How can I redirect from my login page to the home page after the login is successful? I have one database that stores the username and password. At the time of login it will check the username and password with a SQL query. My code is shown below.

protected void Button1_Click(object sender, EventArgs e)
    {
        if (TextBox1.Text == "")
        {
            Label3.Visible = true;
            Label3.Text = "* Required Field";
        }
        else if (TextBox2.Text == "")
        {
            Label4.Visible = true;
            Label4.Text = "* Required Field";
        }

        else
        {
            Label3.Visible = false;
            Label4.Visible = false;
            userid = TextBox1.Text;
            pass = TextBox2.Text;

            SqlConnection conn = new SqlConnection("SERVER= BAYONE003\\OFFICESERVERS; Initial catalog = Web; Integrated Security = SSPI");
            SqlCommand mycmd = new SqlCommand();
            mycmd.Connection = conn;
            mycmd.CommandText = "SELECT FirstName, LastName, MiddleName, Email, Age FROM web WHERE IsActive=1 AND LoginName='" + userid + "' " + "AND Password='" + pass + "'"; 

            try
            {

                conn.Open();
                mycmd.ExecuteScalar();
                SqlDataAdapter da = new SqlDataAdapter(mycmd);
                DataTable dt = new DataTable();
                da.Fill(dt);
                GridView1.Visible=true;
                GridView1.DataSource = dt;
                GridView1.DataBind();
                TextBox1.Text = "";
                TextBox2.Text="";


            }

            finally
            {
                conn.Close();
                conn.Dispose();
            }
        }
    }

My requirement is that if the login is successful I have to redirect from the login page to the home page instead of binding the GridView. How will it be done?

+3  A: 

First of all, look at using stored procs! That SQL command is leaving you wide open to problems with SQL injection (guard against SQL injection)

 mycmd.CommandText = "SELECT FirstName, LastName, MiddleName, Email, Age FROM web WHERE IsActive=1 AND LoginName='" + userid + "' " + "AND Password='" + pass + "'"; 

If I entered

  ' = '' or '1'='1

as my password it would let me in with whatever username I wanted!

Secondly, you can just do a Response.Redirect("/relative/path/to/home.page",false); to redirect you to the home page.

I'd look at refactoring that code so you have a few methods:

protected bool Login(string username, string password)  //handles logging the user in
protected void LoginSuccess() //handles the redirect if the user successfully logs in.
protected void BindDatagrid() //handles the databind if the user didn't log in.

Mauro

You beat me to the punch. Nice answer.

Diago

+1  A: 

In addition to Mauro's answer here are a few other changes you might want to think about:

  1. Renaming your Web Controls to names that make more sense, txtPassword for example.
  2. Store the connection string in the Web.config file, so you can have a more flexible transition from test to production.
  3. Use a using statement around the connection instead of the try finally.
  4. The SqlDataAdapter will handle closing and opening the connection.
  5. You can use parameters instead of the SP, if you're using SQL Server 2005 or above (the SP won't have much of a performance improvement over inline SQL).

Yuriy Faktorovich

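The method split from Mauro's answer combined with points 2, 3 and 5 of Yuriy's list, as an added example that is not code from either answer. The `LoginPage` class name, the `WebDb` connection string entry, the `NVarChar(50)` column types and the `~/Home.aspx` path are assumptions; the controls are the ones declared on the question's page.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class LoginPage : Page   // hypothetical code-behind class
{
    // Returns true when an active row matches both supplied values.
    protected bool Login(string username, string password)
    {
        // "WebDb" is an assumed <connectionStrings> entry in Web.config.
        string cs = ConfigurationManager.ConnectionStrings["WebDb"].ConnectionString;
        // Compares the Password column as stored, matching the question's schema.
        const string sql = "SELECT COUNT(*) FROM web " +
            "WHERE IsActive = 1 AND LoginName = @login AND Password = @password";

        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Values are sent as typed parameters, separate from the SQL text,
            // so input such as  ' = '' or '1'='1  is compared as a plain string.
            // Column types and lengths are assumed; match them to the real table.
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }   // both objects are disposed here, which also closes the connection
    }

    protected void LoginSuccess()
    {
        Response.Redirect("~/Home.aspx", false);   // assumed home page path
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        if (Login(TextBox1.Text, TextBox2.Text))
        {
            LoginSuccess();
            return;
        }
        // One message for every failure, so the page does not reveal
        // whether the user name or the password was the wrong part.
        Label3.Visible = true;
        Label3.Text = "Invalid user name or password";
    }
}
```

`Response.Redirect` only navigates the browser: the home page still needs its own authentication check, which this example does not set up.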
A: 

Your gridview is pointless, as if the login is unsuccessful, it will contain nothing, and if the login is successful, you will move on to another page.

ck