
In my Login.aspx.cs file, the code is as follows:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;
using System.Web.Configuration;

namespace Leave_Management
{
    /// <summary>
    /// Code-behind for the login page. On a button click it queries the [User] table for the
    /// submitted user name, reads the stored password for that name, compares it with the
    /// submitted password, and redirects to Registration.aspx when they are equal.
    /// </summary>
    public partial class Login : System.Web.UI.Page
    {
        //private string strcon = WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

        // NOTE(review): the connection string is hard-coded to one machine's SQLEXPRESS instance;
        // the commented-out line above reads it from configuration instead, which keeps
        // environment details out of source. The connection is a page field and is never disposed.
        SqlConnection conn = new SqlConnection(@"Data Source=TAUFIQ-PC\SQLEXPRESS;Initial Catalog=LM;Integrated Security=True");

        /// <summary>Page load handler; intentionally empty.</summary>
        protected void Page_Load(object sender, EventArgs e)
        {

        }

        /// <summary>
        /// Login button handler: checks the user name, then the password, then redirects.
        /// </summary>
        /// <param name="sender">The control that raised the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Button1_Click(object sender, EventArgs e)
        {
            // NOTE(review): the only Close() is inside the `temp == 1` branch below, so the
            // connection stays open on every other path, including when an exception is thrown.
            conn.Open();
            // NOTE(review): the SQL text is built by string concatenation. The operand is the
            // TextBoxUN object itself (presumably a TextBox declared in the designer half of this
            // partial class), not TextBoxUN.Text, so the object's ToString() result is what ends
            // up in the query. Once .Text is used, this pattern places user input directly in the
            // statement (SQL injection); pass the value as a SqlParameter instead.
            string checkuser = "select UserName from [User] where UserName='" + TextBoxUN + "'";
            SqlCommand com = new SqlCommand(checkuser, conn);

            // ExecuteScalar() returns null when the query yields no row, so .ToString() throws the
            // reported NullReferenceException. NOTE(review): the selected column is UserName, so
            // Convert.ToInt32 would also fail for a non-numeric name; a count(*) query was
            // presumably intended - confirm.
            int temp = Convert.ToInt32(com.ExecuteScalar().ToString());


            if (temp == 1)
            {
                // Same concatenation pattern as the first query; the same parameterization advice applies.
                string checkpass = "select password from [User] where UserName='" + TextBoxUN + "'";
                SqlCommand passcom = new SqlCommand(checkpass, conn);
                // Strips every space from the stored value before comparing.
                string password = passcom.ExecuteScalar().ToString().Replace(" ", "");
                conn.Close();
                // NOTE(review): the stored value is compared directly with the submitted text, which
                // implies passwords are stored in cleartext; store a salted password hash and verify
                // against that instead.
                if (password == TextBoxPass.Text)
                {
                    // NOTE(review): nothing visible here establishes an authenticated session before
                    // the redirect - confirm the target page is protected some other way.
                    Response.Redirect("Registration.aspx");
                }
            } 
        }
    }
}

The following error is shown, raised on the line quoted below it:

"NullReferenceException was unhandled by user code"

int temp = Convert.ToInt32(com.ExecuteScalar().ToString());

Please help me to solve this.

Dhanuka

3 Answers


Too long for a comment, there are many things wrong with your code:

You are concatenating user-specified values into SQL queries. Don't do it, use parameters.

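You are putting TextBoxUN into the SQL; you probably want TextBoxUN.Text. Concatenating the control itself inserts the control's ToString() result rather than what the user typed. This is the reason you get null, since there is no user with that name.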

You must take the value provided by ExecuteScalar() and check if it is null. Now it is, so you get a clear error about it.

Why get the username from the database with the username and then check for password? You can check for password and username with one query.

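Do not store passwords in cleartext in the database! Use hash functions — specifically a salted, deliberately slow password-hashing function (for example PBKDF2, bcrypt or Argon2) rather than a single pass of a fast general-purpose hash.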

Sami Kuhmonen
  • **Thank you very much! Yea I have to focus on coding properly.** I'm the beginner in programming. Would you suggest me how to learn programming by books or resource? – Taufiqur Rahman May 31 '15 at 06:47

You can just simplify your code by checking both username and password from the SQL statement:

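/// <summary>
/// Login button handler: checks the submitted user name and password against the [User]
/// table with a single parameterized query and redirects to Registration.aspx on a match.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Button1_Click(object sender, EventArgs e)
{
    // User input is bound as parameters, never concatenated into the SQL text, so it cannot
    // change the shape of the statement.
    // NOTE(review): this compares the submitted password with the stored column value, which
    // implies cleartext storage; store a salted password hash and verify against it instead.
    // Depending on the column's collation, the SQL `=` comparison may also be case-insensitive.
    const string sql = "select UserID from [User] where UserName=@UserName AND Password=@Password";
    bool credentialsMatch = false;

    try
    {
        conn.Open();
        using (SqlCommand com = new SqlCommand(sql, conn))
        {
            com.Parameters.AddWithValue("@UserName", TextBoxUN.Text);
            com.Parameters.AddWithValue("@Password", TextBoxPass.Text);

            // The reader is disposed before the connection is closed; only the presence of a
            // row matters, not its contents.
            using (SqlDataReader data = com.ExecuteReader())
            {
                credentialsMatch = data.HasRows;
            }
        }
    }
    finally
    {
        // Runs on success and on failure, so a thrown SqlException no longer leaves the
        // shared page-level connection open.
        conn.Close();
    }

    if (credentialsMatch) // username and password match
    {
        // NOTE(review): the redirect by itself does not establish an authenticated session;
        // nothing visible here issues one - confirm the target page is protected.
        Response.Redirect("Registration.aspx");
    }
    else
    {
        // display error here
    }
}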

I assume that UserID is the primary key of your Users table. You can use other column names if you want.

I also used parameters to avoid SQL injection. Cheers!

abramlimpin
  • 1
    **It works! Thanks for your code.** But something is missing: `string SQL = "select UserID from [User] where UserName=@UserName AND Password=@Password"; SqlCommand com = new SqlCommand(checkuser, conn);` just have to replace SQL by checkuser. – Taufiqur Rahman May 31 '15 at 06:41

If the value that would go into temp comes back as null (ExecuteScalar() found no row), then you will get the error. I would try:

...

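   // temp stays 0 when the query returns no row, a database NULL, or a non-numeric value.
   // The result is checked explicitly instead of wrapping the call in an empty catch:
   // `catch (exception) {}` does not name System.Exception (C# is case-sensitive), and an
   // empty catch would also hide real failures such as a SqlException from a broken query
   // or connection, which should surface rather than look like "user not found".
   int temp = 0;
   object result = com.ExecuteScalar();
   if (result != null && result != DBNull.Value)
   {
       int.TryParse(result.ToString(), out temp);
   }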

...

SteveFerg