[ASP.NET] Update SQL date/time field upon successful login?

[SirEvan]

I'm trying to get my feet wet in ASP.net programming, as one of our companies applications is designed in it, and while I understand VB.net, ASP.net is a little strange to me. As a test, I've started working on a database driven web application that has a log in form. The log in form makes a call to an SQL database to see if the users name and PW exist in a table. If they do, it redirects them to the main form. SO far everything is working, but now I'd like to do a test by having the form write the current date/time back to the database to a field called "LastLogin" if their result was found.

What I have so far:

Partial Class Login
    Inherits System.Web.UI.Page


    Public Sub LogIn(ByVal sender As Object, ByVal e As System.EventArgs) Handles cmdLogin.Click
        Dim connStr As String = "Data Source=WHITE-DWARF;Initial Catalog=UserDatabase;Integrated Security=True"
        Dim sqlconnet As Data.SqlClient.SqlConnection
        Dim MyComm As Data.SqlClient.SqlCommand

        sqlconnet = New Data.SqlClient.SqlConnection()
        sqlconnet.ConnectionString = connStr
        MyComm = New Data.SqlClient.SqlCommand("", sqlconnet)

        MyComm.CommandType = Data.CommandType.Text

        MyComm.CommandText = "SELECT * FROM Logins WHERE (UserName ='" & txtUserName.Text & "') AND (Password = '" & txtPassword.Text & "') "
        sqlconnet.Open()

        Dim result As Data.SqlClient.SqlDataReader = MyComm.ExecuteReader(Data.CommandBehavior.CloseConnection)


        If result.HasRows = False Then

            lblStatus.Text = "Username and/or Password does not exist!"

        Else

            Session("Username") = txtUserName.Text
            Response.Redirect("success.aspx")
           ------> MyComm.CommandText = "UPDATE Logins SET LastLogin=" & Now & " WHERE (UserName ='" & txtUserName.Text & "') AND (Password = '" & txtPassword.Text & "')"

        End If

        result.Close()

    End Sub
End Class

The text next to the "---->" is what I'm trying to have done back to the database, but not sure if I need to redeclare the whole SQL data connection again just to perform an UPDATE...is there an easier way than redeclaring everything?

[ramesees]

Try putting the following line:

MyComm.ExecuteNonQuery()

to get the Update command to fire.

It is similar to the ExecuteReader command for the Select statement

Dim result As Data.SqlClient.SqlDataReader = MyComm.ExecuteReader(Data.Commandbehavior.CloseConnection)

[ZakO]

Yeah, you need to execute the last query, also the Response.Redirect should come after the query execution.

Off-topic, but please never never do this:

        MyComm.CommandText = "SELECT * FROM Logins WHERE (UserName ='" & txtUserName.Text & "') AND (Password = '" & txtPassword.Text & "') "

Use parameters so you're not open to SQL injection.

[Kami-]

I agree.

- Create parameter driven stored procedures in your SQL database to use within your website

- Sanitise the user inputs with functions

- Put the 'Update' before the redirect ;)

Small Example Below:

Imports System.Web.Security
Imports System.Data.SqlClient
Imports System.Data

Partial Class Controls_LoginDialog
    Inherits System.Web.UI.UserControl

    Dim strTitle As String = String.Empty


    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.Click
        Login(fSanitise(Me.txtUsername.Text), fSanitise(Me.txtPassword.Text))
    End Sub

    Private Sub Login(ByVal userName As String, ByVal passWord As String)

        Dim cnnSecurity As New SqlConnection(System.Configuration.ConfigurationManager.AppSettings.Item("connection_security       Dim cmdSelect As New SqlCommand("usp_mySite_Login", cnnSecurity)
        Dim Authd As Boolean
        Dim MySettings As UserSettings = Nothing

        With cmdSelect
            .CommandType = CommandType.StoredProcedure
            .Parameters.Add(New SqlParameter("@Username", SqlDbType.VarChar)).Value = userName
            .Parameters.Add(New SqlParameter("@Password", SqlDbType.VarChar)).Value = passWord

            Try
                .Connection.Open()

                Dim drUser As SqlDataReader = .ExecuteReader(CommandBehavior.CloseConnection)

                If drUser.Read Then

                    FormsAuthentication.SetAuthCookie(userName, False)

                    Session.Add("LastUnloadedthing) 'session variable for auto-logout
                    MySettings = New UserSettings(Convert.ToString(drUser.Item("Username_
                                                  Convert.ToString(drUser.Item("Surname_
                                                  Convert.ToString(drUser.Item("Firstname_
                                                  Convert.ToString(drUser.Item("Email
                    'Session.Add("usersettingsSettings)
                    UserSettings.storeSettings(MySettings)

                    Authd = True

                    Session.Timeout = MySettings.SessionTimeout

                    drUser.Close()
                Else
                    Me.vldCustPassword.IsValid = False
                    Me.vldCustPassword.ErrorMessage = "Incorrect User/Password Combination Provided"
                End If

            Catch ex As Exception
                Me.vldCustPassword.IsValid = False
                Me.vldCustPassword.ErrorMessage = "Serious Error Has Occured - Please Contact WebAdmin"
                Throw
            Finally
                If Not .Connection.State = ConnectionState.Closed Then .Connection.Close()
            End Try
        End With

        If Authd And (Not MySettings Is Nothing) Then

            If Request.QueryString.Item("ReturnUrl Nothing Then
                Response.Redirect(MySettings.DefaultUrl)
            Else
                Response.Redirect(Request.QueryString.Item("ReturnUrl           End If


        End If
    End Sub

End Class