Difference between revisions of "Create register for ASP.Net Web App"
Edit summary (both revisions): (→Adding the code to handle the form)
Line 18: | Line 18: | ||
<syntaxhighlight lang=c#> | <syntaxhighlight lang=c#> | ||
− | public | + | public LocalRedirectResult OnPost() |
{ | { | ||
string username = Request.Form["user"]; | string username = Request.Form["user"]; | ||
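Review bot: the new signature `public LocalRedirectResult OnPost()` fixes the dangling `public`, but it commits every code path in the handler to a redirect, and `Request.Form["user"]` is read straight into `string username` with no check that the field was supplied. Consider `public IActionResult OnPost()` instead, so the handler can `return Page();` with a validation message when a field is empty rather than redirecting, and add the empty-field check before anything reaches the database.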
Line 40: | Line 40: | ||
Command.ExecuteNonQuery(); | Command.ExecuteNonQuery(); | ||
connection.Close(); | connection.Close(); | ||
+ | |||
+ | return LocalRedirect("/login"); | ||
+ | } | ||
+ | else | ||
+ | { | ||
+ | message = "Account not created."; | ||
} | } | ||
− | + | return LocalRedirect("/register"); | |
− | return | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> |
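Review bot: the `else` branch sets `message = "Account not created.";` and then falls through to `return LocalRedirect("/register");`, so the message is assigned on a page-model instance that is discarded by the redirect and is never rendered to the user. Either `return Page();` from the `else` branch (which needs the handler's return type to be `IActionResult`), or carry the message across the redirect via `TempData`. The added `return LocalRedirect("/login");` after `connection.Close();` is fine, though `connection.Close()` is redundant once the connection is declared with `using var`.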
Revision as of 16:54, 19 October 2024
Creating the Page
Add a new Razor Page and call it `register`.
Now add the following HTML form:
<h1 class="display-4">Register</h1>
<form method="post">
    Username: <input type="text" name="user" />
    Email: <input type="text" name="email" />
    <!-- type="password" masks the value on screen; the original used type="text" -->
    Password: <input type="password" name="pass1" />
    Confirm: <input type="password" name="pass2" />
    <input type="submit" />
</form>
Adding the code to handle the form
The code below first reads the data from the form into local variables. My `User` table also has an extra field called `status`, which lets us approve users or give users different levels of access; a status of 0 could mean unverified. The code also checks that the password and the confirmation password match.
public LocalRedirectResult OnPost()
{
    // Read the posted form fields (Request.Form values convert implicitly to string)
    string username = Request.Form["user"];
    string email = Request.Form["email"];
    string pass1 = Request.Form["pass1"];
    string pass2 = Request.Form["pass2"];
    int status = 0; // 0 = unverified

    if (pass1 == pass2)
    {
        // GetConnection is assumed to be a MySqlConnection property defined elsewhere in this page model
        using var connection = GetConnection;
        connection.Open();
        // Parameterised insert: the @pN placeholders are bound below, never concatenated into the SQL text
        string sql = "insert into test values(@p1, @p2, @p3, @p4);";
        using var Command = new MySqlCommand(sql, connection);
        Command.Parameters.AddWithValue("@p1", username);
        Command.Parameters.AddWithValue("@p2", pass1);
        Command.Parameters.AddWithValue("@p3", email);
        Command.Parameters.AddWithValue("@p4", status);
        Command.ExecuteNonQuery();
        connection.Close();
        return LocalRedirect("/login");
    }
    else
    {
        // message is a string property on this page model that the view displays
        message = "Account not created.";
    }
    return LocalRedirect("/register");
}
The code above uses parameterised SQL; adding the values as parameters in this way protects against SQL injection attacks. Each field taken from the form is passed as a single value and is never interpreted as SQL. You should also add code to check that the username, email, and first password are not empty.
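The following is an added example of the empty-field check the paragraph asks for, written as a complete page model; it is not the tutorial's own code. It assumes the Oracle `MySql.Data` connector (`using MySql.Data.MySqlClient;`), a connection string named `Default` in configuration, and a `Message` property that the Razor view prints with `@Model.Message`. It returns `IActionResult` so that validation failures re-render the page with the message instead of redirecting and losing it.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;
using MySql.Data.MySqlClient; // assumption: the MySql.Data connector package

public class RegisterModel : PageModel
{
    // Rendered by the view, e.g. <p>@Model.Message</p>
    public string Message { get; private set; } = "";

    private readonly string _connectionString;

    public RegisterModel(IConfiguration config)
    {
        // Assumption: a "Default" connection string exists in appsettings.json
        _connectionString = config.GetConnectionString("Default") ?? "";
    }

    public IActionResult OnPost()
    {
        string username = Request.Form["user"];
        string email = Request.Form["email"];
        string pass1 = Request.Form["pass1"];
        string pass2 = Request.Form["pass2"];

        // Reject missing or whitespace-only fields before touching the database
        if (string.IsNullOrWhiteSpace(username)
            || string.IsNullOrWhiteSpace(email)
            || string.IsNullOrWhiteSpace(pass1))
        {
            Message = "Username, email and password are all required.";
            return Page();
        }

        if (pass1 != pass2)
        {
            Message = "Account not created: the passwords do not match.";
            return Page();
        }

        const int status = 0; // 0 = unverified, as in the tutorial
        // At this point in the tutorial the password is stored as typed; the
        // "Storing Passwords" section replaces this value with a hash.
        string storedPassword = pass1;

        using var connection = new MySqlConnection(_connectionString);
        connection.Open();

        // Parameterised insert: user-supplied values are bound, never spliced into the SQL text
        const string sql = "insert into test values(@p1, @p2, @p3, @p4);";
        using var command = new MySqlCommand(sql, connection);
        command.Parameters.AddWithValue("@p1", username);
        command.Parameters.AddWithValue("@p2", storedPassword);
        command.Parameters.AddWithValue("@p3", email);
        command.Parameters.AddWithValue("@p4", status);
        command.ExecuteNonQuery();

        // The using declarations dispose the command and connection on return
        return LocalRedirect("/login");
    }
}
```

Returning `Page()` rather than `LocalRedirect("/register")` on a validation error is what makes the message visible: a redirect starts a fresh request with a new page-model instance, so a property set before the redirect is never rendered.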
Storing Passwords
Passwords should never be stored in a readable format. Instead they should be encrypted or hashed to make them unreadable. In order to use a suitable hashing function you need to include this line in the using section:
using System.Security.Cryptography;
Now we need to hash the password before we save it (this should go in the if statement that checks whether pass1 and pass2 are equal):
// Encoding lives in System.Text, so that namespace must also be in the using section
var inputBytes = Encoding.UTF8.GetBytes(pass1);
var inputHash = SHA256.HashData(inputBytes);
// Hex-encode the 32-byte digest so it can be stored in a text column
string hash = Convert.ToHexString(inputHash);
Now in the SQL Parameters section, make sure the hash is used instead of the password.
Adapting your login code
Now that we are hashing the password when the user registers, we need to hash it the same way when they log in as well, and compare the result with the stored hash.
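The following added example (not the tutorial's own code) collects the hashing step from "Storing Passwords" and the matching login check from this section into one helper class. `Sha256Hex` and `VerifySha256` implement exactly the scheme the tutorial uses; `Pbkdf2` and `VerifyPbkdf2` go beyond the page and show the salted, iterated form a practitioner would normally choose for password storage, using `Rfc2898DeriveBytes.Pbkdf2` from the same `System.Security.Cryptography` namespace. The iteration count and the `$`-separated storage format are this example's own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHasher
{
    // --- The tutorial's scheme: unsalted SHA-256, hex encoded ---

    public static string Sha256Hex(string password)
    {
        byte[] inputBytes = Encoding.UTF8.GetBytes(password);
        byte[] digest = SHA256.HashData(inputBytes);
        return Convert.ToHexString(digest);
    }

    // Login check: hash the submitted password the same way and compare in constant time
    public static bool VerifySha256(string password, string storedHex)
    {
        byte[] expected = Convert.FromHexString(storedHex);
        byte[] actual = SHA256.HashData(Encoding.UTF8.GetBytes(password));
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    // --- Salted, iterated PBKDF2-SHA256 (this example's choice, beyond the tutorial) ---

    private const int SaltSize = 16;          // bytes of random salt per user
    private const int KeySize = 32;           // derived key length in bytes
    private const int Iterations = 600_000;   // example work factor

    // Stored format: pbkdf2-sha256$<iterations>$<salt hex>$<key hex>
    public static string Pbkdf2(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        return $"pbkdf2-sha256${Iterations}${Convert.ToHexString(salt)}${Convert.ToHexString(key)}";
    }

    // Login check: re-derive with the stored salt and iteration count, then compare in constant time
    public static bool VerifyPbkdf2(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        if (!int.TryParse(parts[1], out int iterations) || iterations <= 0) return false;

        byte[] salt = Convert.FromHexString(parts[2]);
        byte[] expected = Convert.FromHexString(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input; in the app these come from Request.Form
        string registered = "correct horse battery staple";

        string sha = PasswordHasher.Sha256Hex(registered);
        Console.WriteLine($"SHA-256 stored value: {sha}");
        Console.WriteLine($"login ok:  {PasswordHasher.VerifySha256(registered, sha)}");
        Console.WriteLine($"login bad: {PasswordHasher.VerifySha256("wrong password", sha)}");

        string pbkdf2 = PasswordHasher.Pbkdf2(registered);
        Console.WriteLine($"PBKDF2 stored value: {pbkdf2}");
        Console.WriteLine($"login ok:  {PasswordHasher.VerifyPbkdf2(registered, pbkdf2)}");
        Console.WriteLine($"login bad: {PasswordHasher.VerifyPbkdf2("wrong password", pbkdf2)}");
    }
}
```

In the login handler, read the stored hash for the submitted username with a parameterised `select`, then call the matching `Verify...` method with the password from the form; the database query never needs to see the plaintext password. Comparing with `FixedTimeEquals` rather than `==` avoids leaking how many leading bytes of the hash matched through response timing.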