views: 129 | answers: 3

I am new to this. I have 4 pages: login.aspx, account.aspx, settings.aspx and fliers.aspx. It's all programmed in VB.NET with a SQL Server backend. On my first page, login.aspx, I have this code in the .vb page -

' Builds the query by concatenating the two form fields straight into the SQL text
' (this string-building is what the answers below flag as SQL injection).
Dim SQL As String = "SELECT * FROM table1 WHERE email='" + Me.txtUserName.Text + "' AND password='" + Me.txtPassword.Text + "' "
Dim isValidUser As Boolean = False
SqlCmd = New SqlCommand(SQL, SqlCnn)
SqlDR = SqlCmd.ExecuteReader()
If SqlDR.HasRows Then
    Do While SqlDR.Read()
        Label1.Text = "successfully logged in"
        ' The session object is built from the email column of the matching row.
        Dim webUser As New webUser(SqlDR("email"), Session.Item("sqlcnn"))
        Session.Item("webUser") = webUser
        isValidUser = True
    Loop
Else
    Label1.Text = "Failed to login"
End If
SqlDR.Close()

As you can see, it takes Session.Item("webUser") as email. This is fine on this page. On the next page, that is account.aspx, it needs to replace email with the ID of the user who last logged in, and in the settings.aspx page, it needs to replace the ID of the user with the profile ID of that user. All these tables are in the backend and have data, but the problem is my lack of knowledge. How do I make the session have different variables in it?

+1  A: 

Yikes. You have tremendous security issues with your code:

SQL Injection Attacks http://msdn.microsoft.com/en-us/library/ms998271.aspx

Also, you should use the Membership provider and Forms-based authentication: http://support.microsoft.com/kb/301240

Lastly, to set a session value simply say Session( "Value Name" ) = value

Nissan Fan
+100 if I could.
Joel Etherton
A: 

Really consider getting rid of inline SQL and using exec. Look into stored procedures and passing parameters using the command object. Passwords should also not be stored as plain text.

As for sessions, they are simply variables that can be changed in, say, the page_load event.

For instance,

Session("FirstName") = "Jon"

The session, FirstName, has the value Jon. It can easily be changed in another aspx page simply by resetting it:

In another page:

Session("FirstName") = "Dawn"

Try it out.

A: 

The best way is actually to create a class object (after you've read the links from @Nissan Fan and started using some kind of secured authentication) and store the serialized class object into the session. Your class object should inherit the System.Security.Principal.GenericIdentity class or at the very least implement IIdentity. Then you could just grab it out of session, cast it, and access the properties of your object directly (username/email/whatever).

Joel Etherton
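Putting the three answers together (parameters instead of concatenation, a hashed password instead of plain text, and one identity object in the session that the other pages cast back), as an added example that is not code from the question or any of the answers. The WebUser class, the LoginHelper module and the table columns id, profile_id, password_salt and password_hash are assumptions; only table1 and the email column come from the question.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Security.Principal
Imports System.Web.Security

' Hypothetical identity class: inherits GenericIdentity as the third answer
' suggests and carries the ids that account.aspx and settings.aspx need.
<Serializable()>
Public Class WebUser
    Inherits GenericIdentity
    Public Property UserId As Integer
    Public Property ProfileId As Integer

    Public Sub New(email As String, userId As Integer, profileId As Integer)
        MyBase.New(email, "Forms")
        Me.UserId = userId
        Me.ProfileId = profileId
    End Sub
End Class

Public Module LoginHelper
    ' Assumed columns: id, profile_id, password_salt, password_hash (PBKDF2 output, varbinary).
    ' The email travels as a parameter, so it is treated as data, never as SQL text.
    Public Function Authenticate(cnn As SqlConnection, email As String, password As String) As WebUser
        Const sql As String = "SELECT id, profile_id, password_salt, password_hash FROM table1 WHERE email = @email"
        Using cmd As New SqlCommand(sql, cnn)
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email
            Using dr As SqlDataReader = cmd.ExecuteReader()
                If Not dr.Read() Then Return Nothing ' no such email
                Dim salt = CType(dr("password_salt"), Byte())
                Dim stored = CType(dr("password_hash"), Byte())
                ' Re-derive the hash from the supplied password and compare with the stored one.
                Dim computed = New Rfc2898DeriveBytes(password, salt, 10000).GetBytes(stored.Length)
                If Not computed.SequenceEqual(stored) Then Return Nothing ' wrong password
                Return New WebUser(email, CInt(dr("id")), CInt(dr("profile_id")))
            End Using
        End Using
    End Function
End Module

' login.aspx.vb, on a successful call: store the object once, then set the auth cookie.
'   Dim user = LoginHelper.Authenticate(SqlCnn, txtUserName.Text, txtPassword.Text)
'   If user Is Nothing Then Label1.Text = "Failed to login" Else Session("webUser") = user
'   If user IsNot Nothing Then FormsAuthentication.SetAuthCookie(user.Name, False)
' account.aspx.vb / settings.aspx.vb: read it back and cast, no second session key needed.
'   Dim user = TryCast(Session("webUser"), WebUser)
'   If user Is Nothing Then FormsAuthentication.RedirectToLoginPage()
'   Dim accountId = user.UserId    ' settings.aspx uses user.ProfileId instead
```

The stored hash and salt must be written with the same Rfc2898DeriveBytes parameters when the account is created; an equal-length comparison that does not short-circuit is preferable to SequenceEqual if timing matters.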