I'm new to coding in ASP.NET. I have done a (web form) login page and its validation in ASP.NET + C#. The problem is that when I enter the password corresponding to the email in lower-case/upper-case letters, it grants me entry, which is not supposed to happen. I have gone through a number of code samples posted here for login pages, but the same thing is happening. For example, if the password in the DB is "ss" and we type "ss", "Ss", "sS" or "SS", I'm able to sign in. How can I stop this from happening?

I'm posting my code here. Please help.

```csharp
// Requires: using System; using System.Data; using System.Data.SqlClient;
protected void btn_login1_Click(object sender, EventArgs e)
{
    string output;
    // The using blocks dispose the command and close the connection even when an exception is thrown.
    using (SqlConnection con = new SqlConnection(@"Data Source=SHA\SQLE2012;Initial Catalog=OnlineShoppingStore;User ID=sa;Password=56238"))
    using (SqlCommand cmd = new SqlCommand("usp_ViewUserByUserId", con))
    {
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.AddWithValue("@Email", txt_email.Text);
        cmd.Parameters.AddWithValue("@Password", txt_password.Text);
        con.Open();
        // The procedure returns COUNT(*) as a single value, so one ExecuteScalar call is enough;
        // the extra ExecuteNonQuery call only ran the procedure a second time.
        output = Convert.ToString(cmd.ExecuteScalar());
    }

    if (output == "1")
    {
        Response.Write("<script>alert('Login Successful!!')</script>");
        Session["Email"] = txt_email.Text;
        Response.Redirect("Home.aspx");
    }
    else
    {
        Response.Write("<script>alert('Login Failed! Incorrect username/password')</script>");
    }
}
```

This is my stored procedure:

```sql
ALTER PROCEDURE [dbo].[usp_ViewUserByUserId]
    @Email as varchar(50),
    @Password as varchar(50)
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;

    select count(*) from tbl_Customer where Email = @Email and Password = @Password

end
```
Uwe Keim
S.Mohamed

1 Answer

Thank you all for taking the time to give suggestions. The code below did the trick:

```sql
select count(*)
from tbl_Customer
where Email = @Email and BINARY_CHECKSUM(Password) = BINARY_CHECKSUM(@Password)
```
Uwe Keim
S.Mohamed
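
A side-by-side comparison of the question's predicate, the answer's `BINARY_CHECKSUM` predicate and an explicit case-sensitive collation, as an added T-SQL example that is not part of the original posts. The table variables, the sample rows and the case-insensitive column collation are constructed assumptions standing in for `tbl_Customer`.

```sql
-- Constructed sample row; @Customer stands in for tbl_Customer.
-- The Password column is given a case-insensitive collation (assumed here,
-- a common server default) to reproduce the behaviour in the question.
DECLARE @Customer TABLE (
    Email    varchar(50),
    Password varchar(50) COLLATE SQL_Latin1_General_CP1_CI_AS
);
INSERT INTO @Customer (Email, Password) VALUES ('user@example.test', 'ss');

-- Constructed login attempts, including one with a trailing space.
DECLARE @Attempt TABLE (Typed varchar(50) COLLATE SQL_Latin1_General_CP1_CI_AS);
INSERT INTO @Attempt (Typed) VALUES ('ss'), ('Ss'), ('sS'), ('SS'), ('ss '), ('st');

SELECT
    a.Typed,
    DATALENGTH(a.Typed) AS TypedBytes,
    -- Predicate from the question: compared under the column's collation.
    CASE WHEN c.Password = a.Typed THEN 1 ELSE 0 END AS MatchColumnCollation,
    -- Predicate from the answer. BINARY_CHECKSUM returns a 32-bit int, so
    -- equal checksums do not prove that the two strings are equal.
    CASE WHEN BINARY_CHECKSUM(c.Password) = BINARY_CHECKSUM(a.Typed)
         THEN 1 ELSE 0 END AS MatchBinaryChecksum,
    -- Explicit case- and accent-sensitive collation. The = operator still
    -- ignores trailing spaces, so the byte lengths are compared as well.
    CASE WHEN c.Password = a.Typed COLLATE Latin1_General_CS_AS
          AND DATALENGTH(c.Password) = DATALENGTH(a.Typed)
         THEN 1 ELSE 0 END AS MatchExact
FROM @Customer AS c
CROSS JOIN @Attempt AS a
WHERE c.Email = 'user@example.test';
```

In `usp_ViewUserByUserId`, the `MatchExact` condition would take the place of `Password = @Password`, with `@Password` on the right-hand side of the `COLLATE` comparison.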