Difference between revisions of "Create register for ASP.Net Web App"

Latest revision as of 16:56, 19 October 2024

Creating the Page

Add a new Razor Page and call it `register`.

Now add the following HTML form:

	<h1 class="display-4">Register</h1>
	<form method="post">
		Username: <input type="text" name="user" />
		Email: <input type="text" name="email" />
		Password: <input type="text" name="pass1"/>
		Confirm: <input type="text" name="pass2" />
		<input type="submit" />
	</form>

Adding the code to handle the form

The code below initially gets the data from the form and stores it in some local variables. My `User` table essentially has an additional field called `status`. This is so we can approve users or have users with different access ability. Status of 0 could be unverified. The code below will also check that password and the confirm password are equal, it should go in your PageModel:

public LocalRedirectResult OnPost()
{
	string username = Request.Form["user"];
	string email = Request.Form["email"];
	string pass1 = Request.Form["pass1"];
	string pass2 = Request.Form["pass2"];
	int status = 0;

	if (pass1 == pass2)
	{
		using var connection = GetConnection;

		connection.Open();
		string sql = "insert into test values(@p1, @p2, @p3, @p4);";
		using var Command = new MySqlCommand(sql, connection);
		Command.Parameters.AddWithValue("@p1", username);
		Command.Parameters.AddWithValue("@p2", pass1);
		Command.Parameters.AddWithValue("@p3", email);
		Command.Parameters.AddWithValue("@p4", status);

		Command.ExecuteNonQuery();
		connection.Close();

		return LocalRedirect("/login");
	}		
	else
	{
		message = "Account not created.";
	}
	return LocalRedirect("/register");
}

The code above uses `parameterised` SQL, add in the parameters in this way will protect from SQL Injection attacks. The data fields taken from the form is treated as a single item and are never treated as SQL. You should also add the code to check if the username, email, and password1 aren't empty.

Storing Passwords

Passwords should never be stored in a readable format. Instead they should be encrypted or hashed to make them unreadable. In order to use a suitable hashing function you need to include this line in the using section:

using System.Security.Cryptography;

Now, we need to hash the password before we save it (this should go in the if statement which checks if pass1 & pass2 are equal): Passwords should never be stored in a readable format. Instead they should be encrypted or hashed to make them unreadable. In order to use a suitable hashing function you need to include this line in the using section:

	string hash = "";
	var inputBytes = Encoding.UTF8.GetBytes(pass1);
	var inputHash = SHA256.HashData(inputBytes);
	hash = Convert.ToHexString(inputHash);

Now in the SQL Parameters section, make sure the hash is used instead of the password.

Adapting your login code

Now we are hashing the password when the user registers, we need to hash the password when they login as well.

Difference between revisions of "Create register for ASP.Net Web App"

Latest revision as of 16:56, 19 October 2024

Contents

Creating the Page

Adding the code to handle the form

Storing Passwords

Adapting your login code

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Main Page

AL Paper 1

AL Paper 2

Project

Tools

Changes

@@ Line 4: / Line 4: @@
 Now add the following HTML form:
 <syntaxhighlight lang=html>
+	<h1 class="display-4">Register</h1>
 	<form method="post">
-		Username: <input type="Text" name="user">
+		Username: <input type="text" name="user" />
-		Email: <input type=Email" name="email">
+		Email: <input type="text" name="email" />
-		Password: <input type="Password" name="pass1">
+		Password: <input type="text" name="pass1"/>
-		Confirm:  <input type="Password" name="pass2">
+		Confirm: <input type="text" name="pass2" />
-		<input type="submit">
+		<input type="submit" />
 	</form>
 </syntaxhighlight>
 ==Adding the code to handle the form==
-The code below initially gets the data from the form and stores it in some local variables. My `User` table essentially has an additional field called `status`. This is so we can approve users or have users with different access ability. Status of 0 could be unverified. The code below will also check that password and the confirm password are equal.
+The code below initially gets the data from the form and stores it in some local variables. My `User` table essentially has an additional field called `status`. This is so we can approve users or have users with different access ability. Status of 0 could be unverified. The code below will also check that password and the confirm password are equal, it should go in your PageModel:
 <syntaxhighlight lang=c#>
-public IActionResult OnPost()
+public LocalRedirectResult OnPost()
 {
 	string username = Request.Form["user"];
@@ Line 39: / Line 40: @@
 		Command.ExecuteNonQuery();
 		connection.Close();
+		return LocalRedirect("/login");
+	}
+	else
+	{
+		message = "Account not created.";
 	}
+	return LocalRedirect("/register");
-	return Page();
 }
 </syntaxhighlight>
-The code above uses `parameterised` SQL, add in the parameters in this way will protect from SQL Injection attacks. The data fields taken from the form is treated as a single item and are never treated as SQL.
+The code above uses `parameterised` SQL, add in the parameters in this way will protect from SQL Injection attacks. The data fields taken from the form is treated as a single item and are never treated as SQL. You should also add the code to check if the username, email, and password1 aren't empty.
 ==Storing Passwords==
@@ Line 63: / Line 69: @@
 Now in the SQL Parameters section, make sure the hash is used instead of the password.
+==Adapting your login code==
+Now we are hashing the  password when the user registers, we need to hash the password when they login as well.