tags:

views:

27

answers:

3

i try to do a login using asp.net 3.5 and sql server 2005 i create a dataset and do this code but something is missing in the code here the code

Protected Sub btnlogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnlogin.Click

    Dim LoginTable As New ClassSet.UsersDataTable
    Dim LoginAdapter As New ClassSetTableAdapters.UsersTableAdapter

    LoginAdapter.FillBylogin(LoginTable, txtuser.Text, txtpass.Text)

    Dim dr As DataRow() = LoginTable.Select("Name= ' " & txtuser.Text & " 'Password= ' " & txtpass.Text & " '")

    If dr.Length > 0 Then
        Response.Redirect("MyClassifieds.aspx")
    Else
        Label1.Text = "Invalid UserName or Password"
    End If

End Sub

it say that there is something missed after the password=' " & txtpass.Text in line 5 but i cant get what missed can any one help please

+2  A: 

You are missing the "AND" statement between Name and Password

Dim dr As DataRow() = LoginTable.Select("Name= '" & txtuser.Text & "' AND Password= '" & txtpass.Text & "'")
Nick Berardi
+2  A: 

You're missing an AND

Dim dr As DataRow() = LoginTable.Select("Name= '" & txtuser.Text & "' AND Password= '" & txtpass.Text & "'")

And I doubt you want spaces in there either.

But you also have a problem here, SQL Injection. You seriously do not want to build up dynamic SQL like this, you MUST parameterise all your queries.

blowdart
This is a select running on a local data table - therefore SQL injection is unlikely to do anything.
ck
SQL Injection isn't just inserts, you could easily get that query to return true all the time, allowing you to login as any user.
blowdart
A: 

Why are you running a select to verify the username and password in the login table when its just been filled using the username and password through the data adaptor? Surely you can just check its length then. Also, if there is any security in your login system the password won't be stored in plain text so the adaptors fill method should do some kind of one way hashing to find the correct password to return the the data table.

ck