laurajs - 5 months ago
Vb.net Question

show user's details from table on aspx when logged in

I posted a similar question previously but quickly deleted it as the question had a number of errors and was not clear for readers.

I am creating a login for a patient. When they log in (from the login page, login.aspx) I want them to be redirected to a page (in this case user.aspx) once the login is authenticated, and to show their details from a table.

So far I can only get a label to say that the user login is correct or incorrect.

I have a patient table as follows; this is all dummy data with made-up users/accounts:

[image: patient table]

This is the code-behind file. Have I set the session correctly? And when the user is authenticated, how can they be redirected to user.aspx with their corresponding details from a table (for instance their user details)?

Imports System.Data.SqlClient
Imports System.Data

Partial Class Pages_Login
    Inherits System.Web.UI.Page

    Protected Sub btnlogin_Click(sender As Object, e As EventArgs) Handles btnlogin.Click
        Dim patientNo As String = txtuser.Text
        Dim password As String = txtpassword.Text
        ' CheckUser returns the matching PatientId, or 0 when no row matched,
        ' so compare explicitly instead of relying on an implicit Integer-to-Boolean conversion.
        Dim bAuthenticated As Boolean = CheckUser(patientNo, password) > 0

        If bAuthenticated Then
            lblresult.Text = "correct"
        Else
            lblresult.Text = "Incorrect Student Number and/or Password"
        End If
    End Sub

    ' Looks up the patient by username and password (both passed as SQL parameters, never
    ' concatenated into the query) and stores the PatientId in the session for later pages.
    Public Function CheckUser(patientNo As String, password As String) As Integer
        Dim cmdstring As String = "SELECT * FROM Patient WHERE Username=@PATIENTNO AND Password=@PASSWORD"
        Dim found As Integer = 0
        Using conn As New SqlConnection("Data Source=(LocalDB)\v11.0;AttachDbFilename=C:\Users\Laura\Final_proj\App_Data\surgerydb.mdf;Integrated Security=True;Connect Timeout=30")
            Dim cmd = New SqlCommand(cmdstring, conn)
            cmd.Parameters.Add("@PATIENTNO", SqlDbType.NChar).Value = patientNo
            cmd.Parameters.Add("@PASSWORD", SqlDbType.NChar).Value = password
            conn.Open()

            ' Using disposes the reader even if an exception is thrown while reading.
            Using reader = cmd.ExecuteReader()
                While reader.Read()
                    found = CInt(reader.Item("PatientId"))
                    Session("PatientId") = found
                End While
            End Using
        End Using
        Return found
    End Function
End Class


I hope someone can help. If I can provide any more information or direction on the question please let me know.

Aki
Answer

Rather than showing the user that they have successfully logged in, just add the following line of code to redirect them to the user.aspx page:

Response.Redirect("user.aspx", True)

On the user page, you need to check whether Session("PatientId") is empty; if so, redirect back to the login page. If it does have a value, ensure it is a number and then use it to load the patient details with another DB call.

Another tip: I noticed your passwords are in plain text. I would highly recommend that you one-way hash them using a simple function for additional security. You can then use the same function to hash the password entered on the login page and compare it against the database value.
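A worked version of the answer's two points, added here as an example and not code from the question or the answer: the user.aspx code-behind validates the session value before loading the patient's row, and a helper hashes passwords with a per-user salt so the comparison happens in code rather than in the SQL WHERE clause. The class name Pages_User, the label lblUsername and the "iterations:salt:hash" storage format are assumptions; the connection string is the one from the question.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Partial Class Pages_User
    Inherits System.Web.UI.Page
    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        ' Render nothing unless login.aspx stored a positive numeric PatientId; the id comes from the
        ' server-side session, not the query string, so a user cannot request another patient's row.
        Dim patientId As Integer
        If Session("PatientId") Is Nothing OrElse Not Integer.TryParse(Session("PatientId").ToString(), patientId) OrElse patientId <= 0 Then
            Response.Redirect("login.aspx", True)
        End If
        Using conn As New SqlConnection("Data Source=(LocalDB)\v11.0;AttachDbFilename=C:\Users\Laura\Final_proj\App_Data\surgerydb.mdf;Integrated Security=True;Connect Timeout=30"),
              cmd As New SqlCommand("SELECT Username FROM Patient WHERE PatientId = @PATIENTID", conn)
            cmd.Parameters.Add("@PATIENTID", SqlDbType.Int).Value = patientId
            conn.Open()
            Using reader = cmd.ExecuteReader()
                If reader.Read() Then
                    ' lblUsername is a hypothetical label on user.aspx; HTML-encode before writing it to the page.
                    lblUsername.Text = Server.HtmlEncode(reader("Username").ToString().Trim())
                Else
                    Session.Abandon()   ' stale id: drop the session and start again
                    Response.Redirect("login.aspx", True)
                End If
            End Using
        End Using
    End Sub
End Class

' Salted, iterated one-way hash (PBKDF2 via Rfc2898DeriveBytes) stored as "iterations:salt:hash" (assumed format).
' Login then selects PatientId and Password by Username and calls VerifyPassword on the stored value.
Public Module PasswordHasher
    Public Function HashPassword(password As String) As String
        Using kdf As New Rfc2898DeriveBytes(password, 16, 100000)   ' 16-byte random salt, 100000 iterations
            Return "100000:" & Convert.ToBase64String(kdf.Salt) & ":" & Convert.ToBase64String(kdf.GetBytes(32))
        End Using
    End Function
    Public Function VerifyPassword(password As String, stored As String) As Boolean
        Dim parts = stored.Split(":"c)
        Dim iterations As Integer
        If parts.Length <> 3 OrElse Not Integer.TryParse(parts(0), iterations) Then Return False
        Dim expected = Convert.FromBase64String(parts(2))
        Using kdf As New Rfc2898DeriveBytes(password, Convert.FromBase64String(parts(1)), iterations)
            Dim actual = kdf.GetBytes(expected.Length)
            Dim diff As Integer = 0   ' compare every byte so timing does not reveal where a mismatch occurs
            For i = 0 To expected.Length - 1
                diff = diff Or (actual(i) Xor expected(i))
            Next
            Return diff = 0
        End Using
    End Function
End Module
```

Existing plain-text rows need to be rewritten once with HashPassword before the login page switches to VerifyPassword, otherwise every login fails.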
