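''' <summary>
''' Logon handler: checks the submitted user name and password against the userinfo
''' table and writes the outcome to Msg. txtUser, txtPassword, Msg, Server and
''' LogFailure are page members defined elsewhere.
''' </summary>
''' <param name="Src">Event source (unused).</param>
''' <param name="E">Event data (unused).</param>
Public Sub OnLogonBetter(ByVal Src As Object, ByVal E As EventArgs)
    Dim userName As String = txtUser.Text
    Dim passwd As String = txtPassword.Text

    ' Step one: validate the input before it reaches the database.
    ' The user name may contain only letters, digits and underscore. Both values are also
    ' bounded to the 30 characters the SqlParameters in CredentialsMatch declare, so that a
    ' longer value cannot be cut down to the declared size before the query runs.
    ' This could also be done with validator server controls, which is recommended.
    Dim userNameOk As Boolean = System.Text.RegularExpressions.Regex.IsMatch(userName, "^[a-zA-Z0-9_]{1,30}$")
    Dim passwdOk As Boolean = passwd.Length > 0 AndAlso passwd.Length <= 30

    Dim ok As Boolean = False
    If userNameOk AndAlso passwdOk Then
        ok = CredentialsMatch(userName, passwd)
    End If

    If ok Then
        ' The user name is echoed into the page, so it is HTML-encoded.
        Msg.Text = "Welcome, " & Server.HtmlEncode(userName)
    Else
        ' Think hard about whether or not to log the password (don't unless there's a good
        ' reason for it); only the user name is logged here.
        ' The query in CredentialsMatch could be altered to just return the user name with an
        ' explicit password comparison to provide more detail about what went wrong.
        LogFailure(userName)
        Msg.Text = String.Format("Invalid Logon for {0}, please try again", Server.HtmlEncode(userName))
    End If
End Sub

''' <summary>
''' Looks up the user in the userinfo table and returns True only when a row matches
''' and both stored columns are byte-for-byte equal to the submitted values.
''' </summary>
''' <param name="userName">Already-validated user name (letters, digits, underscore; 1-30 chars).</param>
''' <param name="passwd">Submitted password (1-30 chars).</param>
''' <returns>True when the credentials match a row; otherwise False.</returns>
Private Function CredentialsMatch(ByVal userName As String, ByVal passwd As String) As Boolean
    ' Still bad: the SQL connection string is hardcoded in program source.
    ' Better: integrated authentication and least privilege on the table (this code only
    ' needs SELECT on userinfo); better still, read the string from configuration.
    Dim conn As New SqlConnection("server=(local);database=formsdb;Trusted_Connection=True")

    ' Parameterized query: the user input is never concatenated into the SQL text.
    Dim cmd As New SqlCommand("select username, password from userinfo where username=@username and password=@passwd", conn)
    Dim param As SqlParameter = cmd.Parameters.Add("@username", SqlDbType.NVarChar, 30)
    param.Value = userName
    param = cmd.Parameters.Add("@passwd", SqlDbType.NVarChar, 30)
    param.Value = passwd

    Dim rdr As SqlDataReader = Nothing
    Dim matched As Boolean = False
    Try
        ' Open() and ExecuteReader() sit inside the Try so the connection is closed even
        ' when one of them throws.
        conn.Open()
        rdr = cmd.ExecuteReader()
        If rdr.Read() Then
            ' The SQL collation may be case-insensitive, so the returned row is compared again
            ' here with an ordinal (case-sensitive, culture-independent) comparison.
            ' AndAlso short-circuits; And would evaluate both sides.
            ' NOTE(review): this compares a plaintext password with whatever the table stores;
            ' storing a salted password hash and comparing hashes is the expected fix, but the
            ' stored format is not visible from this code.
            If String.CompareOrdinal(rdr.GetString(0), userName) = 0 AndAlso _
               String.CompareOrdinal(rdr.GetString(1), passwd) = 0 Then
                matched = True
            End If
        End If
    Finally
        If Not rdr Is Nothing Then
            rdr.Close()
        End If
        conn.Close()
    End Try

    Return matched
End Function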
Dim userName As String = txtUser.Text
Dim passwd As String = txtPassword.Text
' step one, validate userName and password
' this could also be done with server controls, which is recommended
' allow only letters and digits and underscore
' Dim valid = new Regex("^[a-zA-Z0-9]+$")
' still bad: SQL connection string is hardcoded in program source
' better: using integrated auth and least privilege on table
Dim conn As New SqlConnection("server=(local);database=formsdb;Trusted_Connection=True")
' better practice: using parameterized queries or stored procedures
Dim cmd As New SqlCommand("select username, password from userinfo where username=@username and password=@passwd", conn)
Dim param As SqlParameter = cmd.Parameters.Add("@username", SqlDbType.NVarChar, 30)
param.Value = userName
param = cmd.Parameters.Add("@passwd", SqlDbType.NVarChar, 30)
param.Value = passwd
conn.Open()
Dim rdr As SqlDataReader = cmd.ExecuteReader()
Dim ok As Boolean = False
Try
If rdr.HasRows() Then
If rdr.Read Then
If rdr.GetString(0) = userName And rdr.GetString(1) = passwd Then
Msg.Text = "Welcome, " & Server.HtmlEncode(userName)
ok = True
End If
End If
End If
If Not ok Then
' think hard about whether or not to log the password (don't unless there's a good reason for it)
' the SQL query above could be altered to just return the username
' with an explicit password comparison to provide more info about what went wrong
LogFailure(userName)
Msg.Text = String.Format("Invalid Logon for {0}, please try again", Server.HtmlEncode(userName))
End If
Finally
rdr.Close()
conn.Close()
End Try
End Sub