Create register for ASP.Net Web App

From TRCCompSci - AQA Computer Science
Latest revision as of 16:56, 19 October 2024

Creating the Page

Add a new Razor Page and call it `register`.

Now add the following HTML form:

	<h1 class="display-4">Register</h1>
	<form method="post">
		Username: <input type="text" name="user" />
		Email: <input type="text" name="email" />
		<!-- type="password" so the browser masks what is typed and does not offer it for autocomplete as plain text -->
		Password: <input type="password" name="pass1" />
		Confirm: <input type="password" name="pass2" />
		<input type="submit" />
	</form>

Adding the code to handle the form

The code below first reads the data from the form and stores it in local variables. My `User` table has an additional field called `status`, so that we can approve users or give users different levels of access; a status of 0 could mean unverified. The code also checks that the password and the confirmation password are equal. It should go in your PageModel:

public LocalRedirectResult OnPost()
{
	// read the four form fields by the names used in the HTML form above
	string username = Request.Form["user"];
	string email = Request.Form["email"];
	string pass1 = Request.Form["pass1"];
	string pass2 = Request.Form["pass2"];
	int status = 0; // 0 = unverified / not yet approved

	if (pass1 == pass2)
	{
		// GetConnection is the site's own connection helper, defined elsewhere in the project
		using var connection = GetConnection;

		connection.Open();
		// the values are supplied as parameters, never concatenated into the SQL text
		string sql = "insert into test values(@p1, @p2, @p3, @p4);";
		using var Command = new MySqlCommand(sql, connection);
		Command.Parameters.AddWithValue("@p1", username);
		Command.Parameters.AddWithValue("@p2", pass1); // stores the plain password; the "Storing Passwords" section replaces this with the hash
		Command.Parameters.AddWithValue("@p3", email);
		Command.Parameters.AddWithValue("@p4", status);

		Command.ExecuteNonQuery();
		connection.Close();

		return LocalRedirect("/login");
	}
	else
	{
		// note: a redirect starts a new request, so this message is not shown unless it is persisted (e.g. in TempData)
		message = "Account not created.";
	}
	return LocalRedirect("/register");
}

The code above uses parameterised SQL; adding the values as parameters in this way protects against SQL injection attacks, because each field taken from the form is treated as a single value and is never interpreted as SQL. You should also add code to check that the username, email and password1 aren't empty.
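The empty-field checks the paragraph asks for, as an added example that is not the wiki's own code: `Validate` runs before any database work, also enforces the password match and a minimum length, and `OnPost` returns `Page()` on failure so the message is actually displayed. The 12-character minimum, the `Validate` name and the `RegisterModel` class name are my assumptions.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

public class RegisterModel : PageModel
{
    public string message = "";

    // Returns null when the submission is acceptable, otherwise a message for the user.
    // Runs before any database work, so bad input never reaches the INSERT.
    public static string? Validate(string user, string email, string pass1, string pass2)
    {
        if (string.IsNullOrWhiteSpace(user)) return "Username is required.";
        if (string.IsNullOrWhiteSpace(email) || !email.Contains('@')) return "A valid email is required.";
        if (string.IsNullOrEmpty(pass1)) return "Password is required.";
        if (pass1.Length < 12) return "Password must be at least 12 characters."; // assumed policy
        if (pass1 != pass2) return "Passwords do not match.";
        return null;
    }

    public IActionResult OnPost()
    {
        // StringValues.ToString() gives "" for a missing field, so Validate sees empty strings, not nulls
        string user = Request.Form["user"].ToString().Trim();
        string email = Request.Form["email"].ToString().Trim();
        string pass1 = Request.Form["pass1"].ToString();
        string pass2 = Request.Form["pass2"].ToString();

        string? error = Validate(user, email, pass1, pass2);
        if (error != null)
        {
            message = error;
            // re-render this page so the message is shown; a redirect would start a new request and lose it
            return Page();
        }

        // the parameterised INSERT from the section above goes here, storing the
        // password hash from the "Storing Passwords" section rather than pass1
        return LocalRedirect("/login");
    }
}
```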

Storing Passwords

Passwords should never be stored in a readable format. Instead they should be encrypted or hashed to make them unreadable. In order to use a suitable hashing function you need to include this line in the using section:

using System.Security.Cryptography;

Now we need to hash the password before we save it. This should go inside the if statement which checks that pass1 and pass2 are equal:

	string hash = "";
	var inputBytes = Encoding.UTF8.GetBytes(pass1);
	var inputHash = SHA256.HashData(inputBytes);
	hash = Convert.ToHexString(inputHash);

Now, in the SQL parameters section, make sure the hash is used instead of the password.

Adapting your login code

Now that we are hashing the password when the user registers, we need to hash the password when they log in as well.
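An added example, not the wiki's code, that serves both the Storing Passwords and login sections: it replaces the unsalted SHA-256 with PBKDF2-HMAC-SHA256 over a random per-user salt, and checks the password at login in constant time. It assumes .NET 6 or later; the iteration count, the `PasswordStorage` name and the `pbkdf2$…` storage format are my own choices, and the password column must be wide enough for the roughly 90-character stored string.

```csharp
using System;
using System.Security.Cryptography;

public static class PasswordStorage
{
    private const int Iterations = 600_000; // assumption: tune so Hash takes ~100 ms on your server
    private const int SaltSize = 16;
    private const int HashSize = 32;

    // Register: returns "pbkdf2$<iterations>$<salt>$<hash>" to store in the password column (@p2).
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize); // fresh random salt for every user
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return string.Join("$", "pbkdf2", Iterations, Convert.ToBase64String(salt), Convert.ToBase64String(hash));
    }

    // Login: recompute with the stored salt and iteration count, then compare in constant time.
    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations < 1) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException) { return false; } // malformed stored value: treat as a failed login
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }
}

// Register page:  Command.Parameters.AddWithValue("@p2", PasswordStorage.Hash(pass1));
// Login page:     select the stored value for the submitted username, then
//                 bool ok = PasswordStorage.Verify(passwordFromForm, storedValue);
```

Because every user has a different salt, the login page must read the stored value for the username and call `Verify` in C#; it can no longer compare a hash inside the SQL WHERE clause.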