I'm working on a C# project and until now I haven't had any difficulties whatsoever, the problem is while coding a simple login form.
Here's the code for it:
MySqlConnection con = new MySqlConnection();
MySqlCommand com = new MySqlCommand();
public LoginForm()
{
InitializeComponent();
con.ConnectionString = #"Data Source=localhost;port=3306;Initial Catalog=databaseName;User id=root;password=''";
}
private void button1_Click(object sender, EventArgs e)
{
con.Open();
com.Connection = con;
com.CommandText = "select * from users";
MySqlDataReader dr = com.ExecuteReader();
if (dr.Read())
{
if (txtBoxUsername.Text.Equals(dr["username"].ToString()) && txtBoxPassword.Text.Equals(dr["password"].ToString()))
{
lblIncorrect.Text = "";
this.Hide();
InjectForm f2 = new InjectForm();
f2.Show();
}
else
{
lblIncorrect.Text = "Incorrect userename or password.";
txtBoxPassword.Text = "";
}
}
con.Close();
}
As you can see, on button click it will open my MySql connection and select everything from the table users. Then check if the username and password entered on the text boxes match with the ones stored on phpMyAdmin.
The problem comes now, if I use the first user, it will sign in correctly and do what it's supposed to do, in the other hand though, if I sign in with my second user, it will throw the "Incorrect username or password." text.
This should all work but it just doesn't.
Any ideas?
For optimal memory consumption and speed up, just fetch the desired record. You will notice a difference in execution speed when the data becomes very large.
change button1_Click to :
private void button1_Click(object sender, EventArgs e)
{
con.Open();
com.Connection = con;
com.CommandText = "select * from users where username = #username and password = #password";
com.Parameters.Add("#username", SqlDbType.VarChar, 50).Value = txtBoxUsername.Text;
com.Parameters.Add("#password", SqlDbType.VarChar, 50).Value = txtBoxPassword.Text;
MySqlDataReader dr = com.ExecuteReader();
if (dr.HasRows)
{
while (dr.Read())
{
lblIncorrect.Text = "";
this.Hide();
InjectForm f2 = new InjectForm();
f2.Show();
break;
}
}
else
{
lblIncorrect.Text = "Incorrect userename or password.";
txtBoxPassword.Text = "";
}
con.Close();
}
Note: use while(dr.Read()) to read all rows to scroll through all rows.
Related
I'm new to c# programming and have a problem retrieving data from database to a label text. Here is the code what I was trying to do.
private void label3_Click_1(object sender, EventArgs e)
{
MySqlConnection con = new MySqlConnection("Server=localhost; Database=car_rental; user=root; Pwd=; SslMode=none");
DataTable dTable = new DataTable();
con.Open();
MySqlDataReader dr = null;
MySqlCommand cmd = new MySqlCommand("Select * from login where username=" + username, con);
dr =cmd.ExecuteReader();
while (dr.Read())
{
label3.Text = (dr["username"].ToString());
}
con.Close();
}
The problem in your code is created by the concatenation of a string (username) to another string (the sql query). This is a well known source of problems, going from syntax errors (the engine is not able to parse correctly the query text) to a much worse problem known as Sql Injection.
The well known solution is to use parameters instead of concatenated strings
private void label3_Click_1(object sender, EventArgs e)
{
using(MySqlConnection con = new MySqlConnection("Server=localhost; Database=car_rental; user=root; Pwd=; SslMode=none"))
{
con.Open();
// A single string with a parameter placeholder
string sqlCmd = "Select * from login where username=#name";
using(MySqlCommand cmd = new MySqlCommand(sqlCmd, con))
{
// Associate a value to the required parameter
cmd.Parameters.Add("#name", MySqlDbType.VarChar).Value = username;
using(MySqlDataReader dr =cmd.ExecuteReader())
{
// Supposing you have just one user with that name
if(dr.Read())
{
label3.Text = dr["username"].ToString();
}
else
{
label3.Text = "User not found!";
}
}
}
}
Notice how I have added the using statement around each disposable object required to query the database. This statement ensures that the objects involved are disposed at the end of their use freeing the valuable unmanaged resource kept during their usage.
I want to check if a username is already in the database. It comes along with my update statement. I have this code and I do not know where to put the select statement:
protected void btn_update_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection(conn);
con.Open();
str = "update UserData set Password=#Password where UserName='" + txtUser.Text + "'";
com = new SqlCommand(str, con);
com.Parameters.Add(new SqlParameter("#Password", SqlDbType.VarChar));
com.Parameters["#Password"].Value = BusinessLayer.ShoppingCart.CreateSHAHash(txtPW.Text);
com.ExecuteNonQuery();
con.Close();
Label1.Visible = true;
Label1.Text = "Password changed Successfully!" ;
con.Close();
}
I want something like
"Select Username from Userdata Where Username = txtUser.Text"
You don't need a SELECT here. ExecuteNonQuery() returns the number of rows affected, which means that when it returns 0, there was no user with the given name in the database. If all went well, it should return 1.
Your code is vulnerable to SQL injection and leaks resources. Here's a better version:
protected void btn_update_Click(object sender, EventArgs e)
{
using(var con = new SqlConnection(conn))
{
con.Open();
var commandTest = "update UserData set Password=#Password where UserName=#Username";
using(var com = new SqlCommand(commandTest, con))
{
com.Parameters.AddWithValue("#Username", txtUser.Text);
com.Parameters.AddWithValue("#Password", BusinessLayer.ShoppingCart.CreateSHAHash(txtPW.Text));
if(com.ExecuteNonQuery() == 1)
{
Label1.Visible = true;
Label1.Text = "Password changed Successfully!" ;
}
}
}
}
I'm trying to make a Windows 8 mobile application web service where the user gets registered, logs in, uploads a picture, etc.
I have created my database with a stored procedure. The registration code is working but I can't make the login work.
Here is the code:
**Webservce**
public string Login(string username, string password)
{
string pwdhash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
SqlConnection con = new SqlConnection(strcon);
SqlCommand cmd = new SqlCommand();
cmd.Connection = con;
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "loginProcedure";
SqlParameter param = new SqlParameter("#username", username);
SqlParameter param2 = new SqlParameter("#password", pwdhash);
cmd.Parameters.Add(param);
cmd.Parameters.Add(param2);
con.Open();
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read())
{
return "ok";
}
else
{
return "no";
}
}
private void button1_Click(object sender, RoutedEventArgs e)
{
SnaprintWebserviceReferance.SnaPrintWebServiceSoapClient obj = new SnaprintWebserviceReferance.SnaPrintWebServiceSoapClient();
obj.LoginCompleted += new EventHandler<SnaprintWebserviceReferance.LoginCompletedEventArgs>(obj_LoginCompleted);
obj.LoginAsync(textBox1.Text, textBox2.Text);
//ServiceReference1.WebService1SoapClient clint = new ServiceReference1.WebService1SoapClient();
//clint.phoneAsync(textBox1.Text, textBox2.Text);
}
private void obj_LoginCompleted(object sender, SnaprintWebserviceReferance.LoginCompletedEventArgs e)
{
label1.Text = e.Result;
}
I have the database updating with the UserName of the person who uploaded a file and am trying to retrieve only the files the current user uploaded, to display in the gridview.
The page displays the current user name and when that person uploads a file everything is fine. Though when that user hits the search button, all records show up and I get the error:
Error:Invalid column name 'test'
protected void ButtonSearch_Click(object sender, EventArgs e)
{
GridView1.Visible = true;
try
{
string UN = Session["New"].ToString();
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
SqlDataReader reader;
SqlCommand command = new SqlCommand();
command.CommandText = "SELECT * FROM UserUpload WHERE UserName = #un";
command.Parameters.Add(new SqlParameter("#un", UN));
command.Connection = conn;
conn.Open();
reader = command.ExecuteReader();
GridView1.DataSource = reader;
GridView1.DataBind();
conn.Close();
}
catch (Exception ex)
{
LabelMessage.Text = ("Error:" + ex.Message);
}
}
Change this line
string UserSearch = "SELECT * FROM UserUpload WHERE UserName =" + UN;
to
string UserSearch = string.Format("SELECT * FROM UserUpload WHERE UserName ='{0}'",UN);
you want to match to username as string strings are being wrapped in '' in SQL
If you would be matching by number it would work fine as numbers do not have this requirement.
UPDATE to UPDATE:
Change to something like this (untested)
SqlCommand com = new SqlCommand(UserSearch, conn);
{ DataSet ds = com.ExecuteReader();
if (ds.Tables.Count > 0)
{
GridView1.DataSource = ds;
GridView1.DataBind();
}
conn.Close();
}
You would benefit from reading this
Use Parameters instead of assinging the Value to the query string
protected void ButtonSearch_Click(object sender, EventArgs e)
{
GridView1.Visible = true;
try
{
string UN = Session["New"].ToString(); ;
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
conn.Open();
string UserSearch = "SELECT * FROM UserUpload WHERE UserName = #un";
SqlCommand com = new SqlCommand(UserSearch, conn);
com.Parameters.Add(new SqlParameter("#un", UN));
com.ExecuteNonQuery();
conn.Close();
}
catch (Exception ex)
{
LabelMessage.Text = ("Error:" + ex.Message);
}
}
I am trying to make a windows Form Application with a login screen,Form3 Will open Form1 if the username and password are correct.
The code is linked to a database
The code is as follows:
private void button1_Click(object sender, EventArgs e)
{
string u_id = textBox1.Text;
string u_pwd = textBox2.Text;
SqlConnection conn = new SqlConnection("Data Source=mmtsql.XXX.XXXXX.ac.uk;Initial Catalog=mmt12-186;User ID=XXXXXX;Password=XXXXXX");
conn.Open();
SqlCommand cmd = conn.CreateCommand();
cmd.CommandText = ("SELECT * FROM UsersData WHERE User = '" + textBox1.Text + "'");
cmd.Parameters.AddWithValue("un", u_id);
SqlDataReader reader = cmd.ExecuteReader();
if (reader.Read() == false)
{
label3.Text = "Invalid Username or Password !";
return;
}
string realpwd = reader.GetString(0);
if (u_pwd == realpwd)
{
Form1 formload = new Form1();
formload.Show();
}
}
Every time I run this code, I get an exception on with the line:
string realpwd = reader.GetString(0);
The exception is:
Invalid attempt to read when no data is present.
The UsersData table has 3 columns, Id, User, Password
Thanks goes to "Alfred Sanz" who answered the question, the problem now is that no error is present but no data is shown, as if the button1_click has no method, the current code is:
private void button1_Click(object sender, EventArgs e)
{
string u_id = textBox1.Text;
string u_pwd = textBox2.Text;
SqlConnection conn = new SqlConnection("Data Source=mmtsql.XX.XXX.ac.uk;Initial Catalog=XXXXXXX ;User ID=XXXX;Password=XXXXX");
conn.Open();
SqlCommand cmd = conn.CreateCommand();
cmd.CommandText = ("SELECT * FROM UsersData WHERE User = #un");
cmd.Parameters.AddWithValue("#un", u_id);
SqlDataReader reader = cmd.ExecuteReader();
while (reader.Read())
if (reader["Password"].ToString() == u_pwd)
{
Form1 formload = new Form1();
formload.Show();
}
else
{
label3.Text = "Invalid Username or Password !";
}
}
you already set the value of USER as '" + textBox1.Text + "'" but you are also setting a value cmd.Parameters.AddWithValue("un", u_id); which really does not exist, change your code into
cmd.CommandText = "SELECT * FROM UsersData WHERE User = #un";
cmd.Parameters.AddWithValue("#un", u_id);
and also you can change the reader part to:
while (reader.Read())
{
if (reader["Password"].ToString() == u_pwd.Text
{
Form1 formload = new Form1();
formload.Show();
}
else
{
label3.Text = "Invalid Username or Password !";
}
}