I want to check the username is already exists in my database table or not?

Question

i have registration page and i want to check that username is already exist in database or not in 3 tier architecture.

MyRegistration.cs:

public static int checkusername(string user_txt)
 {
  int id2 = 0;
  string selectstr = "select * from xyz where UserName = '" + user_txt + " ' ";
  id2 = DataAccessLayer.ExecuteReader(selectstr);
  return id2;    
 }

and the code behind onclick event of textbox:

protected void txt_username_TextChanged(object sender, EventArgs e)
 {
  if (!string.IsNullOrEmpty(txt_username.Text))
   {
    int id = xyz.checkusername(txt_username.Text.Trim());
    if (id > 0)
     {
      lblStatus.Text = "UserName Already Taken";
     }
    else
     {
      lblStatus.Text = "UserName Available";
     }
   } 

 }

DataAccessLayer:

public static int ExecuteReader(string Query)
 {
  SqlConnection con = new SqlConnection();
  con.ConnectionString = GetConnectionString();
  con.Open();
  int id = 0;            
  SqlCommand cmd = new SqlCommand();
  cmd.CommandText = Query;
  cmd.CommandType = System.Data.CommandType.Text;
  cmd.Connection = con;
  SqlDataReader reader = cmd.ExecuteReader();
  while (reader.Read())
   {
    id++;
   }
  cmd = null;
  reader.Close();
  con.Close();
  return id;
 }

Answer 1

I have edited some of your codes try like below... it will help you...

Text change Event :

    protected void txt_username_TextChanged(object sender, EventArgs e)
    {
        if (!string.IsNullOrEmpty(txt_username.Text))
        {
            if (xyz.checkusername(txt_username.Text.Trim()))
            {
                lblStatus.Text = "UserName Already Taken";
            }
            else
            {
                lblStatus.Text = "UserName Available";
            }
        }

    }

Check Username :

    public bool CheckUsername(string user_txt)
    {
        bool Result;
        Result = DataAccessLayer.ExecuteReader(user_txt);
        return Result;
    }

Excute Reader :

    public bool ExecuteReader(string user_txt)
    {
        SqlConnection con = new SqlConnection();
        con.ConnectionString = GetConnectionString();
        con.Open();
        SqlCommand cmd = new SqlCommand("select * from xyz where UserName = @UserID", con);
        SqlParameter param = new SqlParameter();
        param.ParameterName = "@UserID";
        param.Value = user_txt;
        cmd.Parameters.Add(param);
        SqlDataReader reader = cmd.ExecuteReader();
        if (reader.HasRows)
            return true;
        else
            return false;
    }

Answer 2

Usually if the "select query" doesn't find a userName with the parameter user_txt you'll id2 will be end up with the value -1. So the appropriate code would be:

           if (id ==-1)
               {
                   lblStatus.Text = "UserName Available";
               }
           if (id>0)
               {

                   lblStatus.Text = "UserName Already Taken";
               }

By the way, your code is highly insecure and your database can be easily attacked using SQL Injection I'd recommend you to understand this issue and add parameters to the query to prevent it. C# has its ways to implement this. Don't try to fix the access to the database, just start from scrath keeping in mind SQL Injection.

Answer 3

As others have mentioned, this approach has potentially serious security issues.

However, your problem may lie here user_txt + " ' ". The spaces around the second ', specifically the one before it may lead to the usernames not matching as expected.