eddyperu
asked on
How to create Login Page with Mysql?
HI experts!
I have created a database in mysql(smcofchristlogin)and a table called "login" with fields (username,password).
In my aspx page I created two textboxes(username, password) also I have a imagebutton called "logon"
Note : I am not using the Login controls in asp.net.
So how to create a login page in such a way that when I press the logon button, the program can go to my database and check if the values from the textboxes are the same value from my table (username and password).
If there are not , write a message "You are not authorized to see this page" , by the way this is an asp label.
I am using C# server side and Mysql
Thanks for your help
I have created a database in mysql(smcofchristlogin)and
In my aspx page I created two textboxes(username, password) also I have a imagebutton called "logon"
Note : I am not using the Login controls in asp.net.
So how to create a login page in such a way that when I press the logon button, the program can go to my database and check if the values from the textboxes are the same value from my table (username and password).
If there are not , write a message "You are not authorized to see this page" , by the way this is an asp label.
I am using C# server side and Mysql
Thanks for your help
protected void Logon_Click(object sender, ImageClickEventArgs e)
{
string host = "localhost";
string database = "smcofchristlogin";
string user = "root";
string password = "";
string strSQL = "SELECT * FROM login";
string strProvider = "Data Source=" + host + ";Database=" + database + ";User ID=" + user + ";Password=" + password;
MySqlConnection mysqlCon = new MySqlConnection(strProvider);
mysqlCon.Open();
if (mysqlCon.State.ToString() == "Open")
{
MySqlCommand mysqlCmd = new MySqlCommand(strSQL, mysqlCon);
MySqlDataReader mysqlReader = mysqlCmd.ExecuteReader();
}
mysqlCon.Close();
}
The most popular way to secure your login is by storing the passwords in the database encrypted with MD5 and to compare the MD5 string in the database with the MD5 string of your password at login. In this way you avoid mysql injection.
Hope this helps.
Hope this helps.
ASKER
I saw that but I heard that it is to hack it....
If anybody knows how to load/save a MD5 hash into mysql using asp.NET 2.0(C#).
examples will be great, I ma new suing this programs...
Thanks
If anybody knows how to load/save a MD5 hash into mysql using asp.NET 2.0(C#).
examples will be great, I ma new suing this programs...
Thanks
ASKER
..sorry I mean to easy to hack!
I was just about to tell you to use 'mysql_real_escape_string' but i remembered you are using C# :). So i did a little research an this is what i've come up with::
'PHP, if properly coded, is perfectly safe. SQL statements in your PHP code are unavoidable, and in fact encouraged if you're using MySQL, where the mysql_real_escape_string function works perfectly to prevent attacks of this sort. MSSQL, even in PHP, is another matter--stored procedures are the way to go, simply because there's no MS equivalent to mysql_real_escape_string, and this function won't block every possible attack on MSSQL.
So yes, basic good practices apply here too--if you MUST use embedded SQL statements, parameterize each and every variable before using it in the SQL statement. Otherwise, use stored procedures. In either case, use restricted logins that are only capable of doing what they absolutely must do--no need for your reporting system to have UPDATE, INSERT, or DELETE capabilities.'
Let me know if this answers your question.
'PHP, if properly coded, is perfectly safe. SQL statements in your PHP code are unavoidable, and in fact encouraged if you're using MySQL, where the mysql_real_escape_string function works perfectly to prevent attacks of this sort. MSSQL, even in PHP, is another matter--stored procedures are the way to go, simply because there's no MS equivalent to mysql_real_escape_string, and this function won't block every possible attack on MSSQL.
So yes, basic good practices apply here too--if you MUST use embedded SQL statements, parameterize each and every variable before using it in the SQL statement. Otherwise, use stored procedures. In either case, use restricted logins that are only capable of doing what they absolutely must do--no need for your reporting system to have UPDATE, INSERT, or DELETE capabilities.'
Let me know if this answers your question.
ASKER
Would you mind to send me a good tutorial about store procedure and how to use with MySQL...
I don't know how to code with PHP that is going to be a problem, isn't it?
thanks
I don't know how to code with PHP that is going to be a problem, isn't it?
thanks
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks guys for your help :)
Open in new window