I am trying to pass values from a database table to a couple of labels where the email column matches the email entered.I have passed the email entered from login page to this page using a session.Like This :
protected void btnLogin_Click(object sender, EventArgs e)
{
if (AuthenticateUser(txtEmail.Text, txtPassword.Text))
{
FormsAuthentication.RedirectFromLoginPage(txtEmail.Text, chkBoxRememberMe.Checked);
Session["Email"] = txtEmail.Text;
Response.Redirect("~/Account.aspx");
}
then i am passing the session value to lblEmail on ACOUNTS page.and then i am trying to retrieve values ‘Name’ and ‘Balance’ from database tabel where Emails match the one in the table.Like This:
protected void Page_Load(object sender, EventArgs e)
{
lblEmail.Text = Session["Email"].ToString();
string CS = ConfigurationManager.ConnectionStrings["ABCD"].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
SqlCommand cmd = new SqlCommand("Select * from tblRegister where @Email = " + lblEmail.Text, con);
con.Open();
SqlDataReader rdr = cmd.ExecuteReader();
rdr.Read();
lblName.Text = rdr["Name"].ToString();
lblBalance.Text = rdr["Balance"].ToString();
}
But i get a error message stating ‘must declare the scalar vraiable @Email’ on the line below:
SqlDataReader rdr = cmd.ExecuteReader();
What am i doing wrong?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
Try like this instead
SqlCommand cmd = new SqlCommand("Select * from tblRegister where Email = @Email", con);
cmd.Parameters.AddWithValue("@Email", lblEmail.Text);
SqlDataReader rdr = cmd.ExecuteReader();
//...
Method 2
@Email indicates a variable, not a field name. If the field name in your table is @Email enclose it in square brackets… [@Email] but I would guess that the field name is Email.
Edit:
You also have an issue with the where statement, if you are sending text you need to enclose that in quotes:
SqlCommand cmd = new SqlCommand("Select * from tblRegister where Email = '" + lblEmail.Text + "'", con);
This type of query, simply passing a value entered by the user will open you up to SQL injection.
Method 3
You are using the Email param in the wrong place.
Try using this instead:
SqlCommand cmd = new SqlCommand("Select * from tblRegister where Email = @Email", con);
cmd.Parameters.AddWithValue("@Email", lblEmail.Text);
Method 4
Other answers have already answered your initial problem regarding @Email.
Here is what I found
Since you are using FormsAuthentication, you should not save Email in Session state. (Normally, FormsAuthentication uses username, but email address is ok since you are retrieving user information by email address.)
It defeats the purpose of using FormsAuthentication, because it already saves the Email in FormsAuthenticationTicket.
protected void btnLogin_Click(object sender, EventArgs e)
{
if (AuthenticateUser(txtEmail.Text, txtPassword.Text))
{
// Thus all you need
FormsAuthentication.RedirectFromLoginPage(username, true);
}
}
Global.asax.cs
You need this in order to retrieve the Email from cookie, and save the email in IPrincipal Object.
public class Global : HttpApplication
{
private void Application_AuthenticateRequest(object sender, EventArgs e)
{
HttpCookie decryptedCookie =
Context.Request.Cookies[FormsAuthentication.FormsCookieName];
FormsAuthenticationTicket ticket =
FormsAuthentication.Decrypt(decryptedCookie.Value);
var identity = new GenericIdentity(ticket.Name);
var principal = new GenericPrincipal(identity, null);
HttpContext.Current.User = principal;
Thread.CurrentPrincipal = HttpContext.Current.User;
}
}
Usage
protected void Page_Load(object sender, EventArgs e)
{
var email = User.Identity.Name;
}
More information here.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0