System.Data.OleDb.OleDbException Log in form error - c#

Student in Computer Science here. Just wanted to ask how to solve this problem with my login form for my project.
con.Open();
string login = "SELECT * FROM Tble_Users WHERE username= '" + txtUser.Text + "'and password= '" + txtPass.Text + "'";
cmd = new OleDbCommand(login,con);
OleDbDataReader dr = cmd.ExecuteReader();
if (dr.Read() == true)
{
new Welcome().Show();
this.Hide();
}
else
{
MessageBox.Show("Unknown Credentials");
}
I tried using an existing account I created via Microsoft Access, but the code can't read it.

Related

Login screen using asp.net and SQL Server

I am trying to create a login page, but my Login button does not work. I am selecting username and password from my SQL Server database.
Unfortunately, I get an error
System.Data.SqlClient.SqlException: Incorrect syntax near ''
on line 27:
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
Code below:
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["connect"].ConnectionString);
con.Open();
string checkuser = "select * from tb_Login where Username='" + txtUsername.Text + "' and Password='" + txtPassword.Text + "' ";
SqlCommand com = new SqlCommand(checkuser, con);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
con.Close();
if (temp == 1)
{
con.Open();
string checkPass = "select Password from tb_Login where Username='" + txtUsername.Text + "'";
SqlCommand passCom = new SqlCommand(checkPass, con);
string password = passCom.ExecuteScalar().ToString().Replace(" ", "");
if (password == txtPassword.Text)
{
Session["New"] = txtUsername.Text;
Response.Write("Correct");
}
else
{
Response.Write("Not Correct");
}
}
else
{
Response.Write("Username not correct");
}
This line of code:
string checkuser = "select * from tb_Login where Username='" + txtUsername.Text + "' and Password='" + txtPassword.Text + "' ";
Is sending a query to the database and asking: "Give me all the columns from tb_Login whose UserName is the value in the txtUsername box and the Password is in the txtPassword box."
Then this line will take the value of the first column of the first row and try to convert it to an integer and if it cannot it will fail:
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
Change your query to select one column only: the column you need.
Also make sure you read this question on Stack Overflow so you can see how your code is a security threat to your own application.

SQL Query Command not working but does not give error SQL Server

I am developing a database application in C#.NET and SQL Server 2012.
Some of my SQL statements are not working properly. When I execute the code it does not give any error. But when I try to delete something or update a record, it does not do that. The code lies below:
public void updateFinalTable()
{
DialogResult result = MessageBox.Show("Please make sure no fields are empty or they will get changed. \n\t\t Do you want to continue?",
"Important Note",
MessageBoxButtons.YesNo);
if (result == DialogResult.Yes)
{
try
{
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["ConString"].ConnectionString);
con.Open();
SqlCommand cmd = new SqlCommand("UPDATE fianlTable SET AccountNumber='" + textBox1.Text + "', Date='" + dateTimePicker1.Value.ToString("MM/dd/yyyy") + "', CustomerName='" + textBox3.Text + "' , Debit='" + txtDebit.Text + "', Credit='" + txtCredit.Text + "', Balance='" + txtBalance.Text + "' WHERE Id LIKE '" + textBox4.Text + "' ", con);
cmd.ExecuteNonQuery();
this.fianlTableBindingSource.AddNew();
DataTable dt = new DataTable();
SqlDataAdapter sda = new SqlDataAdapter("select * from fianlTable WHERE (UserName LIKE '" + LoginSession.UserID + "')", con);
sda.Fill(dt);
dataGridView1.DataSource = dt;
refresh();
con.Close();
MessageBox.Show("Record Updated Successfully!");
}
catch (Exception)
{
MessageBox.Show("Record Could Not be updated...! ");
}
}
}
Similar is the case with the delete operation. Both codes give no error, but inside the database no change is observed.
You have used LIKE in your WHERE condition instead of =. So your code should be like this -
SqlCommand cmd = new SqlCommand("UPDATE fianlTable SET AccountNumber='" + textBox1.Text + "', Date='" +
dateTimePicker1.Value.ToString("MM/dd/yyyy") + "', CustomerName='" +
textBox3.Text + "' , Debit='" + txtDebit.Text + "', Credit='" +
txtCredit.Text + "', Balance='" + txtBalance.Text +
"' WHERE Id = '" + textBox4.Text + "' ", con);
ATTENTION: This type of query can potentially lead to SQL injection. You had better go with parameterized queries, like this -
string qry = "UPDATE fianlTable SET AccountNumber = @accnt, CustomerName = @cname WHERE ID = @id";
SqlCommand cmd = new SqlCommand(qry, con);
cmd.Parameters.AddWithValue("@accnt", textBox1.Text);
cmd.Parameters.AddWithValue("@cname", textBox3.Text);
cmd.Parameters.AddWithValue("@id", textBox4.Text);
cmd.ExecuteNonQuery();
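As an added example (not the answer's code), the same UPDATE written with typed parameters and a check of the rows-affected count, which also tells the caller apart "no error" from "no row matched". The table name comes from the question; the column types, the parameter sizes and the .NET target (.NET 6 or later with the System.Data.SqlClient package) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the answer's code. Column types (Id INT, Date DATE,
// Debit/Credit/Balance DECIMAL(18,2)) are an assumption about fianlTable.
static class FinalTableUpdate
{
    // Returns the number of rows changed. 0 means no row had that Id, which the
    // original code could not distinguish from a successful update.
    public static int Update(string connectionString, int id, string accountNumber,
        DateTime date, string customerName, decimal debit, decimal credit, decimal balance)
    {
        const string sql =
            "UPDATE fianlTable SET AccountNumber = @accnt, [Date] = @date, " +
            "CustomerName = @cname, Debit = @debit, Credit = @credit, " +
            "Balance = @balance WHERE Id = @id";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Local helper so each DECIMAL parameter carries an explicit precision/scale.
            void AddMoney(string name, decimal value)
            {
                SqlParameter p = cmd.Parameters.Add(name, SqlDbType.Decimal);
                p.Precision = 18;
                p.Scale = 2;
                p.Value = value;
            }

            // Typed parameters: the server receives a DATE and DECIMALs rather than
            // strings formatted in the client's locale, and the SQL text itself
            // never contains anything typed into a text box.
            cmd.Parameters.Add("@accnt", SqlDbType.NVarChar, 50).Value = accountNumber;
            cmd.Parameters.Add("@date", SqlDbType.Date).Value = date.Date;
            cmd.Parameters.Add("@cname", SqlDbType.NVarChar, 100).Value = customerName;
            AddMoney("@debit", debit);
            AddMoney("@credit", credit);
            AddMoney("@balance", balance);
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The form should show "Record Updated Successfully!" only when the return value is 1, and should parse the Id and the amounts with int.TryParse/decimal.TryParse before calling, so bad input is reported to the user instead of being coerced inside the database.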

how to make log in form case sensitive

I have created a simple program with a login form. It works in a very simple way, but I observed that when logging in, it is not case sensitive. For example, if my username is Test and I log in using test, it would still be accepted.
SqlConnection connect = new SqlConnection("Data Source=LAFAYETTE-PC;Initial Catalog=Thesis;Integrated Security=True");
connect.Open();
SqlCommand command = new SqlCommand("SELECT * FROM AdminCredentials WHERE Username = '" + LogInUsername.Text + "' AND Password = '" + LogInPassword.Text + "' ", connect);
SqlDataReader reader;
reader = command.ExecuteReader();
int count = 0;
while (reader.Read())
{
count += 1;
}
if (count == 1)
{
MessageBox.Show("Successfully Logged In!");
MainForm form2 = new MainForm();
form2.ShowDialog();
}
else if (count > 0)
{
MessageBox.Show("Incorrect username and password");
}
else
{
MessageBox.Show("Username or password is incorrect");
}
Any ideas? Help would be greatly appreciated!
append " COLLATE Latin1_GENERAL_CS_AS" to your query
new SqlCommand("SELECT * FROM AdminCredentials WHERE Username = '" + LogInUsername.Text + "' AND Password = '" + LogInPassword.Text + "' COLLATE Latin1_GENERAL_CS_AS", connect)
and read about SQL injection...
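The three login checks above (the OleDb form in the first question, the tb_Login page, and this AdminCredentials form) all paste the user's input into the SQL text and compare plaintext passwords. What follows is an added example, not code from any of the posts: a parameterized lookup that makes the username comparison case-sensitive with COLLATE on the column and verifies a PBKDF2 hash in the application, where the comparison is inherently case-sensitive. It assumes .NET 6 or later with the System.Data.SqlClient package and a hypothetical AdminCredentials(Username, PasswordHash, PasswordSalt) table; for the Access/OleDb case the same shape applies with OleDbCommand and positional ? parameters.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example, not code from the posts. Assumes a hypothetical table
// AdminCredentials(Username NVARCHAR, PasswordHash VARBINARY, PasswordSalt VARBINARY)
// holding PBKDF2-SHA256 hashes, and .NET 6 or later.
static class LoginCheck
{
    const int Iterations = 100_000;
    const int HashBytes = 32;

    // True only if exactly one row matches the username (compared case-sensitively)
    // and the supplied password verifies against that row's stored hash.
    public static bool Verify(string connectionString, string username, string password)
    {
        byte[] storedHash = null, storedSalt = null;
        int rows = 0;

        using (var con = new SqlConnection(connectionString))
        using (var cmd = con.CreateCommand())
        {
            // Input travels as a parameter, never as part of the SQL text, so it
            // cannot change the query. COLLATE on the column makes the username
            // match case-sensitive; the password itself never reaches the server.
            cmd.CommandText =
                "SELECT PasswordHash, PasswordSalt FROM AdminCredentials " +
                "WHERE Username COLLATE Latin1_General_CS_AS = @user";
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = username;
            con.Open();
            using (SqlDataReader rd = cmd.ExecuteReader())
            {
                while (rd.Read())
                {
                    rows++;
                    storedHash = (byte[])rd["PasswordHash"];
                    storedSalt = (byte[])rd["PasswordSalt"];
                }
            }
        }
        if (rows != 1) return false;   // unknown user, or duplicate rows: reject

        // Re-derive the hash from the supplied password with the stored salt.
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password, storedSalt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        // Fixed-time comparison: a mismatch takes the same time wherever it differs.
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }
}
```

A single "Username or password is incorrect" message for every failing branch keeps the form from confirming which usernames exist.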

Creating Login Page Using C#/SQL Window Application .

I've been working with a C# application and I want to create a login page for it,
but I face a problem with this code; it seems not to be working.
private void button1_Click(object sender, EventArgs e)
{
SqlDataReader sdr;
string query = "select * from User where User_Name = '" + textBox1.Text + "'and User_Password = '" + this.textBox2.Text + "'";
SqlConnection connectpassword = new SqlConnection(@"Data Source=AHMEDIBRAHIM\SQLEXPRESS;Initial Catalog=Payment;Integrated Security=True");
connectpassword.Open();
SqlCommand logincomand = new SqlCommand( query, connectpassword);
logincomand.Parameters.Add(@"n", SqlDbType.Text).Value = textBox1.Text;
logincomand.Parameters.Add(@"p", SqlDbType.Int).Value = textBox2.Text;
sdr = logincomand.ExecuteReader();
int i = 0;
while (sdr.Read()){
i = i + 1;
}
if (i == 1) {
MessageBox.Show("User Name and Password incorrect ");
}
else if (i > 1)
{
MessageBox.Show("Duplicate username and password", "login page");
}
else
{
MessageBox.Show(" username and password incorrect", "login page");
}
Once I run it, I get this: Incorrect syntax near the keyword 'User'.
This is likely having issues because "User" is a keyword in SQL Server. You can fix it by changing it to:
string query = "select * from [User] where User_Name = '" + textBox1.Text + "'and User_Password = '" + this.textBox2.Text + "'";

"SqlException was unhandled" error while trying to run login in C# form

{
SqlConnection conn = new SqlConnection(global::Database_test.Properties.Settings.Default.Database1ConnectionString);
SqlCommand cmd = new SqlCommand("Select * from Login where username='" + textBox5.Text + "' and Password = '" + textBox6.Text + "'conn");
cmd.Connection = conn;
conn.Open();
SqlDataReader re = cmd.ExecuteReader();
if (re.Read())
{
MessageBox.Show("Login Successful");
}
else
{
MessageBox.Show("Login Failed");
}
}
change this:
SqlCommand cmd = new SqlCommand("Select * from Login where username='" + textBox5.Text + "' and Password = '" + textBox6.Text + "'conn");
to this:
SqlCommand cmd = new SqlCommand("Select * from Login where username='" + textBox5.Text + "' and Password = '" + textBox6.Text + "'", conn);
Before any suggestion, you may send us your InnerException description or you may need to provide more information, as this exception is a general one. However, the following are some tips that I suggest you take a look at:
1. Take care of "conn" at the end of the following line:
SqlCommand cmd = new SqlCommand("Select * from Login where username='" + textBox5.Text + "' and Password = '" + textBox6.Text + "'conn");
"conn" should be passed as SqlCommand's second parameter:
SqlCommand cmd = new SqlCommand("Select * from Login where username='" + textBox5.Text + "' and Password = '" + textBox6.Text + "'",conn);
2. Take care of using the conn.Open(); expression. I always put it in the following block:
if(conn.State != ConnectionState.Open)
conn.Open();
Find more about the ConnectionState enumeration here.
