
I want to create a Registration and Log In form on Visual Studio 2010 (with Visual C#).
I have created Service-Based Database and one table. I can insert data into the table (at the registration form), but I cannot figure out how to log in the user.

I have a very simple Log In Form (just fields for username and password) and a 'Log In' Button. I do not really know how to check if the password and the username (that exist in my database) match. Here is what I have so far:

private void button1_Click(object sender, EventArgs e)
{
    if (textBox1.Text != "" & textBox2.Text != "")
    {
        cn.Open();  // cn is the SqlConnection
        cmd.Parameters.AddWithValue("@Username", textBox1.Text);  // cmd is the SqlCommand
        cmd.Parameters.AddWithValue("@Password", textBox2.Text);
        if (cmd.CommandText == "SELECT * FROM Table1 WHERE username = @Username AND password = @Password")
        {
            MessageBox.Show("Logged In!");
            this.Close();
        }
        cn.Close();
    }
}
  • Assuming cmd is already defined somewhere else in the code? You'll need to execute that command against the db; setting the CommandText does not actually check the database. And we'll ignore the fact that it appears you're storing passwords in plaintext... for now. Commented May 17, 2013 at 21:35
  • Maybe security isn't your concern. But you should NEVER authenticate client side; creating a php script on your server and submitting a request to it would work better. And with your SqlConnection, logging into the database to log in a user presents a threat if you have to include your database password in the application. Commented May 17, 2013 at 21:37
  • Yeah, I do know what I'm doing is not safe/correct, but I'm still a beginner, so I want first to learn how to check if the password and the username match and then learn about security. Commented May 17, 2013 at 22:08

2 Answers

4

You need to execute the query to know if the information exists in the database:

if (textBox1.Text != "" & textBox2.Text != "")
{
    // Count matching rows instead of selecting them, so ExecuteScalar returns a single int
    string queryText = @"SELECT Count(*) FROM Table1
                         WHERE username = @Username AND password = @Password";
    using (SqlConnection cn = new SqlConnection("your_connection_string"))
    using (SqlCommand cmd = new SqlCommand(queryText, cn))
    {
        cn.Open();
        cmd.Parameters.AddWithValue("@Username", textBox1.Text);
        cmd.Parameters.AddWithValue("@Password", textBox2.Text);
        int result = (int)cmd.ExecuteScalar();
        if (result > 0)
            MessageBox.Show("Logged In!");
        else
            MessageBox.Show("User Not Found!");
    }
}

I have also changed something in your code.

  • Changed the query text to return just the count of the users with the specific username and account and be able to use ExecuteScalar
  • Enclosed the creation of the SqlConnection and SqlCommand in a using statement to be sure to dispose these objects at the end of the operation

I also recommend changing the way in which you store the password.
Store a hash in the password field, not the clear password. Then pass the same hash to the database and compare this against the content of the database field.
In this way, the password is known only to your user, not to you or to any passerby that looks at the database table.


3 Comments

I get an error that says 'The formatting of the preparation string is not compatible with the prescription that starts around the pointer 0'; not sure if that is the exact translation (the error is in Greek).
Have you replaced my fake connection string with your own connection string?
Oh, sorry. Totally forgot about that. Works great now. Many thanks!
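The comment under the question and the end of this answer both point at the same gap: the password should not be stored in clear, and the answer's approach of hashing client side and comparing in the WHERE clause only works for an unsalted hash, which leaves identical passwords with identical hashes. The example below is added here and is not code from the question or either answer. It assumes a table `Table1` with columns `username` (nvarchar), `password_hash` (varbinary(32)) and `password_salt` (varbinary(16)); those column names and widths are this example's assumptions, not the poster's schema. It uses `Rfc2898DeriveBytes` (PBKDF2), which exists in .NET 2.0 and later, so it runs on Visual Studio 2010, and it fetches the row by username only and verifies the password in the application, so the database never sees the password at all.

```csharp
// Added example, not from the original question or answers: registration and
// login with a per-user salt and a PBKDF2 hash instead of a plaintext compare.
// Table1(username nvarchar, password_hash varbinary(32), password_salt varbinary(16))
// is an assumed schema for this example.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class PasswordAuth
{
    const int SaltSize = 16;
    const int HashSize = 32;
    const int Iterations = 100000; // raise as hardware allows; cost is the point

    // Derive a 32-byte key from the password and salt with PBKDF2-HMAC-SHA1.
    static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }

    // Compare two byte arrays in time that does not depend on where they differ,
    // so a caller cannot learn the stored hash byte by byte from response timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Registration: fresh random salt per user, store salt and hash, never the password.
    public static void Register(string connectionString, string username, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(salt);
        var hash = Hash(password, salt);

        using (var cn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO Table1 (username, password_hash, password_salt) " +
            "VALUES (@Username, @Hash, @Salt)", cn))
        {
            // Explicitly typed parameters: no SQL injection and no implicit
            // server-side type conversion that AddWithValue can cause.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 64).Value = username;
            cmd.Parameters.Add("@Hash", SqlDbType.VarBinary, HashSize).Value = hash;
            cmd.Parameters.Add("@Salt", SqlDbType.VarBinary, SaltSize).Value = salt;
            cn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Login: look the row up by username only, recompute the hash with the
    // stored salt, and compare in constant time.
    public static bool Login(string connectionString, string username, string password)
    {
        byte[] storedHash = null, storedSalt = null;
        using (var cn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT password_hash, password_salt FROM Table1 WHERE username = @Username", cn))
        {
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 64).Value = username;
            cn.Open();
            using (var rdr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (rdr.Read())
                {
                    storedHash = (byte[])rdr["password_hash"];
                    storedSalt = (byte[])rdr["password_salt"];
                }
            }
        }

        // Unknown user: still run the KDF against a dummy salt so a missing
        // account takes as long as a wrong password (no username enumeration by timing).
        if (storedSalt == null)
        {
            Hash(password, new byte[SaltSize]);
            return false;
        }
        return FixedTimeEquals(Hash(password, storedSalt), storedHash);
    }
}
```

In the button handler this replaces the query entirely: `if (PasswordAuth.Login(connectionString, textBox1.Text, textBox2.Text)) { MessageBox.Show("Logged In!"); this.Close(); }`. The connection string still has to live somewhere the application can read it, which is the other point raised in the comments: a desktop client that holds database credentials can be used to query the table directly, so for anything beyond a learning exercise the check belongs on a server the client talks to.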
0
// Web Forms variant: same counting query, redirecting instead of showing a message box.
// Wrapped in using blocks so the connection is closed even if the query throws.
using (SqlConnection con = new SqlConnection("connection_string"))
using (SqlCommand cmd = new SqlCommand(
    "select Count(*) from [dbo].[Table] where uname=@uname and password=@password", con))
{
    cmd.Parameters.AddWithValue("@uname", uname.Text);
    cmd.Parameters.AddWithValue("@password", password.Text);
    con.Open();
    int result = (int)cmd.ExecuteScalar();
    if (result > 0)
    {
        Response.Redirect("welcome.aspx");
    }
    else
    {
        Response.Redirect("register.aspx");
    }
}
