerty") else if condition is false it will not proceed to check the second condition. Therefor, you code is optimized.

Unless this code is in a loop that is executed several million times in a short period I hardly think that using AndAlso is going to make a measurable difference. AndAlso was introduced to the language to handle cases where the subsequent parts of a compound If might throw an error in some circumstances. For example, if you are parsing lines from a file into two fields and you get a line that results in zero or one field

If Ubound(fields) = 1 And fields(1) = "XXXX" Then

would throw an exception, however

If Ubound(fields) = 1 AndAlso fields(1) = "XXXX"

would not because the second part is only evaluated if the first part is true (used to be known as a McCarthy And).

i have alot of users names and passwords store in database
i can not say that where username like abc and password like 111

i want my code to check in database if certin name and password exist or not

    SqlDataSource1.SelectCommand = " select usname , password  from userinfo wher usname = '" & TextBox1.Text & "'" & "   AND [password] = '" & TextBox2.Text & "'"

    GridView1.DataBind()
    If (GridView1.Rows.Count = 1) Then

        Response.Redirect("fill.aspx")

    Else
        Label2.Text = "Login or Password is incorrect"
    End If
Comments
Yup

It is better to check for a valid username/password combination in one step. If you don't find a matching pair you can tell the user "invalid username/password". You don't want to give information to a hacker that says "this is a valid username but the password is incorrect".

i want my code to check in database if certin name and password exist or not

I've already given you the query you should be using. What is it that you are having problems with?

Try this:

dim cmd as oledb.oledbcommand
dim dr as oledb.oledbdatareader
cmd = new oledb.oledbcommand("SELECT username= '" & txtusername.text & "' and password= '" & txtpasswrd.text & "',con")
if con.state = connection.closed then con.open
dr=cmd.executereader()
if dr.read = true then

// do the stuff here

end if
dr.close
con.close

Edited 4 Years Ago by Icone: mispelled

This article has been dead for over six months. Start a new discussion instead.