I have created a simple program with a login form. It works in a very simple way, but I observed that when logging in, it is not case sensitive. For example, if my username is Test and I log in using test, it is still accepted.
SqlConnection connect = new SqlConnection("Data Source=LAFAYETTE-PC;Initial Catalog=Thesis;Integrated Security=True");
connect.Open();
SqlCommand command = new SqlCommand("SELECT * FROM AdminCredentials WHERE Username = '" + LogInUsername.Text + "' AND Password = '" + LogInPassword.Text + "' ", connect);
SqlDataReader reader;
reader = command.ExecuteReader();
int count = 0;
while (reader.Read())
{
    count += 1;
}
if (count == 1)
{
    MessageBox.Show("Successfully Logged In!");
    MainForm form2 = new MainForm();
    form2.ShowDialog();
}
else if (count > 0)
{
    MessageBox.Show("Incorrect username and password");
}
else
{
    MessageBox.Show("Username or password is incorrect");
}
Any ideas? Help would be greatly appreciated!
Append " COLLATE Latin1_GENERAL_CS_AS" to your query:
new SqlCommand("SELECT * FROM AdminCredentials WHERE Username = '" + LogInUsername.Text + "' AND Password = '" + LogInPassword.Text + "' COLLATE Latin1_GENERAL_CS_AS", connect);
And read about SQL injection...
Related
Computer Science student here. I just wanted to ask how to solve this problem with the login form for my project.
con.Open();
string login = "SELECT * FROM Tble_Users WHERE username= '" + txtUser.Text + "'and password= '" + txtPass.Text + "'";
cmd = new OleDbCommand(login, con);
OleDbDataReader dr = cmd.ExecuteReader();
if (dr.Read() == true)
{
    new Welcome().Show();
    this.Hide();
}
else
{
    MessageBox.Show("Unknown Credentials");
}
I tried using an existing account I created via Microsoft Access, but the code can't read it.
I am trying to create a login page, but my Login button does not work. I am selecting the username and password from my SQL Server database.
Unfortunately, I get an error
System.Data.SqlClient.SqlException: Incorrect syntax near ''
on line 27:
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
Code below:
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["connect"].ConnectionString);
con.Open();
string checkuser = "select * from tb_Login where Username='" + txtUsername.Text + "' and Password='" + txtPassword.Text + "' ";
SqlCommand com = new SqlCommand(checkuser, con);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
con.Close();
if (temp == 1)
{
    con.Open();
    string checkPass = "select Password from tb_Login where Username='" + txtUsername.Text + "'";
    SqlCommand passCom = new SqlCommand(checkPass, con);
    string password = passCom.ExecuteScalar().ToString().Replace(" ", "");
    if (password == txtPassword.Text)
    {
        Session["New"] = txtUsername.Text;
        Response.Write("Correct");
    }
    else
    {
        Response.Write("Not Correct");
    }
}
else
{
    Response.Write("Username not correct");
}
This line of code:
string checkuser = "select * from tb_Login where Username='" + txtUsername.Text + "' and Password='" + txtPassword.Text + "' ";
is sending a query to the database and asking: "Give me all the columns from tb_Login whose Username is the value in the txtUsername box and whose Password is the value in the txtPassword box."
Then this line takes the value of the first column of the first row and tries to convert it to an integer; if it cannot, it fails:
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
Change your query to select one column only: the column you need.
Also make sure you read this question on Stack Overflow so you can see how your code is a security threat to your own application.
Here is my button command for Save.
I need help getting this to work; I will be defending this school project tomorrow.
Thanks!
It's for DataGridView, Access, C#.
I use VS 2010 and MS Access 2007.
private void save_Click(object sender, EventArgs e)
{
    if (adminyes.Checked == true || adminno.Checked == true && textBox1.Text != null && textBox2.Text != null && textBox3.Text != null)
    {
        admin = "Yes";
        if (mode == "a")
        {
            x = 0;
            connect.Close();
            connect.ConnectionString = inventorydb;
            connect.Open();
            sqlcommand.CommandText = "SELECT * FROM Users WHERE Username ='" + textBox2.Text + "' Or User_ID ='" + textBox1.Text + "' ";
            sqlcommand.Connection = connect;
            OleDbDataReader reader = sqlcommand.ExecuteReader();
            while (reader.Read())
            {
                x++;
            }
            if (x != 0)
            {
                MessageBox.Show("", "", MessageBoxButtons.OK);
            }
            else
            {
                DialogResult res = MessageBox.Show("Are you sure?", "Save User", MessageBoxButtons.YesNo, MessageBoxIcon.Warning);
                if (DialogResult.Yes == res)
                {
                    connect.Close();
                    connect.ConnectionString = inventorydb;
                    connect.Open();
                    sqlcommand.CommandText = "INSERT INTO Users (User_ID, Username, Password, Admin) VALUES ('" + textBox1.Text + "','" + textBox2.Text + "', '" + textBox3.Text + "', '" + admin + "') ";
                    sqlcommand.Connection = connect;
                    reader = sqlcommand.ExecuteReader();
                    MessageBox.Show("Record(s) Saved", "Sample");
                }
                reset();
            }
        }
        else if (mode == "e")
        {
            DialogResult res = MessageBox.Show("Are you sure?", "Update User", MessageBoxButtons.YesNo, MessageBoxIcon.Warning);
            if (DialogResult.Yes == res)
            {
                connect.Close();
                connect.ConnectionString = inventorydb;
                connect.Open();
                sqlcommand.CommandText = "UPDATE Users SET User_ID = '" + textBox1.Text + "', Username = '" + textBox2.Text + "', Password = '" + textBox3.Text + "',Admin = '" + admin + "' WHERE SerialID = '" + idholder + "' ";
                sqlcommand.Connection = connect;
                OleDbDataReader reader = sqlcommand.ExecuteReader();
                reader.Read();
                MessageBox.Show("Record(s) Updated", "Sample");
            }
            reset();
        }
    }
    else
    {
        MessageBox.Show("", "", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }
}
Password is a reserved word in Access. Change it to [Password] in your SQL queries. You should wrap all columns and tables like this.
Although this is just a school project I'll mention a few things:
Your code is vulnerable to SQL injection. Here's how to fix this for your insert method as an example:
sqlcommand.CommandText = "INSERT INTO [Users] ([User_ID], [Username], [Password], [Admin]) VALUES (@user_id, @username, @password, @admin)";
sqlcommand.Connection = connect;
sqlcommand.Parameters.AddWithValue("@user_id", textBox1.Text);
sqlcommand.Parameters.AddWithValue("@username", textBox2.Text);
sqlcommand.Parameters.AddWithValue("@password", textBox3.Text);
sqlcommand.Parameters.AddWithValue("@admin", admin);
reader = sqlcommand.ExecuteReader();
Also, passwords shouldn't be stored in plain text. Look into password hashing and salting, and how to approach it properly, for more information.
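Putting this answer's two points (parameters instead of string concatenation, and a salted hash instead of a stored password) together with the first question's case-sensitivity problem, here is an added example written for the first question's AdminCredentials table; it is not code from any post on this page. The PasswordHash and Salt columns, the PBKDF2 work factor and the .NET Framework 4.7.2+ Rfc2898DeriveBytes overload are assumptions:

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
// Added example, not from any post above. Assumes a table
// AdminCredentials(Username NVARCHAR(256), PasswordHash VARBINARY(32), Salt VARBINARY(16)).
public static class LoginCheck
{
    const int Iterations = 100000;   // PBKDF2 work factor; assumed value
    // PBKDF2-SHA256 of the password with the stored salt.
    static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
    // Compare every byte, so timing does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // At account creation: fresh random salt; store the hash, never the password itself.
    public static (byte[] Salt, byte[] PasswordHash) NewCredential(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return (salt, Hash(password, salt));
    }
    // True only when exactly one row has this username and the password hashes to the stored value.
    // The username is a parameter, so quotes typed into the text box cannot change the query; the
    // password never reaches SQL, so its case is compared exactly here, whatever the column collation.
    public static bool Verify(string connectionString, string username, string password)
    {
        using (var connect = new SqlConnection(connectionString))
        using (var command = new SqlCommand("SELECT PasswordHash, Salt FROM AdminCredentials WHERE Username = @username", connect))
        {
            command.Parameters.Add("@username", SqlDbType.NVarChar, 256).Value = username;
            connect.Open();
            using (var reader = command.ExecuteReader())
            {
                if (!reader.Read()) return false;              // no such user
                byte[] storedHash = (byte[])reader["PasswordHash"];
                byte[] salt = (byte[])reader["Salt"];
                if (reader.Read()) return false;               // duplicate username: refuse rather than guess
                return FixedTimeEquals(Hash(password, salt), storedHash);
            }
        }
    }
}
```

The username lookup still follows the column's collation (case-insensitive by default), which is usually what you want for usernames; only the password comparison is made exact.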
I've been working on a C# application and I want to create a login page for it,
but I face a problem with this code; it seems not to be working.
private void button1_Click(object sender, EventArgs e)
{
    SqlDataReader sdr;
    string query = "select * from User where User_Name = '" + textBox1.Text + "'and User_Password = '" + this.textBox2.Text + "'";
    SqlConnection connectpassword = new SqlConnection(@"Data Source=AHMEDIBRAHIM\SQLEXPRESS;Initial Catalog=Payment;Integrated Security=True");
    connectpassword.Open();
    SqlCommand logincomand = new SqlCommand(query, connectpassword);
    logincomand.Parameters.Add(@"n", SqlDbType.Text).Value = textBox1.Text;
    logincomand.Parameters.Add(@"p", SqlDbType.Int).Value = textBox2.Text;
    sdr = logincomand.ExecuteReader();
    int i = 0;
    while (sdr.Read())
    {
        i = i + 1;
    }
    if (i == 1)
    {
        MessageBox.Show("User Name and Password incorrect ");
    }
    else if (i > 1)
    {
        MessageBox.Show("Duplicate username and password", "login page");
    }
    else
    {
        MessageBox.Show(" username and password incorrect", "login page");
    }
}
Once I run it, I get this: Incorrect syntax near the keyword 'User'.
This is likely having issues because "User" is a keyword in SQL Server. You can fix it by changing it to:
string query = "select * from [User] where User_Name = '" + textBox1.Text + "'and User_Password = '" + this.textBox2.Text + "'";
When I open the login page it just displays "user name is incorrect"; it seems to be bypassing the code.
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["regConnectionString"].ConnectionString);
conn.Open();
string checkuser = "select count(*) from users where username='" + usernametxt.Text + "'";
SqlCommand com = new SqlCommand(checkuser, conn);
int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
conn.Close();
if (temp == 1)
{
    conn.Open();
    string checkPasswordQuery = "select password from users where username = '" + usernametxt.Text + "'";
    SqlCommand passComm = new SqlCommand(checkPasswordQuery, conn);
    string password = passComm.ExecuteScalar().ToString().Replace(" ", "");
    if (password == passwordtxt.Text)
    {
        Session["New"] = usernametxt.Text;
        Response.Write("password is correct");
    }
    else
    {
        Response.Write("password is not correct");
    }
}
else
{
    Response.Write("username is not correct");
}
Based on your code snippet, the first thing I can suggest is to check in the users table whether the username you are passing exists or has multiple entries, since if (temp == 1) is not satisfied.
First, debug your code.