
I was doing my ASP.NET C# project for my academic submission, and I'm trying to build an approval step for registrations on the site. For this I have created a new column in the database with bit type (column `approval`).

And I was trying to check, when a user signs in, with an IF statement whether the `approval` column is true or false: if true, then execute the login instructions; else pop up a message stating "admin approval pending".

Here is my code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Web.Security;

public partial class dlgn : System.Web.UI.Page
{
    DbConnect db = new DbConnect();

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        db.con.Open();
        db.cmd = new SqlCommand("select approval,email,type from docreg where email='" + username.Text + "'and password='" + password.Text + "'", db.con);
        SqlDataReader reader = null;
        reader = db.cmd.ExecuteReader();

        if (reader.HasRows)
        {
            bool approval;
            approval = reader.GetBoolean(0);
            if (approval == true)
            {
                reader.Read();
                Response.Write("<script>alert('Login successful')</script>");
                Session["sid"] = username.Text.ToString();
                Session["email"] = reader.GetString(0).ToString();
                Session["type"] = reader.GetString(0).ToString();
                Session["name"] = reader.GetString(0).ToString();
                FormsAuthenticationTicket ticket = default(FormsAuthenticationTicket);
                string cookie = null;
                HttpCookie httpCookie = default(HttpCookie);

                ticket = new FormsAuthenticationTicket(1, username.Text, DateTime.Now, DateTime.Now.AddMinutes(100), true, HiddenCustomerID.Value, "MyPage");
                cookie = FormsAuthentication.Encrypt(ticket);
                httpCookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookie);
                httpCookie.Path = FormsAuthentication.FormsCookiePath;
                Response.Cookies.Add(httpCookie);

                Response.Redirect("dochme.aspx");
            }
            else
            {
                Response.Write("<script>alert('Your Profile Not Yet Approved by Admin, kindly Check back later ')</script>");
            }
        }
        else
        {
            Response.Write("<script>alert('Invalid username or password')</script>");
        }
    }
}
    so what's your question? – Ehsan Sajjad May 10 '16 at 18:26
  • My question is that, when I use the above if condition, the code execution stops at `approval = reader.GetBoolean(0);` and returns false. Can you check my code, that the correct condition is used? – Stanly Stephen May 10 '16 at 18:36
  • As a side note, please refrain from writing `if (myBoolean == true)`. You can just simply write `if (myBoolean)`. It means the same thing and is shorter/cleaner. – Lews Therin May 10 '16 at 18:48
  • Your code is vulnerable to [SQL Injection](http://www.bobby-tables.com)! Please use parameterized queries instead of inserting user input directly into your query. – René Vogt May 10 '16 at 20:16
  • And your problem is: you need to call `GetBoolean` _after_ `Read()`! `Read` fetches the next (in your case the first) row of the result. You cannot access the values before you have fetched them. – René Vogt May 10 '16 at 20:20

2 Answers


You need to call `reader.Read()` before `approval = reader.GetBoolean(0);`. Until you call `Read()` the reader hasn't advanced to the first row. `Read()` returns a boolean, so you can check `if (reader.Read())`.

But since you're only looking to read one row, this will do it:

if (reader.HasRows)
{
    bool approval;
    reader.Read(); //Advance to the first row returned
    approval = reader.GetBoolean(0);
    if (approval == true)
    {
       //etc

or this - it's functionally the same:

if (reader.Read()) //If there is a first row, advances to that first row
{
    bool approval;
    approval = reader.GetBoolean(0);
    if (approval == true)
    {
       //etc
Scott Hannen

Your SQL statement is invalid. It needs to have a space between the email value and the `and` keyword:

... username.Text + "'and ...

Should be

... username.Text + "' and ...

However, DO NOT use this code in production. You are leaving yourself open to SQL injection attacks. It also looks like you are storing plaintext passwords. You need to protect your users.

ManOVision
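A corrected version of the login handler, added here as an example; it is not code from the question or from either answer. It pulls together the points raised in the thread: `Read()` must run before any `Get*` call, columns should be looked up by name instead of calling `GetString(0)` on the bit column, user input goes into SQL parameters rather than concatenated text, and the stored password must be a hash, not plaintext. It assumes a `docreg` table with columns `email`, `approval` (bit), `type`, `name`, `password_hash` and `password_salt` (both varbinary, PBKDF2 with 100,000 iterations), a connection string named `docreg` in web.config (which needs a reference to `System.Configuration`), and the `username` and `password` TextBox controls from the original form. The `HiddenCustomerID` field from the question is dropped because the page never defines it; `FormsAuthentication.SetAuthCookie` builds the ticket and applies the cookie settings from web.config instead.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class dlgn : Page
{
    // Assumed: a connection string named "docreg" in web.config.
    private static readonly string ConnStr =
        System.Configuration.ConfigurationManager.ConnectionStrings["docreg"].ConnectionString;

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Parameters keep the user's text out of the SQL grammar, so an input like
        //   ' OR '1'='1' --
        // is compared as a literal e-mail address instead of rewriting the WHERE clause.
        const string sql =
            "SELECT approval, email, type, name, password_hash, password_salt " +
            "FROM docreg WHERE email = @email";

        bool approved = false, credentialsOk = false;
        string email = null, type = null, name = null;

        using (var con = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = username.Text;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                // Read() positions the reader on the first row; calling GetBoolean before it throws.
                if (reader.Read())
                {
                    approved = reader.GetBoolean(reader.GetOrdinal("approval"));
                    email = reader.GetString(reader.GetOrdinal("email"));
                    type = reader.GetString(reader.GetOrdinal("type"));
                    name = reader.GetString(reader.GetOrdinal("name"));
                    byte[] storedHash = (byte[])reader["password_hash"];
                    byte[] salt = (byte[])reader["password_salt"];
                    credentialsOk = VerifyPassword(password.Text, salt, storedHash);
                }
            }
        }

        if (!credentialsOk)
        {
            // One message for "unknown e-mail" and "wrong password" so the form
            // does not confirm which accounts exist.
            ShowMessage("Invalid username or password");
            return;
        }
        if (!approved)
        {
            ShowMessage("Your profile has not yet been approved by the admin; please check back later.");
            return;
        }

        Session["sid"] = email;
        Session["email"] = email;
        Session["type"] = type;
        Session["name"] = name;

        // Builds and encrypts the ticket and writes the cookie with the name, path,
        // HttpOnly and requireSSL settings configured in web.config.
        FormsAuthentication.SetAuthCookie(email, false);
        Response.Redirect("dochme.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Assumed hashing scheme: PBKDF2-HMAC-SHA1 (Rfc2898DeriveBytes), 100,000 iterations,
    // output length equal to the stored hash length.
    private static bool VerifyPassword(string candidate, byte[] salt, byte[] storedHash)
    {
        using (var kdf = new Rfc2898DeriveBytes(candidate, salt, 100000))
        {
            byte[] computed = kdf.GetBytes(storedHash.Length);
            return FixedTimeEquals(computed, storedHash);
        }
    }

    // Compare every byte regardless of where the first mismatch is, so the time taken
    // does not reveal how many leading bytes of the hash were correct.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private void ShowMessage(string text)
    {
        // Registered startup script instead of Response.Write, and the text is
        // JavaScript-encoded so a quote in it cannot break out of the alert() string.
        ClientScript.RegisterStartupScript(GetType(), "msg",
            "alert('" + HttpUtility.JavaScriptStringEncode(text) + "');", true);
    }
}
```

Note that the original's `Response.Write("<script>alert('Login successful')</script>")` followed by `Response.Redirect` never reaches the browser, because the redirect response replaces the page body; the success path above therefore just redirects. If the `approval` column is nullable, call `reader.IsDBNull` on its ordinal before `GetBoolean`, or make the column `NOT NULL DEFAULT 0` so an unapproved registration can never be read as true.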