I believe there are some problems with the code that you should go through. You have correctly used parameters, but have a look at the following points.
string checkDatabase = "SELECT * FROM Users WHERE Email_Id = @em AND Password = @pas";
SqlCommand command = new SqlCommand(checkDatabase, myConnection);
command.Parameters.AddWithValue("@em", email.Text);
command.Parameters.AddWithValue("@pas", password.Text);
It looks like you're storing the password as plain text in your database. This is something you should never do. The passwords should be stored only using a one-way encryption so that the original password cannot be revealed. When verifying the user you don't need to know the password; you just need to know whether it is correct. Have a look at Password Storage: How to do it.
Another thing is how you store the connection in your class. You should use a connection variable which would be scoped only to the method where you need it. Also, to properly dispose the connection you should use a using statement. And since you use the database connection anyway, why not open the connection before entering the if. In other words, something like:
protected void registerBtn_Click1(object sender, EventArgs e)
{
    Page.Validate();
    using (SqlConnection myConnection = new SqlConnection(ConfigurationManager.ConnectionStrings["DefaultConnectionString"].ConnectionString))
    {
        if (Page.IsValid)
        {
            ...
        }
        else
        {
            ...
        }
    }
}
For more discussion, see Version 2, close and dispose database objects. Also you would need to add proper error handling...
string userInvalid = "The username entered is invalid, please choose another.";
string checkDatabase = "SELECT * FROM Users WHERE Email_Id = @em AND Password = @pas";
SqlCommand command = new SqlCommand(checkDatabase, myConnection);
command.Parameters.AddWithValue("@em", email.Text);
command.Parameters.AddWithValue("@pas", password.Text);
command.ExecuteNonQuery();
SqlDataReader reader = command.ExecuteReader();
if (reader.HasRows)
{
    outputlabel.Text = userInvalid;
    myConnection.Close();
}
The third thing is identifying the user. If I interpret your code correctly, you allow people to use the same id if the password is different. In my opinion it would be feasible to allow each id only once. The id is static whereas the password changes over time. For example, if the user forgets the password and wants to reset it and you have two users with the same id in the system, which one will you reset?
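The three points above (one-way password storage, a connection scoped to the method and disposed with using, and one account per e-mail id) pulled together into one registration/verification pair. This is an added example, not code from the question or the answer. It assumes .NET 6 or later (for Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes), the "DefaultConnectionString" entry from the question, and an assumed Users table with columns Email_Id, PasswordHash, PasswordSalt and Iterations; the names Register, Verify and UserStore are made up for this example.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Assumed schema (not from the question):
//   Users(Email_Id nvarchar(256) UNIQUE, PasswordHash varbinary(32),
//         PasswordSalt varbinary(16), Iterations int)
public static class UserStore
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 100_000;

    private static string ConnString =>
        ConfigurationManager.ConnectionStrings["DefaultConnectionString"].ConnectionString;

    // Registers a new user. Returns false when the e-mail id is already taken.
    // The connection exists only inside this method and is disposed by "using".
    public static bool Register(string email, string password)
    {
        // Per-user random salt; the clear-text password is never written anywhere.
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA256, HashSize);

        using (var conn = new SqlConnection(ConnString))
        {
            conn.Open();

            // Uniqueness is decided on the id alone; the password plays no part in it.
            using (var exists = new SqlCommand(
                "SELECT COUNT(1) FROM Users WHERE Email_Id = @em", conn))
            {
                exists.Parameters.AddWithValue("@em", email);
                if ((int)exists.ExecuteScalar() > 0)
                    return false;
            }

            using (var insert = new SqlCommand(
                "INSERT INTO Users (Email_Id, PasswordHash, PasswordSalt, Iterations) " +
                "VALUES (@em, @hash, @salt, @iter)", conn))
            {
                insert.Parameters.AddWithValue("@em", email);
                insert.Parameters.AddWithValue("@hash", hash);
                insert.Parameters.AddWithValue("@salt", salt);
                insert.Parameters.AddWithValue("@iter", Iterations);
                insert.ExecuteNonQuery();
            }
        }
        return true;
    }

    // Login check: look the user up by id only, re-derive the hash from the
    // supplied password and compare in constant time. Nothing reveals the original.
    public static bool Verify(string email, string password)
    {
        byte[] storedHash;
        byte[] salt;
        int iterations;

        using (var conn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash, PasswordSalt, Iterations FROM Users WHERE Email_Id = @em", conn))
        {
            cmd.Parameters.AddWithValue("@em", email);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;            // unknown id
                storedHash = (byte[])reader["PasswordHash"];
                salt       = (byte[])reader["PasswordSalt"];
                iterations = reader.GetInt32(2);
            }
        }

        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                                     HashAlgorithmName.SHA256, storedHash.Length);
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }
}
```

The SELECT COUNT(1) check on its own still leaves a small window between check and insert where two concurrent registrations could both pass; the UNIQUE constraint on Email_Id in the assumed schema is what actually enforces one account per id, so the INSERT should also be wrapped in the error handling the answer mentions (a duplicate-key SqlException) and reported to the user the same way as the COUNT result. Storing the iteration count with each row lets you raise it later without invalidating existing accounts.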