Create register for ASP.Net Web App
Latest revision as of 16:56, 19 October 2024
Creating the Page
Add a new Razor Page and call it `register`.
Now add the following HTML form:
<syntaxhighlight lang=html>
<h1 class="display-4">Register</h1>
<form method="post">
    Username: <input type="text" name="user" />
    Email: <input type="text" name="email" />
    <!-- type="password" so the browser masks the value instead of echoing it as plain text -->
    Password: <input type="password" name="pass1" />
    Confirm: <input type="password" name="pass2" />
    <input type="submit" />
</form>
</syntaxhighlight>
Adding the code to handle the form
The code below first reads the data from the form and stores it in local variables. My `User` table has an additional field called `status`, so that we can approve users or give users different levels of access; a status of 0 could mean unverified. The code also checks that the password and the confirmation password are equal. It goes in your PageModel:
<syntaxhighlight lang=c#>
// Handles the POST from the register form. GetConnection and message are members
// of the PageModel that this page does not show: GetConnection is assumed to give
// back an open-able MySqlConnection, and message is a string used for feedback.
public LocalRedirectResult OnPost()
{
    string username = Request.Form["user"];
    string email = Request.Form["email"];
    string pass1 = Request.Form["pass1"];
    string pass2 = Request.Form["pass2"];
    int status = 0; // 0 = unverified; other values can mark approval or access level

    if (pass1 == pass2)
    {
        using var connection = GetConnection;
        connection.Open();
        // Placeholders only: the form values are bound as data below, never spliced into the SQL text.
        string sql = "insert into test values(@p1, @p2, @p3, @p4);";
        using var Command = new MySqlCommand(sql, connection);
        Command.Parameters.AddWithValue("@p1", username);
        Command.Parameters.AddWithValue("@p2", pass1); // replaced by the hash in "Storing Passwords"
        Command.Parameters.AddWithValue("@p3", email);
        Command.Parameters.AddWithValue("@p4", status);
        Command.ExecuteNonQuery();
        connection.Close();
        return LocalRedirect("/login");
    }
    else
    {
        // A plain field does not survive a redirect (the next request gets a new PageModel);
        // keep it with [TempData] or return Page() if the text must be shown to the user.
        message = "Account not created.";
    }
    return LocalRedirect("/register");
}
</syntaxhighlight>
The code above uses `parameterised` SQL; adding the parameters in this way protects against SQL injection attacks. Each value taken from the form is passed as a single data item and is never interpreted as part of the SQL statement. You should also add code to check that the username, email, and password1 aren't empty.
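The following is an added example (not code from the original page) of the empty-field and password-match checks the paragraph asks for, collected in one helper so that OnPost can reject a bad submission before it opens a database connection. The class name, the length limits and the email sanity check are this example's own choices, not anything the page specifies.

```csharp
// Added example: server-side checks for the register form (field names match the page's form).
using System;
using System.Collections.Generic;

public static class RegistrationValidator
{
    // Assumed limits; match them to the column sizes of your User table.
    private const int MaxUsernameLength = 32;
    private const int MaxEmailLength = 254;
    private const int MinPasswordLength = 12;

    // Returns an empty list when the submission is acceptable, otherwise one
    // message per problem so the page can report all of them at once.
    public static List<string> Validate(string? username, string? email,
                                        string? pass1, string? pass2)
    {
        var errors = new List<string>();

        // Request.Form[...] yields null for a missing field; treat that like an empty string.
        username = (username ?? "").Trim();
        email = (email ?? "").Trim();
        pass1 ??= "";
        pass2 ??= "";

        if (username.Length == 0)
            errors.Add("Username is required.");
        else if (username.Length > MaxUsernameLength)
            errors.Add($"Username must be at most {MaxUsernameLength} characters.");

        if (email.Length == 0)
            errors.Add("Email is required.");
        else if (email.Length > MaxEmailLength || !LooksLikeEmail(email))
            errors.Add("Email address is not valid.");

        if (pass1.Length == 0)
            errors.Add("Password is required.");
        else if (pass1.Length < MinPasswordLength)
            errors.Add($"Password must be at least {MinPasswordLength} characters.");

        // Compare the raw strings, not trimmed ones: whitespace inside a password is legitimate.
        if (pass1 != pass2)
            errors.Add("Passwords do not match.");

        return errors;
    }

    // Cheap sanity check only: one '@' with text on both sides and no spaces.
    // The real proof that an address works is a confirmation mail, which is
    // what the page's status = 0 ("unverified") value leaves room for.
    private static bool LooksLikeEmail(string email)
    {
        int at = email.IndexOf('@');
        return at > 0 && at == email.LastIndexOf('@') && at < email.Length - 1
               && !email.Contains(' ');
    }

    // Usage inside OnPost, before GetConnection is touched:
    //   var errors = RegistrationValidator.Validate(username, email, pass1, pass2);
    //   if (errors.Count > 0) { message = string.Join(" ", errors); return LocalRedirect("/register"); }
}
```

Running the checks first keeps the database out of the picture for malformed requests, and because the form values are still bound through `Command.Parameters` afterwards, validation here is a usability and data-quality measure, not a substitute for the parameterised SQL.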
Storing Passwords
Passwords should never be stored in a readable format. Instead they should be encrypted or hashed to make them unreadable. In order to use a suitable hashing function you need to include this line in the using section:
<syntaxhighlight lang=c#>
using System.Security.Cryptography;
using System.Text; // needed for Encoding.UTF8 in the snippet below
</syntaxhighlight>
Now we need to hash the password before we save it (this goes inside the if statement that checks pass1 and pass2 are equal):
<syntaxhighlight lang=c#>
// Hash the submitted password; the hex string, not pass1, is what gets stored.
byte[] inputBytes = Encoding.UTF8.GetBytes(pass1);
byte[] inputHash = SHA256.HashData(inputBytes);   // 32-byte SHA-256 digest
string hash = Convert.ToHexString(inputHash);     // 64 upper-case hex characters
</syntaxhighlight>
Now, in the SQL parameters section, pass `hash` rather than `pass1` as the value for `@p2`.
Adapting your login code
Now that we are hashing the password when the user registers, we need to hash it in exactly the same way when they log in, and compare the result with the stored value.
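The helper below is an added example, not code from the original page, covering both the "Storing Passwords" and "Adapting your login code" sections. `Sha256Hex` reproduces the page's own scheme so the login page can apply the identical function to what the user types. The `HashPbkdf2`/`VerifyPbkdf2` pair is a swapped-in technique: a salted, deliberately slow password hash (PBKDF2 from `System.Security.Cryptography`), which is what a practitioner would store instead of a bare SHA-256 digest, because an unsalted fast hash gives every user with the same password the same stored value and can be checked at enormous speed. The stored-string format, the iteration count and the class name are this example's own choices.

```csharp
// Added example: the page's SHA-256 scheme next to a salted PBKDF2 scheme with a login-side check.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHashing
{
    // The page's scheme: unsalted SHA-256, upper-case hex. Login must call this
    // same function on the submitted password and compare against the stored string.
    public static string Sha256Hex(string password)
    {
        byte[] inputBytes = Encoding.UTF8.GetBytes(password);
        byte[] digest = SHA256.HashData(inputBytes);
        return Convert.ToHexString(digest);
    }

    // Stored form (this example's own layout): pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>.
    // Keeping the salt and iteration count beside the hash lets the login side re-derive it.
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 600_000; // assumption; raise it as your hardware allows

    // Registration side: fresh random salt per user, then a slow derivation.
    public static string HashPbkdf2(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                                HashAlgorithmName.SHA256, HashBytes);
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    // Login side: re-derive with the stored salt and iteration count, then compare in
    // constant time so response timing does not reveal how many bytes matched.
    public static bool VerifyPbkdf2(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException)
        {
            return false; // corrupt or foreign record: treat as no match rather than throwing
        }

        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations,
                                                  HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Usage: at registration store PasswordHashing.HashPbkdf2(pass1) as @p2;
    // at login load the stored string for the username and call
    // PasswordHashing.VerifyPbkdf2(submittedPassword, storedString).
}
```

Whichever scheme you keep, the registration page and the login page must use the same function, and the login query should fetch the stored value by username and compare in code rather than putting the submitted password into the SQL `where` clause. These APIs (`SHA256.HashData`, `Rfc2898DeriveBytes.Pbkdf2`, `RandomNumberGenerator.GetBytes`, `CryptographicOperations.FixedTimeEquals`) are available from .NET 6 onwards.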