I'm trying to implement a password change feature but it doesn't seem to want to work.
private void button3_Click(object sender, EventArgs e)
{
using (OleDbConnection con = new OleDbConnection(#"Provider = Microsoft.ACE.OLEDB.12.0; Data Source = C:\Users\User\Desktop\esoft\gym\gym\bin\Debug\Clients.accdb"))
{
DataTable dt = new DataTable();
con.Open();
errorProvider1.Clear();
if (dt.Rows[0][0].ToString() == "1")
{
if (textBox3.Text == textBox4.Text)
{
OleDbDataAdapter da = new OleDbDataAdapter(" COUNT (*) FROM login WHERE username= '" + textBox1.Text + "' AND [password]='" + textBox2.Text + "' ", con);
OleDbCommand com = new OleDbCommand("UPDATE login SET [password] = '" + textBox3.Text + "' WHERE username = '" + textBox2.Text + "'", con);
com.ExecuteNonQuery();
MessageBox.Show("password successfully changed", "success!", MessageBoxButtons.OK, MessageBoxIcon.Information);
}
else
{
errorProvider1.SetError(textBox3, "passwords dont match");
errorProvider1.SetError(textBox4, "passwords dont match");
}
}
else
{
errorProvider1.SetError(textBox1, "wrong username");
errorProvider1.SetError(textBox2, "wrong pasword");
}
}
}
there is an error in the line if (dt.Rows[0][0].ToString() == "1") where it states that no data was found at that position, yet there are 5 rows in the data table.
when the code is run without the above line, as in //if (dt.Rows[0][0].ToString() == "1")
the code runs but no data is being updated in the table.
updated code again and still recived the same error:
OleDbDataAdapter da = new OleDbDataAdapter("SELECT * FROM login WHERE username= '" + textBox1.Text + "' AND [password]='" + textBox2.Text + "' ", con);
DataTable dt = new DataTable();
da.Fill(dt);
con.Open();
errorProvider1.Clear();
if (dt.Rows[0][0].ToString() == "1")
Try filling your DataTable as following -
string cmdString = "SELECT * FROM login WHERE username= '" + textBox1.Text + "' AND [password]='" + textBox2.Text + "' ";
OleDbCommand cmd = new OleDbCommand(cmdString,con);
con.Open();
var dr = cmd.ExecuteReader();
DataTable dt = new DataTable();
dt.Load(dr);
con.Close()
Now you should get your data in table, provided that your select query is correct. Make sure you use using blocks on connection and command objects to dispose these when they are out of scope.
you are just declaring data table,not assigning any data
DataTable dt = new DataTable();
thats why when you try to get dt.Rows[0][0].ToString() it gives error
As you can try this:
OleDbDataAdapter custDA = new OleDbDataAdapter();
DataSet custDS = new DataSet();
DataTable custTable = new DataTable("Customers");
custTable.Columns.Add("CustomerID", typeof(String));
custTable.Columns.Add("CompanyName", typeof(String));
custDS.Tables.Add(custTable);
//Use ADO objects from ADO library (msado15.dll) imported
// as.NET library ADODB.dll using TlbImp.exe
ADODB.Connection adoConn = new ADODB.Connection();
ADODB.Recordset adoRS = new ADODB.Recordset();
adoConn.Open("Provider=SQLOLEDB;Data Source=localhost;Initial Catalog=Northwind;Integrated Security=SSPI;", "", "", -1);
adoRS.Open("SELECT CustomerID, CompanyName FROM Customers", adoConn, ADODB.CursorTypeEnum.adOpenForwardOnly, ADODB.LockTypeEnum.adLockReadOnly, 1);
custDA.Fill(custTable, adoRS);
adoRS.Close();
adoConn.Close();
You can follow this reference
As noted by another, you never assign a value to the data table, that is why it is choking. Your query itself, by string concatenation will open you to SQL-Injection. Parameterize it. Finally, for your query, I would query all records for a given user ID, but get the user and password values based on only qualifying the user ID, not the password. This way, if you have more than 1 row returned, it will indicate duplicate user accounts and should get special attention. If it returns NO rows, then no such user. If it returns ONE row, then you can compare to the password entered and if matched, you have your correct user ID to run with.
starting with your
using( OleDbConnection con = ...)
{
// create command first.. Parameterize it. In this case "#" is parameter indicator
// for Access. parmUserName is the parameter name to be applied. I explicitly added
// "parm" in front to ensure differentiation between the parameter and actual column.
var cmd = new OleDbCommand(
#"select password from login where username = #parmUserName", con);
// Now, add the parameter of proper data type. The name of the parameter and it's value
cmd.Parameters.AddWithValue("parmUserName", textBox1.Text);
// create your data adapter now based on the command above
var da = new OleDbDataAdapter(cmd);
// NOW, create your data table object and have data adapter query and fill with rows.
var dt = new DataTable();
da.Fill(dt);
// NOW, check results.
if (dt.Rows.Count == 0)
MessageBox.Show("No such user account");
else if( dt.Rows.Count > 1)
MessageBox.Show("Duplicate user account");
else
{
// valid single record. Do the passwords match?
if (textBox3.Text.Equals(dt.Rows[0]["password"].ToString()))
{
MessageBox.Show("Valid login, allow to continue");
// Now, since it appears you are trying to UPDATE the password for the user,
// build new UPDATE command and parameterize it in a similar fashion
var cmdUpd = new OleDbCommand(
#"update login set password = #parmNewPwd where username = #parmUserName", con);
// Now, add the parameter of proper data type. The name of the parameter and it's value
cmd.Parameters.AddWithValue("parmNewPwd", textBox3.Text);
cmd.Parameters.AddWithValue("parmUserName", textBox1.Text);
if (cmd.ExecuteNonQuery() == 1)
MessageBox.Show("Password updated");
else
MessageBox.Show("Failed updating password");
}
else
MessageBox.Show("Invalid password");
}
}
FINAL NOTE. You should also look into cleaning data especially before building SQL commands. Never concatenate strings where users can manually enter data for SQL-Injection, parameterize them.
Related
i am currently trying to program an application using c# where you make "money" by clicking on a button, i cant find how i can select the money int from the database in the same row as username and password and then write to the same row + 1. i dont know what to try since i cant find anything to try. i wanted to try something with my login code below to do select money from ... but i cant since the variable gets converted into an int to make sure they're in the same row.
MySqlCommand cmd = connection.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "select * from users where username = '" + usrNameBox.Text + "' and password ='" + pswrdBox.Text + "'";
DataTable dt = new DataTable();
MySqlDataAdapter da = new MySqlDataAdapter(cmd);
da.Fill(dt);
i = Convert.ToInt32(dt.Rows.Count.ToString());
if (i == 0)
{
loginStatus.Text = ("Invalid Username or Password");
}
else
{
menu fm = new menu();
fm.Show();
this.Hide();
}
thanks (im making this for my friends and i, not going out to the real world so im not worried about encrypting anything or whatever.)
Good day
I am working on login page where the user will be able to login if a value is shown in the database table and if it is not shown it will displays for him a change password page.
What I want is, how can I write an if statement to retrieve username and password if that value is exiting or not ?
what I have tried is the following
con.Open();
DataTable dt = new DataTable();
SqlCommand cmd = con.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = ("select count (*) from log_sup where ENTITY_DIVISION_CODE = '" + textBox1.Text + "'and DX_NUMBER = '" + textBox2.Text + "'" );
SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(dt);
cmd.ExecuteNonQuery();
if (dt.Rows[0][0].ToString() == "1" )
{
Form2 f2 = new Form2();
f2.Show();
this.Hide();
}
else
{
MessageBox.Show("THE USERNAME OR PASSWORD IS INVALID. THIS IS YOUR " , MessageBoxButtons.OK);
Form3 F3 = new Form3();
F3.Show();
this.Hide();
}
con.Close();
COUNT() is a scalar function so use cmd.ExecuteScalar(); to get result as an Object. No need to take DataTable and do other complex things.
Following is simple solution. Kindly modify accordingly as its just a help how to use ExecuteScalar.
int result = Convert.ToInt32(cmd.ExecuteScalar());
if(result > 0)
{
//SUCCESS
}
else
{
//FAIL
}
I'm creating a simple web service to authenticate a user.
I have a problem filling the datatable(used to store the results of a select statement) properly, 'dt.rows.count' (dt is the name of the datatable) always returns 0 even if the select statement returns nothing. I've tried clearing the datatable before filling it, and after the if condition as well, but to no avail, I get the same result.
Would really appreciate any advice on how to proceed.
[WebMethod]
public string Authen(string a, string b)
{
var con = new SqlConnection("Data Source=SERVER-SQL;Initial Catalog=DECA-DB;Persist Security Info=True;User ID=sa;Password=*****");
var sda = new SqlDataAdapter("SELECT * FROM Login_Matrix WHERE Username = ' " + a + " ' AND Password = ' " + b + " '", con);
var dt = new DataTable();
con.Open();
dt.Clear();
sda.Fill(dt);
con.Close();
int x = dt.Rows.Count;
//return (x);
if ( x >0)
{
dt.Clear();
return ("In");
}
else
{
dt.Clear();
return ("out");
}
}
}
Adding a space after and before the single quotes makes your query search for inexistant user names and passords (like " Steve ") and it return no records
A quick fix could be
var sda = new SqlDataAdapter(#"SELECT * FROM Login_Matrix
WHERE Username = '" + a + "'
AND Password = '" + b + "'", con);
but this is very dangerous.
This code is vulnerable to Sql Injection attacks.
You should use parameters
var sda = new SqlDataAdapter(#"SELECT * FROM Login_Matrix
WHERE Username = #uname
AND Password = #pwd", con);
sda.SelectCommand.Parameters.Add("#uname", SqlDbType.NVarChar).Value = a;
sda.SelectCommand.Parameters.Add("#pwd", SqlDbType.NVarChar).Value = b;
And on the same line about security, another thing to consider as soon as possible, is that storing plain text password in your database is a really big security risk. You should search how to salt and store an hash of the password
There are other parts of this code to improve.
First you need to have using statements around the disposable objects
like the connection or the command.
Second, there is no need to have a full SqlDataAdapter and a
DataTable to just check if the user exists or not.
So you can rewrite your code as:
string cmdText = #"IF EXISTS(SELECT 1 FROM Login_Matrix
WHERE Username = #uname AND Password = #pwd)
SELECT 1 ELSE SELECT 0";
using(SqlConnection con = new SqlConnection("....."))
using(SqlCommand cmd = new SqlCommand(cmdText, con))
{
con.Open();
int result = (int)cmd.ExecuteScalar();
return ( result == 1 ? "In" : "out");
}
I want that when SqlCommand returns zero result or null, then show alert message. I try but it always giving me
Object reference not set to an instance of an object.
Here is my code
ASPX.CS
public void gettable()
{
string user = Session["name"].ToString();
SqlConnection cnn = new SqlConnection("Data Source=LIFE_WELL;Initial Catalog=db_compiler;Integrated Security=True");
//string db = Session["value"].ToString();
string db = Session["value"].ToString();
SqlCommand cmd3 = new SqlCommand("SELECT Database_id from Create_db WHERE Database_Name='" + db + "'", cnn);
cnn.Open();
string dbid = cmd3.ExecuteScalar().ToString();
SqlCommand cmd4 = new SqlCommand("SELECT DISTINCT (Table_Name) from tbl_field WHERE Database_id=" + dbid + "", cnn);
string tbl_name = cmd4.ExecuteScalar().ToString();
DataTable dt = new DataTable();
SqlDataAdapter da = new SqlDataAdapter(cmd4);
da.Fill(dt);
if (dt.Rows.Count == 0)
{
Response.Write("<Script>alert('" + Server.HtmlEncode("No Tables Found") + "')</Script>");
}
else
{
foreach (DataRow dr in dt.Rows)
{
GridView1.DataSource = dt;
GridView1.DataBind();
cnn.Close();
}
}
}
try this
if (dt == null || dt.Rows.Count <= 0)
{
Response.Write("<Script>alert('No Tables Found')</Script>");
return;
}
also replace your code as
string tbl_name = Convert.ToString(cmd4.ExecuteScalar());
ExecuteScalar only returns one value. You have to make sure your query only returns that value.
use ExecuteReader
gives you a data reader back which will allow you to read all of the columns of the results a row at a time.
An example would be pulling profile information for one or more users.
SELECT * FROM pro WHERE id = '123456'
Here is my suggestions:
Data binding is one thing, display message is another. You should do data boning first, then display any message to users.
Do remember to close DB connection, or it will be a disaster.
I don't think you have to data binding in a loop, just do it one time.
You can refer "registerstartupscript" in MSDN.
I've got a C# project where I'm trying to export the results of a datagrid. Sometimes the data gets quite large, so rather than re-executing the code I want to dump the dataset into a session variable.
This works perfectly in most of my projects. One example from a project where I use this is:
protected void Page_Load(object sender, EventArgs e)
{
SqlConnection sqlconnectionStatus = new SqlConnection(str);
string DDL_Value = Convert.ToString(Request.QueryString["DDL_Val"]);
//Use the ClassTesting class to determine if the dates are real, and fill in today's date if they're blank
string StDt_Value = ClassTesting.checkFields(Request.Form["txtStartDate"], "Date");
string EnDt_Value = ClassTesting.checkFields(Request.Form["txtEndDate"], "Date");
//string StDt_Value = Convert.ToString(Request.QueryString["StDt_Val"]);
//string EnDt_Value = Convert.ToString(Request.QueryString["EnDt_Val"]);
string BTN_Value;
// Because the date is stored as an INT, you have to request the string and then
// convert it to an INT
string StDT_Vals = Request.QueryString["StDt_Val"].ToString();
string EnDT_Vals = Request.QueryString["EnDt_Val"].ToString();
//sqlquery = "Select PROC_NM as 'Agent Name', AdminLevel as Role, Count(Claim_ID) as 'Count of Claims Reviewed', Spare as AgentID ";
//sqlquery = sqlquery + "from ClosedClaims_MERGE CCM ";
sqlquery = "Select PROC_NM as 'Agent Name', AdminLevel as Role, Count(DISTINCT Claim_ID) as 'Count of Claims Reviewed', Spare as AgentID ";
sqlquery = sqlquery + "from (SELECT DISTINCT Spare, SpareFinished, CLAIM_ID FROM ClosedClaims_MERGE ";
sqlquery = sqlquery + "UNION SELECT DISTINCT Spare, SpareFinished, CLAIM_ID FROM tblAuditing) CCM ";
sqlquery = sqlquery + "LEFT JOIN PROC_LIST PL ON CCM.Spare = PL.LOGIN ";
sqlquery = sqlquery + "WHERE CCM.SpareFinished >= '" + StDt_Value + "' AND CCM.SpareFinished <= '" + EnDt_Value + "' ";
sqlquery = sqlquery + "GROUP BY Spare, PROC_NM, AdminLevel ";
sqlquery = sqlquery + "ORDER BY Count(Claim_ID) DESC";
SqlConnection con = new SqlConnection(str);
SqlCommand cmd = new SqlCommand(sqlquery, con);
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
// Fill the DataSet.
DataSet ds = new DataSet();
adapter.Fill(ds, "dsEffVol");
// Add this to a session variable so the datagrid won't get NULLed out on repost
Session["SSEffVol"] = ds;
// Perform the binding.
grdEffVol.Attributes.Add("style", "overflow:auto");
//GridView_WODetails.Attributes.Add("style", "table-layout:fixed");
grdEffVol.AutoGenerateColumns = true;
grdEffVol.DataSource = ds;
grdEffVol.DataBind();
}
I've got a new project where I'm not using SQL strings, but instead I'm pulling data based on SQL Server Stored Procedures. The code block there is:
protected void btnSubmit_OnClick(object sender, EventArgs e)
{
List<ReportData> myReportData = new List<ReportData>();
using (SqlConnection connection1 = new SqlConnection(str2))
{
//Query the Reports table to find the record associated with the selected report
using (SqlCommand cmd = new SqlCommand("SELECT * from RM_tblManagerReports WHERE ReportID = " + cboFilterOption.SelectedValue + "", connection1))
{
connection1.Open();
using (SqlDataReader DT1 = cmd.ExecuteReader())
{
while (DT1.Read())
{
//Read the record into an "array", so you can find the SProc and View names
int MyRptID = Convert.ToInt32(DT1[0]);
string MyRptName = DT1[1].ToString();
string MyRptSproc = DT1[2].ToString();
string MySQLView = DT1[3].ToString();
string MyUseDates = DT1[4].ToString();
//Run the Stored Procedure first
SqlConnection connection2 = new SqlConnection(str2);
SqlCommand cmd2 = new SqlCommand();
cmd2.CommandType = CommandType.StoredProcedure;
cmd2.CommandText = "" + MyRptSproc + "";
cmd2.Connection = connection2;
//Set up the parameters, if they exist
if (MyUseDates != "N")
{
cmd2.Parameters.Add("#StDate", SqlDbType.Date).Value = DateTime.Parse(txtStDate.Value);
cmd2.Parameters.Add("#EnDate", SqlDbType.Date).Value = DateTime.Parse(txtEnDate.Value);
}
else
{
}
try
{
connection2.Open();
GridView_Reports.EmptyDataText = "No Records Found";
SqlDataReader dr = cmd2.ExecuteReader(CommandBehavior.CloseConnection);
Session["SSRptMenu"] = dr;
GridView_Reports.DataSource = dr;
GridView_Reports.DataBind();
// Add this to a session variable so the datagrid won't get NULLed out on repost
GridView_Reports.DataBound += GridView_Reports_RowDataBound;
}
catch (Exception ex)
{
ScriptManager.RegisterStartupScript(btnSubmit, typeof(Button), "Report Menu", "alert('There is no View associated with this report.\\nPlease contact the developers and let them know of this issue.')", true);
Console.WriteLine(ex);
return;
}
finally
{
connection2.Close();
connection2.Dispose();
}
}
}
}
}
}
I'm kind of guessing my way through this, and I'm not sure if I'm reading the data into a dataset properly. The page is shutting down, and I'm pretty sure the problem is in the lines:
SqlDataReader dr = cmd2.ExecuteReader(CommandBehavior.CloseConnection);
Session["SSRptMenu"] = dr;
GridView_Reports.DataSource = dr;
Quite honestly, I've googled SqlDataReader vs SqlDataAdapter and can't really find anything, but I need to fill the session variable in the second example and also have the datagrid populate properly. So, in essence, I need to put the results of a Stored Procedure into a dataset. Can anyone offer suggestions on what I'm doing wrong?
I'm pretty sure most controls don't accept readers in their DataSource property. Plus the majority of readers are forward-only, so although you're trying to store the reader as a session variable, chances are you would only be able to read it once.
Why do you want to use a reader for this when your post seems to indicate that you know you need to use a DataSet? Why not just use an adapter the way you show in your first post? Adapters work fine with commands that use sprocs.
Instead of:
SqlDataReader dr = cmd2.ExecuteReader(CommandBehavior.CloseConnection);
Session["SSRptMenu"] = dr;
GridView_Reports.DataSource = dr;
Just use:
var adapter = new SqlDataAdapter(cmd2);
var ds = new DataSet();
adapter.Fill(ds, "MyTableName");
Session["SSRptMenu"] = ds;
GridView_Reports.DataSource = ds;