
I'm writing an ASP web project for a degree module and I have to insert some login details into a login table. It was working fine whilst I had it running as a script in the .aspx file, but I needed to hash the password so, not knowing a way to do it outside the Code Behind file, I moved the SQLDataSource. This is the insert, which doesn't work.

SqlDataSource sqldsInsertPassword = new SqlDataSource();
sqldsInsertPassword.ConnectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
sqldsInsertPassword.ProviderName = ConfigurationManager.ConnectionStrings["ConnectionString"].ProviderName;
sqldsInsertPassword.InsertCommand = "INSERT INTO login (Password, Email) VALUES (@Password, @Email)";
sqldsInsertPassword.InsertCommandType = SqlDataSourceCommandType.Text;
sqldsInsertPassword.InsertParameters.Add("@Email", txtEmail.Text.ToString().ToLower());
sqldsInsertPassword.InsertParameters.Add("@Password", Convert.ToBase64String(getSHA256(txtPassword.Text.ToString())));
sqldsInsertPassword.Insert();

I don't see what's wrong with that, but maybe you can tell from the rest of the class.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data.Sql;
using System.Web.Security;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

public static byte[] getSHA256(string password)
{
    SHA256CryptoServiceProvider sha = new SHA256CryptoServiceProvider();
    return sha.ComputeHash(System.Text.Encoding.ASCII.GetBytes(password));
}

protected void btnRegister_Click(object sender, EventArgs e)
{//check email, insert user, SQL command get user ID, insert password

    SqlDataReader drExistingUsers = (SqlDataReader)sqldsCheckEmail.Select(DataSourceSelectArguments.Empty);
    drExistingUsers.Read();
    if (drExistingUsers.HasRows == false)
    {
        drExistingUsers.Close();
        bool fault = false;

        try
        {
            sqldsInsertUser.Insert();
        }
        catch (Exception error)
        {
            fault = true;
            lblError.Text = "Error: " + error;
        }

        if (fault == false)
        {
            try
            {
                SqlDataSource sqldsInsertPassword = new SqlDataSource();
                sqldsInsertPassword.ConnectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
                sqldsInsertPassword.ProviderName = ConfigurationManager.ConnectionStrings["ConnectionString"].ProviderName;
                sqldsInsertPassword.InsertCommand = "INSERT INTO login (Password, Email) VALUES (@Password, @Email)";
                sqldsInsertPassword.InsertCommandType = SqlDataSourceCommandType.Text;
                sqldsInsertPassword.InsertParameters.Add("@Email", txtEmail.Text.ToString().ToLower());
                sqldsInsertPassword.InsertParameters.Add("@Password", Convert.ToBase64String(getSHA256(txtPassword.Text.ToString())));
                sqldsInsertPassword.Insert();
            }
            catch (Exception insertError)
            {
                fault = true;                    
                lblError.Text = "Error: " + insertError;
            }

            if (fault == false)
                Response.Redirect("Login.aspx");
        }
    }

    else
        lblError.Text = "Email already exists.";
}
}

I appreciate there's a lot of namespaces I probably don't need in there, but I will tidy those up later.

Thanks to those who reply!

  • Do you get an error or does nothing happen at all? Commented Nov 8, 2012 at 22:53
  • Is an exception thrown? What does it say? Or it just doesn't work at all? Commented Nov 8, 2012 at 22:53
  • Please put the stack trace of your exception into this question. Or, if it doesn't throw an exception, what's the problem? Does it just output the wrong thing? Commented Nov 8, 2012 at 23:13
  • It fails the try when inserting password, I'm not sure how to output SQLDataSource Insert errors in the catch. If someone could comment on how to do that, I can post something more specific. Commented Nov 8, 2012 at 23:47

2 Answers

1

Okay I fixed it, there's some kind of issue with the formatting of the insert parameters there. Basically, I reformatted my SQLDataSource in the .aspx file to look like so,

<asp:SqlDataSource ID="sqldsInsertPassword" runat="server" 
ConnectionString="<%$ ConnectionStrings:ConnectionString %>" 
DeleteCommand="DELETE FROM [login] WHERE [UserID] = @UserID" 
InsertCommand="INSERT INTO [login] ([Password], [Email]) VALUES (@Password, @Email)" 
SelectCommand="SELECT [UserID], [Password], [Email] FROM [login]" 
UpdateCommand="UPDATE [login] SET [Password] = @Password, [Email] = @Email WHERE [UserID] = @UserID">
<DeleteParameters>
    <asp:Parameter Name="UserID" Type="Int64" />
</DeleteParameters>
<InsertParameters>
    <asp:Parameter Name="Password" Type="String" />
    <asp:Parameter Name="Email" Type="String" />
</InsertParameters>
<UpdateParameters>
    <asp:Parameter Name="Password" Type="String" />
    <asp:Parameter Name="Email" Type="String" />
    <asp:Parameter Name="UserID" Type="Int64" />
</UpdateParameters>
</asp:SqlDataSource>

After that, I changed the code in the Code Behind to this;

try
{
    sqldsInsertPassword.InsertParameters["Email"].DefaultValue = txtEmail.Text.ToString().ToLower();
    sqldsInsertPassword.InsertParameters["Password"].DefaultValue = Convert.ToBase64String(getSHA256(txtPassword.Text.ToString()));
    sqldsInsertPassword.Insert();
}

And now it works. I don't know if the old Code Behind method of inserting parameters would've worked as well, but I'm not going to try.

1

Drop the @ and it will work:

sqldsInsertPassword.InsertParameters.Add("Email", txtEmail.Text.ToString().ToLower());
