Sunday, March 11, 2012

Compare results from SQL to textbox?

I am trying to make a user authentication system which pulls data from a SQL table (that has columns "UserID" and "PIN" in it).

How can I check to see what the user entered into the "UserID" and "PIN" textbox's on the page and compare those entries to the database to see if they match up? I have been able to make the below code to do the query itself, but I don't know how to check back and see if it actually returned a match or not.


Function CheckLogin(ByVal userID As String, ByVal pIN As String) As System.Data.DataSet
Dim connectionString As String = "server='(local)'; trusted_connection=true; database='test'"
Dim dbConnection As System.Data.IDbConnection = New System.Data.SqlClient.SqlConnection(connectionString)

Dim queryString As String = "SELECT [UserAuth].[UserID], [UserAuth].[PIN] FROM [UserAuth] WHERE (([UserAuth].["& _
"UserID] like @.UserID) AND ([UserAuth].[PIN] like @.PIN))"
Dim dbCommand As System.Data.IDbCommand = New System.Data.SqlClient.SqlCommand
dbCommand.CommandText = queryString
dbCommand.Connection = dbConnection

Dim dbParam_userID As System.Data.IDataParameter = New System.Data.SqlClient.SqlParameter
dbParam_userID.ParameterName = "@.UserID"
dbParam_userID.Value = userID
dbParam_userID.DbType = System.Data.DbType.String
dbCommand.Parameters.Add(dbParam_userID)
Dim dbParam_pIN As System.Data.IDataParameter = New System.Data.SqlClient.SqlParameter
dbParam_pIN.ParameterName = "@.PIN"
dbParam_pIN.Value = pIN
dbParam_pIN.DbType = System.Data.DbType.String
dbCommand.Parameters.Add(dbParam_pIN)

Dim dataAdapter As System.Data.IDbDataAdapter = New System.Data.SqlClient.SqlDataAdapter
dataAdapter.SelectCommand = dbCommand
Dim dataSet As System.Data.DataSet = New System.Data.DataSet
dataAdapter.Fill(blah)

Return dataSet
End Function

First, don't use "like". Next, you can check dataSet.Tables[0].Rows[0].Count and if it is non-zero, there is a match.

You might want to look at using a query that returns the Count, and then just call ExecuteScaler() on the command rather than doing what you are doing.

Another thought: rather than storing the PID in clear text, excrypt it, or better yet, use a one-way hash.|||Well I just switched from using the free development tool on www.asp.net to ASP.NET included with Visual Studio and now I'm totally confused. Does anyone have any code snippets to do anything remotely close to this that I could use as an example? I'm so lost.|||This article will show you most of what you need to know.

No comments:

Post a Comment