
I'm new to asp.net and I was trying to make a simple login page that will search the username and password entered in a database. I created the App_Data folder and I have database in it called Database1.mdf. Inside that database there is a table called users.

This is the code behind the login page:

protected void Page_Load(object sender, EventArgs e)
{
    if (IsPostBack)
    {
        string mcn = Request.Form["username"];
        string pass = Request.Form["pass"];
        string query = "SELECT * FROM users WHERE mcn = '" + mcn + "' AND pass = '" + pass + "'";
        string connectionstring = @"Data Source=(LocalDB)\v11.0;AttachDbFilename=App_Data\Database1.mdf;Integrated Security=True";

        SqlConnection con = new SqlConnection(connectionstring);
        SqlDataAdapter ad = new SqlDataAdapter(query, con);
        con.Open();
        SqlCommand com = new SqlCommand(query, con);
        SqlDataReader data = com.ExecuteReader();
        bool found;
        found = (bool)data.Read();
        con.Close();

        if (found)
        {
            Session["user"] = true; 
        }

        Response.Redirect("Main.aspx");
    }
}

When I run the page and submit the login form which calls this Page_Load I get this error:

An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code

Additional information: An attempt to attach an auto-named database for file App_Data\Database1.mdf failed. A database with the same name exists, or specified file cannot be opened, or it is located on UNC share.

Thanks in advance!

ril2

  • **This query is open to SQL injection attacks.** Please parameterize it. Furthermore, you should be disposing of your objects. I see you call `con.Close()` but most of these support disposal. Wrap your `SqlConnection`, `SqlDataAdapter`, `SqlCommand`, and `SqlDataReader` in `using` statements. – Matthew Haugen Jul 13 '14 at 21:27
  • Also, is there a reason you've elected against use of a more stable framework, for instance ASP Identity? And is there a reason you're doing this in the Page_Load when a PostBack is occurring, as compared to on the Button_Click event that is likely bringing you here? This will cause any buttons on the page to attempt a login, which will likely confuse everyone. – Matthew Haugen Jul 13 '14 at 21:29
  • I think you could fix your connection string with `AttachDbFilename=|DataDirectory|\Module.mdf`, however everything that @MatthewHaugen said is absolutely true and needs to be fixed ASAP (And revert the condition to `!IsPostBack`) – Steve Jul 13 '14 at 21:46
  • @Steve Thanks for your comment. I changed the attachdbfilename to |DataDirectory|\database1.mdf but now I get this error: **An exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll but was not handled in user code. Additional information: Incorrect syntax near the keyword 'Table'.** – ril2 Jul 13 '14 at 22:16
  • What is `users` in your SELECT statement? You said you had a table called `Table`. Is `users` a Stored Procedure? If so, that might be where your incorrect syntax is. – Philip Pittle Jul 13 '14 at 22:43
  • @ppittle I also have a table called users, sorry :) – ril2 Jul 14 '14 at 09:28
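One way to apply the comments above (parameterized query, `using` blocks so every ADO.NET object is disposed, `|DataDirectory|` in the connection string, and running the check from a button's click handler rather than `Page_Load`), as an added example that is not code from the question or its answer. It assumes a login button named `btnLogin` and the same `users(mcn, pass)` table the question describes.

```csharp
using System;
using System.Data.SqlClient;

// Added example, not the asker's code. Assumes a Button named btnLogin on the
// page and a table users(mcn, pass) inside App_Data\Database1.mdf.
public partial class Login : System.Web.UI.Page
{
    // |DataDirectory| resolves to the App_Data folder at runtime, so the
    // relative path in the original connection string is no longer a problem.
    private const string ConnectionString =
        @"Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|\Database1.mdf;Integrated Security=True";

    // Wired to btnLogin's Click event, so only the login button runs the check.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string mcn = Request.Form["username"];
        string pass = Request.Form["pass"];

        if (UserExists(mcn, pass))
        {
            Session["user"] = true;
            Response.Redirect("Main.aspx");
        }
        // On failure stay on the page; do not say which field was wrong.
    }

    // Returns true when a matching row exists. The user input travels as
    // parameters, so a quote in either field is data, never part of the SQL.
    // Like the original it compares the stored pass value directly; a real
    // application should store and compare a password hash instead.
    private static bool UserExists(string mcn, string pass)
    {
        const string query = "SELECT 1 FROM users WHERE mcn = @mcn AND pass = @pass";

        using (var con = new SqlConnection(ConnectionString))
        using (var com = new SqlCommand(query, con))
        {
            com.Parameters.AddWithValue("@mcn", mcn ?? string.Empty);
            com.Parameters.AddWithValue("@pass", pass ?? string.Empty);
            con.Open();
            using (SqlDataReader data = com.ExecuteReader())
            {
                return data.Read();
            }
        }
    }
}
```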

1 Answer


Well I finally fixed it just by moving everything to a different class. This made everything very organized and I think that as a beginner it was hard to look at it and find what was probably a syntax error.

Thanks for the comments!

ril2