Need Help in ASP.Net C# login page

Question

What is wrong with this code? I have tried a lot of methods. But it always show login failed. No Build Errors though. I have a database named honeypot and a table called register in it,with username row and password row as varchars. I'm using built in login control. Can anyone help? I'm using Visual studio 2013.

home.aspx.cs

enter code here
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data.SqlClient;

namespace CodeInjection4
{
public partial class Home : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.IsPostBack)
        {
        }
    }

    private static int count = 0;

    protected void log1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        if (log1.UserName == "Admin" && log1.Password == "Admin")
        {
            Response.Redirect("Adminhome.aspx");
        }
        else if (YourValidationFunction(log1.UserName, log1.Password))
        {
            Session["User"] = log1.UserName;
            e.Authenticated = true;
            Response.Redirect("userhome.aspx");
            log1.TitleText = "Successfully Logged In";
        }
        else
        {
            e.Authenticated = false;
            count++;
            if (count >= 3)
            {
                count = 0;
                Session["User"] = log1.UserName;
                Server.Transfer("MainPage.aspx");
            }
        }
    }

    private SqlConnection strConnection = new
        SqlConnection("server=.\\SQLEXPRESS;database=honeypot;integrated security=true;");

    private bool YourValidationFunction(string UserName, string Password)
    {
        bool boolReturnValue = false;
        String SQLQuery = "SELECT UserName, Password FROM Register";
        SqlCommand command = new SqlCommand(SQLQuery, strConnection);
        SqlDataReader Dr;
        try
        {
            strConnection.Open();
            Dr = command.ExecuteReader();
            while (Dr.Read())
            {
                if ((UserName == Dr["UserName"].ToString()) & (Password == Dr["Password"].ToString()))
                {
                    boolReturnValue = true;
                }
            }
            Dr.Close();
        }
        catch
        {
        }
        return boolReturnValue;
    }

    protected void lnkRegis_Click(object sender, EventArgs e)
    {
        Response.Redirect("AdUserAcc.aspx");
    }
}
}

Home.aspx

enter code here

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Home.aspx.cs" Inherits="CodeInjection4.Home" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<script runat="server">
</script>
<style type="text/css">
    #form1 {
        text-align: center;
    }
    .auto-style1 {
        width: 981px;
        text-align: left;
    }
    .auto-style2 {
        width: 961px;
    }
    </style>
</head>
<body>
<form id="form1" runat="server">
<div>

    Forestalling Code Injection</div>
    <asp:Login ID="log1" OnAuthenticate="log1_Authenticate" runat="server" Width="1062px">
        <LayoutTemplate>
            <table cellpadding="1" cellspacing="0" style="border-collapse:collapse;">
                <tr>
                    <td>
                        <table cellpadding="0">
                            <tr>
                                <td align="center" colspan="2">Log In</td>
                            </tr>
                            <tr>
                                <td align="right" class="auto-style2">
                                    <asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName">User Name:</asp:Label>
                                </td>
                                <td class="auto-style1">
                                    <asp:TextBox ID="UserName" runat="server"></asp:TextBox>
                                    <asp:RequiredFieldValidator ID="UserNameRequired" runat="server" ControlToValidate="UserName" ErrorMessage="User Name is required." ToolTip="User Name is required." ValidationGroup="log1">*</asp:RequiredFieldValidator>
                                </td>
                            </tr>
                            <tr>
                                <td align="right" class="auto-style2">
                                    <asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password">Password:</asp:Label>
                                </td>
                                <td class="auto-style1">
                                    <asp:TextBox ID="Password" runat="server" TextMode="Password"></asp:TextBox>
                                    <asp:RequiredFieldValidator ID="PasswordRequired" runat="server" ControlToValidate="Password" ErrorMessage="Password is required." ToolTip="Password is required." ValidationGroup="log1">*</asp:RequiredFieldValidator>
                                </td>
                            </tr>
                            <tr>
                                <td colspan="2">
                                    <asp:CheckBox ID="RememberMe" runat="server" Text="Remember me next time." />
                                </td>
                            </tr>
                            <tr>
                                <td align="center" colspan="2" style="color:Red;">
                                    <asp:Literal ID="FailureText" runat="server" EnableViewState="False"></asp:Literal>
                                </td>
                            </tr>
                            <tr>
                                <td align="right" colspan="2" style="text-align: center">
                                    <asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log In" ValidationGroup="log1" />
                                </td>
                            </tr>
                        </table>
                    </td>
                </tr>
            </table>
        </LayoutTemplate>
    </asp:Login>
    <br />
    <asp:Button ID="Button1" runat="server" Text="Register" PostBackUrl="~/AdUserAcc.aspx" />
</form>
</body>
</html>

Answer 1

You are selecting all the users and looping through them. You have break out of the loop if you find a matching username and password such as

if ((UserName == Dr["UserName"].ToString()) & (Password == Dr["Password"].ToString()))
{
    boolReturnValue = true;
    break;
}

Othwerwise the next user will set it back to false.

A couple of notes:

1. Selecting all users and iterating through them is not scalable and wouldn't perform well. Instead you can pass in the username and password in WHERE clause. If you get a match then the login info is correct.

2. I'd recommend using logical-AND operator (&&) instead of bitwise-AND (&). Here's a SO thread with related discussion: Usage & versus &&

3. Consider using salted password hashes as opposed to plaintext passwords.