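/// <summary>
/// Handles the admin login button: loads the single stored admin password hash,
/// verifies the submitted password against it and, on success, populates the
/// admin session and redirects to Admin.aspx. On failure an error message is shown.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void Login_Click(object sender, EventArgs e)
{
    string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

    // Response.Redirect ends the request by aborting the thread, so a Close() placed
    // after it never runs. The using blocks release the connection and reader on
    // every path, including the redirect and any exception.
    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand("SELECT AdminPassword FROM AdminPassword WHERE Id='1'", conn))
    {
        conn.Open();

        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                // Retrieves the universal admin password hash (last row wins, as before).
                hashedPassword = reader["AdminPassword"].ToString();
            }
        }
    }

    // If no row came back, hashedPassword is still null/empty; fail closed instead of
    // handing a missing hash to the verifier.
    bool correct = !string.IsNullOrEmpty(hashedPassword) && Salt.Verify(AdminPassword.Text, hashedPassword);

    if (!correct)
    {
        Error.Text = "Incorrect password.";
        return;
    }

    // Grants access: mark the session as admin and move to the admin page.
    Session["AdminUsername"] = "******";
    Session["AdminMessage"] = "Welcome.";
    Response.Redirect("Admin.aspx");
}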
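/// <summary>
/// Handles the customer login button: looks up the customer row for the entered
/// e-mail address, verifies the submitted password against the stored hash and, on
/// success, stores the customer id and a welcome message in the session before
/// redirecting to Customer.aspx. Otherwise an error message is shown.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void CustomerLogin_Click(object sender, EventArgs e)
{
    string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

    bool found = false;
    int customerId = 0;
    string firstName = null;

    // One query fetches the hash and the identity together, so the id that ends up in
    // the session comes from the same row whose password was verified (the original
    // ran a second query after verification). The using blocks dispose the
    // connection and reader on every path, including the redirect.
    using (SqlConnection conn = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand("SELECT ID, FirstName, Password FROM Customer WHERE Email = @email", conn))
    {
        cmd.Parameters.Add("@email", SqlDbType.NChar).Value = Email.Text;
        conn.Open();

        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
            {
                // Last matching row wins, as in the original reader loops.
                found = true;
                hashedPassword = reader["Password"].ToString();
                customerId = Convert.ToInt32(reader["ID"]);
                firstName = reader["FirstName"].ToString();
            }
        }
    }

    if (!found)
    {
        // NOTE(review): a distinct "email" vs. "password" message tells a caller whether
        // an address is registered; a single generic failure message would avoid that.
        Error.Text = "Incorrect email address.";
        return;
    }

    // Fail closed if the stored hash is missing rather than passing null to the verifier.
    bool correct = !string.IsNullOrEmpty(hashedPassword) && Salt.Verify(Password.Text, hashedPassword);

    if (!correct)
    {
        Error.Text = "Incorrect password.";
        return;
    }

    // Sets the session identity and greeting, then moves to the customer page.
    Session["Id"] = customerId;
    Session["Message"] = "Welcome, " + firstName + ".";
    Response.Redirect("Customer.aspx");
}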
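/// <summary>
/// Handles the admin password-change button: requires the new and confirmation
/// passwords to match, verifies the old password against the stored hash and, if it
/// is correct, stores the new hash, sets a confirmation message in the session and
/// redirects to Admin.aspx. Otherwise an error message is shown.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Event arguments (unused).</param>
protected void Submit_Click(object sender, EventArgs e)
{
    // Guard: the two new-password boxes must agree before anything touches the database.
    if (NewPassword.Text != ConfirmNewPassword.Text)
    {
        Error.Text = "New Password and Confirm New Password do not match.";
        return;
    }

    // NOTE(review): no minimum length or complexity is enforced on the new admin
    // password here; confirm whether a policy is applied elsewhere.

    string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

    // Response.Redirect aborts the request thread, so a Close() placed after it never
    // runs. The using blocks release the connection, commands and reader on every path.
    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        conn.Open();

        using (SqlCommand select = new SqlCommand("SELECT AdminPassword FROM AdminPassword WHERE Id = '1'", conn))
        using (SqlDataReader reader = select.ExecuteReader())
        {
            while (reader.Read())
            {
                // Retrieve the universal admin password hash (last row wins, as before).
                hashedPassword = reader["AdminPassword"].ToString();
            }
        }

        // Fail closed if the stored hash is missing rather than passing null to the verifier.
        bool correct = !string.IsNullOrEmpty(hashedPassword) && Salt.Verify(OldPassword.Text, hashedPassword);

        if (!correct)
        {
            Error.Text = "Incorrect old password.";
            return;
        }

        // Replaces the universal admin password with the salted hash of the new one.
        using (SqlCommand update = new SqlCommand("UPDATE AdminPassword SET AdminPassword = @newPassword WHERE Id = '1'", conn))
        {
            update.Parameters.Add("@newPassword", SqlDbType.VarChar).Value = Salt.Encode(NewPassword.Text, null);
            // NOTE(review): the affected-row count is not checked; if the Id = '1' row is
            // absent the success message below is still shown.
            update.ExecuteNonQuery();
        }
    }

    Session["AdminMessage"] = "Admin password successfully changed.";
    Response.Redirect("Admin.aspx");
}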