Re: Problem with login code

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Mark Fitzpatrick (markfitz_at_fitzme.com)
Date: 09/14/04 

Date: Tue, 14 Sep 2004 00:48:37 -0500

Justin,
        You may want to look into adding parameters to your query (check out
the SqlParameter object). When you create a string on the fly for a query
and pass it to a command object it's probably suject to a SQL Injection
Attack, which means a moderately skilled hacker could get all the user
accounts by adding some carefully crafted SQL statements into your Email
textbox and have them displayed for him right from your system.

        Hope this helps,
        Mark Fitzpatrick
        Microsoft MVP - FrontPage

"Justin" <Justin@discussions.microsoft.com> wrote in message
news:5A06EBB3-93DC-442C-AF68-8F726E586EEB@microsoft.com...
>I am tring to create a very simple login page that asks for an email
>address
> and password and compares the password entered to the password in the
> accounts table to authenticate the user. I get the following error when
> trying use executereader():
>
> System.Data.SqlClient.SqlException: The column prefix 'asmussen@cableone'
> does not match with a table name or alias name used in the query.
>
> string mySelectQuery = "SELECT AccountID, Email, Password FROM Accounts
> WHERE Email = " + Email.Text;
>
> System.Data.SqlClient.SqlCommand myCommand = new
> System.Data.SqlClient.SqlCommand(mySelectQuery, sqlConnection1);
>
> sqlConnection1.Open();
> myReader = myCommand.ExecuteReader();
>
> if (Password.Text == myReader["Password"])
> {
> Session["Login"] = myReader["Email"];
> Session["AccountID"] = myReader["AccountID"];
> }
> else
> {
> lblStatus.Text = "Login Failed";
> }
>
> myReader.Close();
> sqlConnection1.Close();
>
> Any ideas?
> Thanks, Justin.

Relevant Pages

  • RE: Expire accounts from Active Directory after a period of inactivity
    ... your user groups for all accounts that have been inactive for 30 or more ... It does seem better though to store the output to a SQL database. ... Query it once a month or once a week ... box giving hackers complete access to all your backend systems! ...
    (Focus-Microsoft)
  • Run-time error -2147217865(80040e37):
    ... But if i copy the same query and run into the database it works fine ... 'Adjust day to query accounts that have not had a payment since ... 'Specify balance range of accounts to return ... SQL = StringToSQL ...
    (microsoft.public.vb.general.discussion)
  • Re: Simple Sum Calculation but I cant work it out......
    ... This is the SQL query I have: ... GROUP BY Test.[Customer Accounts]; ... >I do it using straight SQL... ... CalculatedValue from tblSomeTable GROUP BY ...
    (microsoft.public.access.queries)
  • Re: Select Query By Month.
    ... Post the SQL of the [Accounts By Month Query]. ... if I wanted to know which invoices are ...
    (microsoft.public.access.queries)
  • Re: DBMS and lisp, etc.
    ... Naively implemented with SQL, again for 10 ... (1 query for the initial orders, 1 query for each order for its ... soon as you upgrade to the SQL database. ... (eq (order-customer orderA) ...
    (comp.lang.lisp)