User Login - keeping hold of details through system

[banks]

Hi, ihave a simple login page. This works fine, but what i need to do is store the userID that is being selected in the Stored Procedure so that i can use it throughout the rest if the system. The reason i need it is so when a user logs onto a new page, their name is displayed somewhere on the screen.

    Public Sub btnLogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnLogin.Click
        Dim sql = "SELECT UserID FROM tblUser WHERE LoginName='" & txtUserName.Text & "' AND LoginPassword='" & txtPassword.Text & "'"

        Dim conn As OleDbConnection = carDba.getCn
        Dim cmd As OleDbCommand
        Dim userID As Integer


        cmd = New OleDbCommand(sql, conn)
        conn.Open()
        Dim dr As OleDbDataReader = cmd.ExecuteReader

        Try
            If dr.Read = False Then
                MessageBox.Show("Authentication failed...")
            Else
                MessageBox.Show("Login successfully...")

                Dim main As New mdiCAR
                With main
                    .WindowState = FormWindowState.Maximized
                    .ControlBox = True
                    .Show()
                End With

            End If
        Catch ex As Exception
            MsgBox(ex.Message)
        End Try

        conn.Close()



    End Sub

Does this look easily achievable from the above code? Any help on the matter i smuch apreciated...

Alex

 

[kulrom]

Just declare global variable and always when user opens a new form with permission you check that out.

 

[banks]

How do i assign it to a global variable tho i.e. how do i put the UserID in my select statement into that variabkle

dim userid as integer = ????

 

[vis781]

Add a module to your solution, declare a variable in that module, somthing like..

Friend Shared UserId As String// accessible only to the current application
 
or
 
Public Shared UserId As String// accessible to all

To use it..

ModuleName.UserID = UserName

Nb You dont need an instance of the module to use the shared variable within.

 

[banks]

yeah but userName isn't declared anywhere - how do i get it from the sql statement - i select userID (thats what i want), i have tried:-

dbaCAR.UserId = UserID

but userID is not declared in the login module - i basically need the result of that select

 

[vis781]

You are using a datareader to get the info from the datasource right? It exposes getstring, getvalue methods. You can obtain the userid from there using the column ordinal.

 

[cjard]

I'd love to play with your system.. did you know if i enter this into the password box, then i can log into your system regardless of what the username and password i enter is?

secret' OR '1'='1


other points of note:
youre not using a stored procedure. if you were, i couldnt hack your system in this way

when vis781 says "dont need an instance of the module" he is correct; modules cannot be instantiated because the compiler makes just one instance of a module, and it is named with the module's name. access is like this, for example:
Module1.UserID

 

[cjard]

oh and.. it looks like your tblUser holds everyone's usernames and passwords in plain text.. another security tip would be to store the result of

txtPassword.Text.GetHashCode()

when a string is hashed, it turns into a bunch of junk and the conversion is pretty much 1 way..

so abc might become 1A3C22BE691ADF

we dont particularly care about storing abc as a password, because only the string abc will have that hashcode...

i.e. we store the hashcode becuase:

the hashcode can be derived from the correct password easily
the password cannot be derived from the hashcode easily

if the use types the wrong pasword, they generate the wrong hashcode and the search gets no results. this is better than storing the passworrd

 

[banks]

Cool, figured it out....

Dim spo As String = dr.GetString(1)

wasn;t that hard was it ;-)

 

[cjard]

i really dont recommend that you use numbers.. magic number never did anyone any favours. do this instead:

Dim spo As String = dr.GetString("full name")

note that the string needs to be the column name..so if your select says:

SELECT userID, password, fullName, permissions FROM users...

then you can say:

GetString("userID")
GetString("password")
GetString("fullName")
GetString("permissions")

if you alias them:

SELECT uid as User_ID, pwd as Password FROM users

then you use the aliases: GetString("User_ID") not the column names...


it's not hard to write code, but it's harder to write good code, that is readable and secure.. those areas of your code need some improvement, but thats what we are here to help with..

 

[banks]

using the column names like you explained previously gave me an error that i couldn't cast from string userID to integer....

i used get value as its returning an integer

dbaCAR.UserId = dr.GetValue("UserID")

 

[cjard]

ah.. sincere apologies.. I forgot there was a difference with datareaders.. Next bit of advice then:

You can use the GetOrdinal() function to return you the ordinal of the named column.. so my advice to you should have been

Dim userid as String = dr.GetString(dr.GetOrdinal("userID"))

sorry about that