Losec Losec - 3 months ago 18
ASP.NET (C#) Question

asp.net website SQL connection

i'm having problems getting my ASP.NET site to log me in using SQL, here is some code (Login.ASPX.CS);

private bool ValidateCredentials(string userName, string password)
{
bool returnValue = false;

if (this.IsAlphaNumeric(userName) && userName.Length <= 50 && password.Length <= 50)
{
SqlConnection conn = null;

try
{
string sql = "select count(*) from dbo.Users where UserName = '@username' and password = '@password'";

conn = new SqlConnection(ConfigurationManager.ConnectionStrings["MembershipSiteConStr"].ConnectionString);
SqlCommand cmd = new SqlCommand(sql, conn);

SqlParameter user = new SqlParameter();
user.ParameterName = "@username";
user.Value = userName.Trim();
cmd.Parameters.Add(user);

SqlParameter pass = new SqlParameter();
pass.ParameterName = "@password";
pass.Value = Hasher.HashString(password.Trim());
cmd.Parameters.Add(pass);

conn.Open();

int count = (int)cmd.ExecuteScalar();

if (count > 0) returnValue = true;
}


Here is my web.config connectionstring

<connectionStrings>
<add name="MembershipSiteConStr" connectionString="Data Source=dev-pc\;Initial Catalog=MembershipSite;User ID=test;Password=test" />




i've tested this SQL connection using server explorer and SQL managment and it all works.

here are some SP of what's going on;

enter image description here

here is evidence that the user and pass im putting in should work;
The user is there:

enter image description here

that the SQL query works:

enter image description here

Answer

Change code of Adding Password Parameter as follow

 SqlParameter pass = new SqlParameter();
 pass.ParameterName = "@password";
 //pass.Value = Hasher.HashString(password.Trim());
 pass.Value = password.Trim(); 
 cmd.Parameters.Add(pass);