protected void btnAddUser_Click(object sender, EventArgs e)
{
// Create a SqlConnection object
SqlConnection conn = new SqlConnection(WebConfigurationManager.ConnectionStrings["MISConnectionString"].ToString());
string firstName = Request.Form["txtFirstName"].ToString().Trim();
string lastName = txtLastName.Text.Trim();
string currentDateTime = DateTime.Now.ToString();
// Parameterize the SQL statement values.
// See: https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlcommand.prepare?view=dotnet-plat-ext-5.0
SqlCommand cmdInsert = new SqlCommand(null, conn);
cmdInsert.CommandText = "INSERT INTO Users " +
"(FirstName, LastName, Email, Phone, Username, Password, RoleId, StatusId, LastLoginTime) " +
"VALUES " +
"(@firstName, @lastName, @email, @phone, @username, @password, @roleId, @statusId, @currentTimestamp)";
SqlParameter paramFirstName = new SqlParameter("@firstName", SqlDbType.Text, 100);
paramFirstName.Value = firstName;
cmdInsert.Parameters.Add(paramFirstName);
SqlParameter paramLastName = new SqlParameter("@lastName", SqlDbType.Text, 100);
paramLastName.Value = lastName;
cmdInsert.Parameters.Add(paramLastName);
SqlParameter paramEmail = new SqlParameter("@email", SqlDbType.Text, 250);
paramEmail.Value = txtEmail.Text.Trim();
cmdInsert.Parameters.Add(paramEmail);
SqlParameter paramPhone = new SqlParameter("@phone", SqlDbType.Text, 50);
paramPhone.Value = txtPhone.Text.Trim();
cmdInsert.Parameters.Add(paramPhone);
SqlParameter paramUsername = new SqlParameter("@username", SqlDbType.Text, 50);
paramUsername.Value = firstName[0].ToString().ToLower() + lastName.ToLower();
cmdInsert.Parameters.Add(paramUsername);
// A password hash is stored for new users.
SqlParameter paramPassword = new SqlParameter("@password", SqlDbType.Text, 1000);
string passwordPlain = firstName + "." + lastName;
string passwordHashed = Hasher.Hash(passwordPlain);
paramPassword.Value = passwordHashed;
cmdInsert.Parameters.Add(paramPassword);
SqlParameter paramRoleId = new SqlParameter("@roleId", SqlDbType.Int);
paramRoleId.Value = 2;
cmdInsert.Parameters.Add(paramRoleId);
SqlParameter paramStatusId = new SqlParameter("@statusId", SqlDbType.Int);
paramStatusId.Value = 1;
cmdInsert.Parameters.Add(paramStatusId);
SqlParameter paramCurrentTimestamp = new SqlParameter("@currentTimestamp", SqlDbType.DateTime);
paramCurrentTimestamp.Value = currentDateTime;
cmdInsert.Parameters.Add(paramCurrentTimestamp);
conn.Open();
cmdInsert.Prepare();
cmdInsert.ExecuteNonQuery();
conn.Close();
Response.Redirect("Admin.aspx");
}
protected void btnLogin_Click(object sender, EventArgs e)
{
string username = txtUsername.Text.Trim().ToLower();
string passwordPlain = txtPassword.Text.Trim();
// Create a SQL connection object
SqlConnection conn = new SqlConnection(WebConfigurationManager.ConnectionStrings["MISConnectionString"].ToString());
SqlCommand cmd = new SqlCommand(null, conn);
cmd.CommandText = "SELECT * FROM Users " +
"WHERE Username = @username ";
SqlParameter paramUsername = new SqlParameter("@username", System.Data.SqlDbType.NVarChar, 50);
paramUsername.Value = username;
cmd.Parameters.Add(paramUsername);
conn.Open();
cmd.Prepare();
SqlDataReader reader = cmd.ExecuteReader();
if (!reader.HasRows)
{
lblLoginError.Text = "That didn't work. Please try again.";
}
else
{
reader.Read();
string passwordStored = reader["Password"].ToString();
int userId = int.Parse(reader["Id"].ToString());
int roleId = int.Parse(reader["RoleId"].ToString());
int statusId = int.Parse(reader["StatusId"].ToString());
reader.Close();
conn.Close();
// Perform two types of password checks:
// 1) a legacy check for plaintext passwords (to be deprecated and removed)
// 2) a hash verification for users created after this commit.
if (passwordPlain == passwordStored || Hasher.Verify(passwordPlain, passwordStored))
{
// Set the session variables to be used in a security context.
Session["user_role_id"] = roleId;
Session["user_user_id"] = userId;
Session["user_status_id"] = statusId;
if (roleId == 1) // Administrator
{
Response.Redirect("Admin.aspx");
}
else
{
if (statusId == 2)
{
lblLoginError.Text = "Your account is inactive. Please contact the administrator to reactivate your account first.";
}
else
{
Response.Redirect("Members.aspx?Id=" + userId);
}
}
}
else
{
lblLoginError.Text = "That didn't work. Please try again.";
}
}
}
