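protected void CustomerLogin_Click(object sender, EventArgs e)
{
    // Authenticates a customer by email + password and starts their session.
    //
    // Changes relative to the original handler:
    //  - ID, FirstName and Password are read in ONE query, so the hash that
    //    is verified and the profile that is loaded always come from the
    //    same row (the original issued two separate SELECTs);
    //  - connection, command and reader are disposed via `using`; the
    //    original never closed the connection, and Response.Redirect ends
    //    the request before any later cleanup could have run;
    //  - the SAME failure message is shown for "no such email" and "wrong
    //    password", so the form no longer confirms which addresses have an
    //    account (user enumeration);
    //  - the @email parameter is VarChar, matching how CreateAccount stores
    //    the column (the original used NChar here only).
    const string loginFailed = "Incorrect email address or password.";

    bool found = false;
    int customerId = 0;
    string firstName = null;

    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
    using (SqlCommand cmd = new SqlCommand("SELECT ID, FirstName, Password FROM Customer WHERE Email = @email", conn))
    {
        cmd.Parameters.Add("@email", SqlDbType.VarChar).Value = Email.Text;
        conn.Open();

        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            // Email is rejected as a duplicate by CreateAccount, so at most one
            // row is expected; the first row is taken as the account.
            if (reader.Read())
            {
                found = true;
                // hashedPassword is a page-level field in the original; it is
                // kept so other members of the page see the same value.
                hashedPassword = reader["Password"].ToString();
                customerId = Convert.ToInt32(reader["ID"]);
                firstName = reader["FirstName"].ToString();
            }
        }
    }

    if (!found)
    {
        // NOTE(review): the response is faster here than on a wrong password
        // because Salt.Verify is skipped; if Salt exposes a way to run a
        // dummy verification, use it to equalise timing.
        Error.Text = loginFailed;
        return;
    }

    if (!Salt.Verify(Password.Text, hashedPassword))
    {
        Error.Text = loginFailed;
        return;
    }

    // NOTE(review): the existing session is reused rather than regenerated
    // on successful login; confirm this is acceptable (session fixation).
    Session["Id"] = customerId;
    Session["Message"] = "Welcome, " + firstName + ".";
    Response.Redirect("Customer.aspx");
}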
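protected void CreateAccount_Click(object sender, EventArgs e)
{
    // Registers a new customer. Every field except Address2 is mandatory.
    //
    // Bug fixed: the original compared each TextBox.Text against null, but
    // TextBox.Text is never null (it is "" when empty), so the "all fields"
    // check never fired and blank accounts could be created. Blank or
    // whitespace-only values are now rejected.
    bool missingField =
        string.IsNullOrWhiteSpace(FirstName.Text) ||
        string.IsNullOrWhiteSpace(Surname.Text) ||
        string.IsNullOrWhiteSpace(Password.Text) ||
        string.IsNullOrWhiteSpace(ContactNumber.Text) ||
        string.IsNullOrWhiteSpace(Email.Text) ||
        string.IsNullOrWhiteSpace(Address1.Text) ||
        string.IsNullOrWhiteSpace(TownCity.Text) ||
        string.IsNullOrWhiteSpace(County.Text) ||
        string.IsNullOrWhiteSpace(Postcode.Text);
    if (missingField)
    {
        Error.Text = "You must enter something for all fields.";
        return;
    }

    // `using` guarantees the connection is closed on every path; the original
    // left it open when the email was a duplicate or an exception occurred.
    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
    {
        conn.Open();

        // Reject an email that is already registered. NOTE(review): this
        // check-then-insert is not atomic; two concurrent registrations with
        // the same address can both pass it. A UNIQUE constraint on
        // Customer.Email is the authoritative guard — confirm one exists.
        using (SqlCommand checkCmd = new SqlCommand("SELECT COUNT(*) FROM Customer WHERE Email = @email", conn))
        {
            checkCmd.Parameters.Add("@email", SqlDbType.VarChar).Value = Email.Text;
            int existing = (int)checkCmd.ExecuteScalar();
            if (existing > 0)
            {
                Error.Text = "That email address is already in use.";
                return;
            }
        }

        using (SqlCommand insertCmd = new SqlCommand(
            "INSERT INTO Customer(FirstName, Surname, Password, ContactNumber, Email, Address1, Address2, TownCity, County, Postcode) " +
            "VALUES (@firstname, @surname, @password, @contactnumber, @email, @address1, @address2, @towncity, @county, @postcode)", conn))
        {
            insertCmd.Parameters.Add("@firstname", SqlDbType.VarChar).Value = FirstName.Text;
            insertCmd.Parameters.Add("@surname", SqlDbType.VarChar).Value = Surname.Text;
            // Only the salted hash is persisted, never the plaintext password.
            insertCmd.Parameters.Add("@password", SqlDbType.VarChar).Value = Salt.Encode(Password.Text, null);
            insertCmd.Parameters.Add("@contactnumber", SqlDbType.VarChar).Value = ContactNumber.Text;
            insertCmd.Parameters.Add("@email", SqlDbType.VarChar).Value = Email.Text;
            insertCmd.Parameters.Add("@address1", SqlDbType.VarChar).Value = Address1.Text;
            insertCmd.Parameters.Add("@address2", SqlDbType.VarChar).Value = Address2.Text;
            insertCmd.Parameters.Add("@towncity", SqlDbType.VarChar).Value = TownCity.Text;
            insertCmd.Parameters.Add("@county", SqlDbType.VarChar).Value = County.Text;
            insertCmd.Parameters.Add("@postcode", SqlDbType.VarChar).Value = Postcode.Text;
            insertCmd.ExecuteNonQuery();
        }
    }

    Response.Redirect("Start.aspx");
}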
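protected void Submit_Click(object sender, EventArgs e)
{
    // Changes the shared admin password. The current password must be
    // verified before the new hash is stored.
    //
    // Fixes relative to the original:
    //  - the connection is disposed via `using`; the original's
    //    conn.Close() sat after Response.Redirect, which ends the request,
    //    so the connection was never closed on the success path;
    //  - a missing AdminPassword row is reported instead of falling through
    //    to Salt.Verify with a stale or null hash.
    if (NewPassword.Text != ConfirmNewPassword.Text)
    {
        Error.Text = "New Password and Confirm New Password do not match.";
        return;
    }

    // NOTE(review): one password shared by every administrator cannot be
    // attributed to a person or revoked individually — confirm this is
    // intended.
    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
    {
        conn.Open();

        // The single admin row has Id = 1; the literal is a constant, not
        // user input.
        bool found = false;
        using (SqlCommand readCmd = new SqlCommand("SELECT AdminPassword FROM AdminPassword WHERE Id = '1'", conn))
        using (SqlDataReader reader = readCmd.ExecuteReader())
        {
            if (reader.Read())
            {
                found = true;
                // hashedPassword is a page-level field in the original; kept
                // so other members of the page see the same value.
                hashedPassword = reader["AdminPassword"].ToString();
            }
        }

        if (!found)
        {
            Error.Text = "Admin password is not configured.";
            return;
        }

        if (!Salt.Verify(OldPassword.Text, hashedPassword))
        {
            Error.Text = "Incorrect old password.";
            return;
        }

        using (SqlCommand updateCmd = new SqlCommand("UPDATE AdminPassword SET AdminPassword = @newPassword WHERE Id = '1'", conn))
        {
            // Only the salted hash of the new password is stored.
            updateCmd.Parameters.Add("@newPassword", SqlDbType.VarChar).Value = Salt.Encode(NewPassword.Text, null);
            updateCmd.ExecuteNonQuery();
        }
    }

    Session["AdminMessage"] = "Admin password successfully changed.";
    Response.Redirect("Admin.aspx");
}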
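protected void Submit_Click(object sender, EventArgs e)
{
    // Updates the logged-in customer's record. A blank field means "keep the
    // current value"; Address2 can additionally be cleared via LeaveBlank.
    //
    // Fixes relative to the original:
    //  - a missing Session["Id"] (not logged in / expired) is reported
    //    instead of handing SqlClient a null parameter value, which throws;
    //  - a customer row that no longer exists is reported instead of running
    //    the UPDATE with no parameters bound (SqlException);
    //  - a changed email is checked against OTHER customers' addresses, the
    //    same rule CreateAccount enforces, so two accounts cannot end up
    //    sharing a login identifier;
    //  - the connection and reader are disposed via `using` on every path.
    if (Session["Id"] == null)
    {
        Error.Text = "You must be logged in to edit your details.";
        return;
    }
    int customerId = Convert.ToInt32(Session["Id"]);

    bool nothingToEdit =
        FirstName.Text == "" && Surname.Text == "" && Password.Text == "" &&
        ContactNumber.Text == "" && Email.Text == "" && Address1.Text == "" &&
        Address2.Text == "" && TownCity.Text == "" && County.Text == "" &&
        Postcode.Text == "";
    if (nothingToEdit)
    {
        Error.Text = "You must enter at least one variable to edit.";
        return;
    }

    // NOTE(review): neither a password nor an email change requires the
    // current password here; consider re-authenticating for those fields.
    using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
    {
        conn.Open();

        if (Email.Text != "")
        {
            using (SqlCommand dupCmd = new SqlCommand("SELECT COUNT(*) FROM Customer WHERE Email = @email AND Id <> @id", conn))
            {
                dupCmd.Parameters.Add("@email", SqlDbType.VarChar).Value = Email.Text;
                dupCmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
                if ((int)dupCmd.ExecuteScalar() > 0)
                {
                    Error.Text = "That email address is already in use.";
                    return;
                }
            }
        }

        using (SqlCommand updateCmd = new SqlCommand(
            "UPDATE Customer SET FirstName = @firstName, Surname = @surname, Password = @password, ContactNumber = @contactNumber, " +
            "Email = @email, Address1 = @address1, Address2 = @address2, TownCity = @townCity, County = @county, Postcode = @postcode " +
            "WHERE Id = @id", conn))
        {
            updateCmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;

            using (SqlCommand selectCmd = new SqlCommand("SELECT * FROM Customer WHERE Id = @id", conn))
            {
                selectCmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
                using (SqlDataReader reader = selectCmd.ExecuteReader())
                {
                    if (!reader.Read())
                    {
                        Error.Text = "Your account could not be found.";
                        return;
                    }

                    AddFieldParameter(updateCmd, "@firstName", FirstName.Text, reader, "FirstName");
                    AddFieldParameter(updateCmd, "@surname", Surname.Text, reader, "Surname");
                    // A new password is stored as a fresh salted hash; a blank
                    // field writes the existing hash back untouched.
                    updateCmd.Parameters.Add("@password", SqlDbType.VarChar).Value =
                        Password.Text == "" ? reader["Password"].ToString() : Salt.Encode(Password.Text, null);
                    AddFieldParameter(updateCmd, "@contactNumber", ContactNumber.Text, reader, "ContactNumber");
                    AddFieldParameter(updateCmd, "@email", Email.Text, reader, "Email");
                    AddFieldParameter(updateCmd, "@address1", Address1.Text, reader, "Address1");
                    // Address2 is optional: an empty box keeps the current value
                    // unless LeaveBlank is ticked, in which case it is cleared.
                    updateCmd.Parameters.Add("@address2", SqlDbType.VarChar).Value =
                        (Address2.Text == "" && !LeaveBlank.Checked) ? reader["Address2"].ToString() : Address2.Text;
                    AddFieldParameter(updateCmd, "@townCity", TownCity.Text, reader, "TownCity");
                    AddFieldParameter(updateCmd, "@county", County.Text, reader, "County");
                    AddFieldParameter(updateCmd, "@postcode", Postcode.Text, reader, "Postcode");
                }
            }

            // The reader is closed above; the UPDATE runs on the same connection.
            updateCmd.ExecuteNonQuery();
        }
    }

    Session["Message"] = "Your details have been successfully updated.";
    Response.Redirect("Customer.aspx");
}

// Adds a VarChar parameter to cmd whose value is the submitted text, or the
// column's current value from the reader when the field was left blank
// (blank means "keep").
private static void AddFieldParameter(SqlCommand cmd, string parameterName, string submitted, SqlDataReader current, string column)
{
    cmd.Parameters.Add(parameterName, SqlDbType.VarChar).Value =
        submitted == "" ? current[column].ToString() : submitted;
}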