0

I am trying to check whilist registrating. When an enterd email exists and then try to register it untill the registration is successfull but I don't want that. 

protected void btnRegister_Click(object sender, EventArgs e)
    {
        if (Page.IsValid)
        {

            SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["conn"].ConnectionString);
            con.Open();
            SqlCommand  cmd = new SqlCommand ("Select count(*) from tblUsers where Email = '" + txtEmail.Text + "' ", con);
            SqlDataAdapter da = new SqlDataAdapter(cmd);
            DataSet  ds = new DataSet();
            da.Fill(ds);


            if (ds.Tables[0].Rows.Count > 0)
            {
                p.UserName = txtUsername.Text;
                p.Email = txtEmail.Text;
                p.DOB = Convert.ToDateTime(txtDob.Text);
                p.Password = txtPass.Text;
                p.InsertUser(p);
                Response.Write("Registration Successfull..");
            }
            else {
                Response.Write("This Email is Already Exist...!!");
            }
        }
        else
        {
            Response.Write("Fail...");
        }
    }
Roan
  • 1,200
  • 2
  • 19
  • 32
Love Aajkal
  • 13
  • 7
  • Use a [Parameterized Insert](http://stackoverflow.com/questions/35163361/how-can-i-add-user-supplied-input-to-an-sql-statement) currently you have an SQL Injection vulnerability. Prefer `EXISTS` rather than `COUNT(*)` and use `.ExecuteScalar` to return a single result rather than a dataset. – Alex K. Apr 04 '16 at 10:14
  • Wrong for Sql Injection `SqlCommand cmd = new SqlCommand ("Select count(*) from tblUsers where Email = '" + txtEmail.Text + "' ", con);` You can use CustomValidator to check if mail exists. – Emanuele Apr 04 '16 at 10:20

0 Answers0