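/// <summary>
/// Admin "add user" button handler. Inserts a new <c>Users</c> row for the
/// submitted first/last name, e-mail and phone, derives the username from the
/// name, stores a hashed initial password, and returns to Admin.aspx.
/// </summary>
/// <param name="sender">Button that raised the click (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void btnAddUser_Click(object sender, EventArgs e)
{
    // NOTE(review): no authorization check is visible in this handler. Unless
    // Page_Load already rejects callers whose Session["user_role_id"] is not 1,
    // anyone who can POST to this page can create accounts. Confirm, and add the
    // guard here if it is not enforced elsewhere.

    // First name is read from the raw form collection, which yields null when the
    // field is missing from a crafted POST (the original then threw on .ToString()).
    // The remaining fields come from server controls whose Text is never null.
    string firstName = (Request.Form["txtFirstName"] ?? string.Empty).Trim();
    string lastName = txtLastName.Text.Trim();
    string email = txtEmail.Text.Trim();
    string phone = txtPhone.Text.Trim();

    // The username needs the first initial, so an empty first name would throw
    // IndexOutOfRangeException at firstName[0]. Bail out without inserting rather
    // than crash the request.
    // NOTE(review): this handler has no visible error label; pair it with a
    // RequiredFieldValidator (or similar) so the admin can see why nothing happened.
    if (firstName.Length == 0 || lastName.Length == 0)
    {
        return;
    }

    // Username = lower-cased first initial + lower-cased last name.
    string username = firstName.Substring(0, 1).ToLower() + lastName.ToLower();

    // SECURITY(review): the initial password is built from the user's own name,
    // which is public or easily guessed, and nothing here forces a change on first
    // login. Replace it with a random one-time credential (or an activation link)
    // delivered out of band as soon as the surrounding pages support that flow.
    string passwordHashed = Hasher.Hash(firstName + "." + lastName);

    // Parameterized INSERT. String parameters are bound as NVarChar to match the
    // login query (btnLogin_Click), instead of the deprecated Text type.
    const string insertSql =
        "INSERT INTO Users " +
        "(FirstName, LastName, Email, Phone, Username, Password, RoleId, StatusId, LastLoginTime) " +
        "VALUES " +
        "(@firstName, @lastName, @email, @phone, @username, @password, @roleId, @statusId, @currentTimestamp)";

    // using-blocks release the connection on every path, including an exception
    // from ExecuteNonQuery; the original only reached conn.Close() on success.
    using (SqlConnection conn = new SqlConnection(WebConfigurationManager.ConnectionStrings["MISConnectionString"].ToString()))
    using (SqlCommand cmdInsert = new SqlCommand(insertSql, conn))
    {
        cmdInsert.Parameters.Add("@firstName", SqlDbType.NVarChar, 100).Value = firstName;
        cmdInsert.Parameters.Add("@lastName", SqlDbType.NVarChar, 100).Value = lastName;
        cmdInsert.Parameters.Add("@email", SqlDbType.NVarChar, 250).Value = email;
        cmdInsert.Parameters.Add("@phone", SqlDbType.NVarChar, 50).Value = phone;
        cmdInsert.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
        cmdInsert.Parameters.Add("@password", SqlDbType.NVarChar, 1000).Value = passwordHashed;
        // Role 2 is the non-administrator role (btnLogin_Click treats 1 as Administrator).
        cmdInsert.Parameters.Add("@roleId", SqlDbType.Int).Value = 2;
        // Status 1 is presumably "active" (btnLogin_Click treats 2 as inactive) -- confirm.
        cmdInsert.Parameters.Add("@statusId", SqlDbType.Int).Value = 1;
        // Bind the timestamp as a DateTime instead of round-tripping it through a
        // culture-dependent string, which could fail or shift the date on servers
        // with a different regional setting.
        cmdInsert.Parameters.Add("@currentTimestamp", SqlDbType.DateTime).Value = DateTime.Now;

        conn.Open();
        cmdInsert.Prepare();
        cmdInsert.ExecuteNonQuery();
    }

    Response.Redirect("Admin.aspx");
}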
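/// <summary>
/// Login button handler. Looks the submitted username up in <c>Users</c>,
/// verifies the password (hash verification with a legacy plaintext fallback),
/// refuses inactive accounts, populates the session and redirects by role.
/// </summary>
/// <param name="sender">Button that raised the click (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void btnLogin_Click(object sender, EventArgs e)
{
    // One generic message for every failure path so the response does not reveal
    // whether the username exists.
    const string genericError = "That didn't work. Please try again.";

    string username = txtUsername.Text.Trim().ToLower();
    string passwordPlain = txtPassword.Text.Trim();

    string passwordStored;
    int userId;
    int roleId;
    int statusId;

    // using-blocks guarantee the reader and connection are released on every path.
    // The original closed them only on the row-found branch, so an unknown username
    // (or any exception) left the connection open.
    using (SqlConnection conn = new SqlConnection(WebConfigurationManager.ConnectionStrings["MISConnectionString"].ToString()))
    using (SqlCommand cmd = new SqlCommand("SELECT Id, Password, RoleId, StatusId FROM Users WHERE Username = @username", conn))
    {
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
        conn.Open();
        cmd.Prepare();

        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            if (!reader.Read())
            {
                lblLoginError.Text = genericError;
                return;
            }

            passwordStored = reader["Password"].ToString();
            userId = Convert.ToInt32(reader["Id"]);
            roleId = Convert.ToInt32(reader["RoleId"]);
            statusId = Convert.ToInt32(reader["StatusId"]);
        }
    }

    // Password check. The plaintext comparison is the legacy path for rows created
    // before hashing was introduced; it is evaluated first, as in the original, so
    // Hasher.Verify is never handed a value that was never a hash.
    // SECURITY(review): while the legacy branch exists, a leaked stored hash can be
    // submitted verbatim as the password and will pass the string-equality test
    // (pass-the-hash). Migrate the remaining plaintext rows (e.g. re-hash on a
    // successful legacy login) and delete the `==` branch as soon as possible.
    // `==` is also not constant-time; tolerable only because it is slated for removal.
    bool authenticated = passwordPlain == passwordStored
                         || Hasher.Verify(passwordPlain, passwordStored);
    if (!authenticated)
    {
        lblLoginError.Text = genericError;
        return;
    }

    // Refuse inactive accounts BEFORE any session state is written. The original
    // populated the session first, so an inactive member was effectively logged in
    // despite the error text, and administrators skipped the check entirely. If the
    // administrator exemption was deliberate, move this back under the non-admin
    // branch -- but an offboarded admin retaining access is the riskier default.
    if (statusId == 2)
    {
        lblLoginError.Text = "Your account is inactive. Please contact the administrator to reactivate your account first.";
        return;
    }

    // NOTE(review): the pre-login session ID is reused here. A session-fixation
    // defence (abandon the session and issue a fresh ASP.NET_SessionId cookie before
    // writing these keys) is worth adding; not done here because the cookie
    // handling is not visible on this page.
    Session["user_role_id"] = roleId;
    Session["user_user_id"] = userId;
    Session["user_status_id"] = statusId;

    if (roleId == 1) // Administrator
    {
        Response.Redirect("Admin.aspx");
    }
    else
    {
        // NOTE(review): Members.aspx receives the user id in the query string; it
        // must authorize against Session["user_user_id"] rather than trust the Id
        // parameter, or any member can view another's page by editing the URL.
        Response.Redirect("Members.aspx?Id=" + userId);
    }
}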