0

I am using:

                string selectString =
                "SELECT username, password " +
                "FROM users " +
                "WHERE username = '" + user + "' AND password = '" + password + "'";

                MySqlCommand mySqlCommand = new MySqlCommand(selectString, Program.mySqlConnection);
                Program.mySqlConnection.Open();
                String strResult = String.Empty;
                strResult = (String)mySqlCommand.ExecuteScalar();
                Program.mySqlConnection.Close();
                if (strResult.Length == 0)
                {
                    responseString = "invalid";
                    InvalidLogin = true;
                } else {
                    InvalidLogin = false;
                }

and at strResult.Length I get a NullReferenceException for some reason.

Improve this question
10
  • 1
    FYI, the password column is a hashed version of the password, and not the actual password. Testing against it would require you to compare input via the Password() function: dev.mysql.com/doc/refman/5.1/en/… Commented Oct 19, 2012 at 18:24
  • 4
    Warning: Your code is vulnerable to SQL Injection! Commented Oct 19, 2012 at 18:26
  • 1
    @LynnCrumbling, it isn't a hashed password if he didn't hash it when inserting it. Commented Oct 19, 2012 at 18:29
  • 2
    I dont know why are you using strResult.Length?? Commented Oct 19, 2012 at 18:41
  • 2
    @Gromer sigh I hope you don't opt to pay your bill online, lest they're talking to their payment gateway without https.... Commented Oct 19, 2012 at 18:43

3 Answers 3

Reset to default
3

This is how your code should look like:

using(var connection = new MySQLConnection(connectionString))
{
    using(var command = connection.CreateCommand())
    {
        command.CommandText = @"
SELECT COUNT(*) 
FROM users
WHERE username = @user AND password = @password";
        command.Parameters.Add(new MySQLParameter("user", user));
        command.Parameters.Add(new MySQLParameter("password", password));

        var total = (int)command.ExecuteScalar();
        if(total == 0)
            InvalidLogin = true;
        else
            InvalidLogin = false;
    }
}

There are few things to notice

  • NEVER build your query string in that way you did it. Search on Google for "sql injection" to find more about what could happen to you. ALWAYS use parameters. I know, you wrote that this is console app, but good habits are important.
  • ALWAYS use using keyword when working with database connections and commands.
  • From your code, I have a feeling that you have global MySQLConnection object, right? NEVER do that! ADO.NET uses connection pooling, so opening new connection for your actions is not expensive operation. Make sure that you didn't disable connection pooling in your connection string.
  • Not related to ADO.NET, but important: you should hash your password.

To answer your question, the problem is in ExecuteScalar that you are using. It returns scalar variable (single value)...in your query, you are returning username and password, so you should use ExecuteReader instead...but I think that COUNT(*) in the query that I posted, together with ExecuteScalar might be a better solution.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

Try this.. 

string selectString =
                "SELECT username, password " +
                "FROM users " +
                "WHERE username = '" + user + "' AND password = '" + password + "'";

                MySqlCommand mySqlCommand = new MySqlCommand(selectString, Program.mySqlConnection);
                Program.mySqlConnection.Open();
                String strResult = String.Empty;

                if (mySqlCommand.ExecuteScalar()== NULL)
                {
                    responseString = "invalid";
                    InvalidLogin = true;
                } else {
                    InvalidLogin = false;
                }
               Program.mySqlConnection.Close();
Improve this answer

1 Comment

I used (strResult == user) instead and everything started working, thanks. BTW I checked for injection. Thanks everyone for being so awesome!
1

ExecuteScalar() returns a single value. You want ExecuteReader() because you're bringing back the Username and Password

Improve this answer

1 Comment

hmmmm. Have a look at Aleksandar Vucetic's suggestion about using Count(*) above, to see if you are getting any data from your query.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.