0

i am trying to make a windows form to log into another one, i am using a database with users and passwords the code is as follows:

private void button1_Click(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection("Data Source=mmtsql.XXX.XXXX.XX.XX;Initial Catalog=mmtXX-XXX;User ID=mmtXX-XXX;Password=mmtXX-XXX");
    conn.Open();
    SqlCommand mycommand = new SqlCommand("SELECT User, Password FROM UsersData WHERE User = '" + textBox1.Text + "' and Password = '" + textBox2.Text + "'", conn);
    SqlDataReader reader = mycommand.ExecuteReader();
    if(reader != null) 
    {
        if(reader.Read())
        {
            Form1 formload = new Form1();
            formload.Show();
        }
        else
        {
            label3.Text = "Invalid Username or Password !";
        }
    }
    else
    {
        label3.Text = "Invalid Username or Password !";
    }

the problem that a getting is that no matter what i insert into the textboxes, right or wrong i am getting:

Invalid Username or Password !

is there anyway to fix my code? regards;

Improve this question
9
  • 3
    Do not store passwords in plain text. Commented Mar 10, 2013 at 20:11
  • 6
    You have a SQL injection vulnerability. Commented Mar 10, 2013 at 20:12
  • use breakpoints to see what query is being executed. run that query in SQL server and see whether you are getting any results. Commented Mar 10, 2013 at 20:13
  • Not sure why you have 2 else statement in your code Commented Mar 10, 2013 at 20:19
  • Also try to remove password from where clause and see what you get Commented Mar 10, 2013 at 20:20

2 Answers 2

Reset to default
1

I would do it this way, keeping to the method you are using:

private void button1_Click(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection(conn_str);
    conn.Open();
    string sql = "SELECT User, Password 
        FROM UsersData WHERE User=@user and Password=@password"
    SqlCommand mycommand = new SqlCommand(sql, conn);
    //parameterize your query!
    mycommand.Parameters.AddWithValue("user", txtuser.text);
    mycommand.Parameters.AddWithValuye("password", txtpassword.password);

    SqlDataReader reader = mycommand.ExecuteReader();
    if(reader == null)
    {
        label3.Text = "Database query failed!";
    }
    else if(reader.HasRows)
    {
        Form1 formload = new Form1();
        formload.Show();
    }
    else
    {
        label3.Text = "Invalid Username or Password !";
    }
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

thank you for the suggesstion, i have done what you asked me for and i am getting "invalid username or password" exactly the same as before
AT this point I'd be using Sql Server Mgmt Studio to connect and verify that the query even returns results.
0

Use parameterized queries as they will help you against sql injection as mentioned by SLaks. Change your code to below

using (SqlCommand command = new SqlCommand("SELECT User, Password 
    FROM UsersData WHERE User=@user and Password=@password", connection))
    {
    //
    // Add new SqlParameter to the command.
    //
    command.Parameters.Add(new SqlParameter("user ", textbox1.text));
            command.Parameters.Add(new SqlParameter("password", textbox2.text));

    SqlDataReader reader = command.ExecuteReader();
            if (reader == null)

    {
      Form1 formload = new Form1();
              formload.Show();    
    }
            else
            {
              label3.Text = "Invalid Username or Password !";    
            }
   }
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.