I am truly puzzled by this.
We were giving a spec to build an app that requires users to create their own accounts before using the app.
The spec says that user's email should be validated against the email s/he has on our database.
If that email already exists, inform the user and ask him/her to choose another.
Below is the code that does all that.
//Markup:
<tr>
<td height="27" width="129"><font face="Tahoma" size="2">
<label for="txtEmail">Your Email address:</label></font></td>
<td height="27" width="244">
<asp:TextBox ID="txtEmail" CssClass="Treb10Blue" Runat="server" style="font-family: Trebuchet MS; font-size: 10pt; font-weight: bold; font-style: italic; color: #000080;"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator4" Runat="server" ErrorMessage="*" Display="Dynamic" ControlToValidate="txtEmail"></asp:RequiredFieldValidator>
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" ControlToValidate="txtEmail" ValidationExpression=".*@.*\..*" ErrorMessage="Email not in correct format" Display="Dynamic" Runat="server"></asp:RegularExpressionValidator>
</td>
</tr>
//Then codebehind
Function Fixquotes(ByVal thesqlenemy As String) As String
Fixquotes = Replace(thesqlenemy, "'", "''")
End Function
Sub btnRegister_Onclick(ByVal Src As Object, ByVal e As System.Web.UI.ImageClickEventArgs)
If Page.IsValid Then
Dim objConn As IDbConnection = New SqlConnection(ConfigurationManager.ConnectionStrings("DBConnectionString").ConnectionString)
Dim chkUsername As IDbCommand
Dim addUser As IDbCommand
Dim strSQL1 As String
Dim strSQL2 As String
Dim strUserCount As Integer
'first, check if user already exists
Try
strSQL1 = "SELECT COUNT(*) FROM [tblLogin] WHERE [Email]='" & Fixquotes(txtEmail.Text) & "'"
strSQL2 = "INSERT INTO [tblLogin] ([Fullname], [Email], [Username], [Password],[Rights],[ModifiedDate],Precinct,PositionId,ProcessedFlag)"
strSQL2 = strSQL2 & " VALUES "
strSQL2 = strSQL2 & "('" & Fixquotes(txtFullname.Text) & "', '" & Fixquotes(txtEmail.Text) & "', '" & Fixquotes(txtUsername.Text) & "', '" & Fixquotes(txtPassword.Text) & "',2,getdate(), '" & precinctList.SelectedValue & "'," & PosisitionList.SelectedValue & ",'No')"
'Response.Write(strSQL2)
'Response.End()
objConn.Open()
chkUsername = New SqlCommand(strSQL1, objConn)
strUserCount = chkUsername.ExecuteScalar()
If strUserCount = 0 Then
addUser = New SqlCommand(strSQL2, objConn)
addUser.ExecuteNonQuery()
objConn.Close()
'Display some feedback to the user to let them know it was sent
lblMsg.ForeColor = System.Drawing.Color.Green
lblMsg.Text = "Your account has been successfully created.<br><br>Please click the Close button below to close this window and log in with your newly created username and password."
'Clear the form
txtFullname.Text = ""
txtEmail.Text = ""
Else
lblMsg.Text = "That email address already exists. Please choose another..."
lblMsg.ForeColor = Drawing.Color.Red
End If
Catch
objConn.Close()
End Try
End If
End Sub
So far, out of a total of 1,035 users who have signed up, nine (9) of them have been able to create duplicate accounts using SAME email address.
One of those users did it 5 times!
How is this possible and how do I prevent further occurences?
Thanks a lot in advance