Saturday 16 March 2013

How to Protect your Login or Website, or How to Restrict Dummy User Logins in ASP.NET


Description:-

In this example we explain how to protect your login form, because there are a number of UID and PWD values that can log in to your application without any registration on your site.


For Ex:- By entering 1'or'1'='1 as both the UID and the PWD you can log in to most such applications, because the quotes in the input become part of the SQL statement and the WHERE clause always evaluates to true.


To prevent that situation you must build your login query with @ placeholders and pass the user input as named parameters; the values are then sent separately from the SQL text and can never change its structure.


For Ex:-


// The SQL text contains only placeholders; the user's text is bound to them separately.
SqlCommand cmd = new SqlCommand("select * from stud where unm=@ud and pwd=@pd", cn);
cmd.Parameters.AddWithValue("@ud", TextBox1.Text);
cmd.Parameters.AddWithValue("@pd", TextBox2.Text);

These three lines are enough to stop an unregistered user from logging in to your site.
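To show the difference the page describes in a form you can run offline, here is an added example (not the post's own code) that builds an in-memory SQLite copy of the stud table with constructed rows and checks both a concatenated and a parameterized login query against a valid login and against the 1'or'1'='1 input; SQLite uses ? placeholders where SQL Server uses @ud and @pd.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's "stud" table (unm, pwd, state).
    cn = sqlite3.connect(":memory:")
    cn.execute("create table stud (unm text, pwd text, state integer default 0)")
    cn.executemany("insert into stud (unm, pwd) values (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    cn.commit()
    return cn


def login_concatenated(cn, unm, pwd):
    # Mirrors the commented-out query in the post: input is spliced into the SQL text,
    # so quotes in the input rewrite the WHERE clause. Kept only to demonstrate the flaw.
    query = "select * from stud where unm='" + unm + "' and pwd='" + pwd + "'"
    return len(cn.execute(query).fetchall()) > 0


def login_parameterized(cn, unm, pwd):
    # The post's fix: the SQL text is fixed and the values are bound separately,
    # so the input is compared as a plain string and cannot alter the statement.
    query = "select * from stud where unm=? and pwd=?"
    return len(cn.execute(query, (unm, pwd)).fetchall()) > 0


def demo():
    cn = make_db()
    bypass = "1'or'1'='1"  # the input cited in the post
    return {
        "valid_concat": login_concatenated(cn, "alice", "s3cret"),
        "valid_param": login_parameterized(cn, "alice", "s3cret"),
        "bypass_concat": login_concatenated(cn, bypass, bypass),  # True: no account needed
        "bypass_param": login_parameterized(cn, bypass, bypass),  # False: treated as literal text
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```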

In today's world thousands of dummy users can view or edit your site without registering; this example is very useful for restricting that kind of situation.

You can also restrict the site by using a stored procedure; see the separate stored procedure example.



Example:-

using System;
using System.Data;
using System.Data.SqlClient;

protected void Button1_Click(object sender, EventArgs e)
{
    string conn = @"Data Source=SQLDB;Initial Catalog=Demo;User ID=Demod;Password=Demo1@";

    // Vulnerable form (do not use): the user's text becomes part of the SQL statement.
    // string query = "select * from stud where unm='" + TextBox1.Text + "' and pwd='" + TextBox2.Text + "'";

    using (SqlConnection cn = new SqlConnection(conn))
    using (SqlCommand cmd = new SqlCommand("select * from stud where unm=@ud and pwd=@pd", cn))
    {
        // Parameters are sent separately from the SQL text, so quotes in the input cannot alter the query.
        cmd.Parameters.AddWithValue("@ud", TextBox1.Text);
        cmd.Parameters.AddWithValue("@pd", TextBox2.Text);

        cn.Open();
        DataTable dt = new DataTable();
        using (SqlDataAdapter sa = new SqlDataAdapter(cmd))
        {
            sa.Fill(dt); // Fill runs the SELECT; a separate ExecuteNonQuery is not needed
        }

        if (dt.Rows.Count > 0)
        {
            Session["unm"] = TextBox1.Text; // keep only the user name; the password is never stored in session
            Response.Redirect("~/loadlogin.aspx");
        }
        else
        {
            ClientScript.RegisterClientScriptBlock(this.GetType(), "ke", "<script>alert('wrong username and password');</script>");
        }
    }
}
