            // Credential lookup against the Login table. Both values are bound as
            // SqlParameters, so they are not concatenated into the SQL text.
            // NOTE(review): LIKE treats % and _ inside the supplied values as
            // wildcards; a login check needs an exact comparison ("=").
            // NOTE(review): the submitted password is compared with the stored column
            // as-is, which suggests plaintext storage - confirm, and store a salted
            // password hash instead.
            String sqlCheckPass = 
"Select * from Login where Username like @Username and Password like @Password";
        SqlCommand SqlCom = new SqlCommand(sqlCheckPass, myConnection);
        SqlCom.Parameters.Add(new SqlParameter("@Username", sUserName));
        SqlCom.Parameters.Add(new SqlParameter("@Password", sPassword));

        myConnection.Open();
        SqlDataReader myreader;
        myreader = SqlCom.ExecuteReader();
        // -1 is the "no matching row" sentinel tested after the loop.
        int id = -1;

// NOTE(review): debug output that writes the submitted username and password into
// the page markup without HTML encoding. It echoes the password back in the
// response and lets markup in the input reach the page; remove it, or at minimum
// HTML-encode the username and drop the password.
ErrorBox.InnerHtml = "Username:" + sUserName + ":" + sPassword + ":<br/>";
// HasRows only reports whether the result set contains rows; it does not advance
// the reader. Read() is never called in this snippet, so no row is current when
// the columns are indexed below.
while (myreader.HasRows)
{
    id = (int)myreader["id"];
    String sUser = (String)myreader["Username"];
    String sPass = (String)myreader["Password"];
    // NOTE(review): also renders the stored password into the page, unencoded.
    ErrorBox.InnerHtml += "UserId is <b>" + id + "</b> " + sUser + ":" + sPass + ":<br >";
    // The matched id becomes the session's login identity.
    Session["LoginID"] = id;
    // NOTE(review): presumably ends processing of this page, in which case the
    // Close() below is not reached on the success path - verify; a using block
    // around the connection and reader would cover every path.
    Server.Transfer(ReturnPage);

}
if (id == -1)
{
    ErrorBox.InnerHtml = "Incorrect Password";
}
myConnection.Close();
// The matching try is not shown in this snippet.
// NOTE(review): err.Message is shown to the user as HTML; driver and database
// error text can disclose internal detail. Log it server-side and show a generic
// message instead.
catch (Exception err)
{
    ErrorBox.InnerHtml = "Error Getting  Option ID" + err.Message;
}

I added a breakpoint at myreader = SqlCom.ExecuteReader(); and it keeps returning myreader as null and HasRows = False, although it does have rows. So it keeps treating my login as incorrect, since id = -1.

Help?

  • The code to post should be the generation of "SqlCom". Commented Mar 23, 2010 at 14:43
  • Secondly... if myreader is null then "HasRows" can't be false. Commented Mar 23, 2010 at 14:45
  • Don't store your passwords in plain text on the database - what happens when someone gets access to that table? Store them as a hash instead. Commented Mar 23, 2010 at 15:06
  • Also, you should really specify the type of the parameters on the command object as you create them... Commented Mar 23, 2010 at 15:07

3 Answers 3


You didn't connect your reader to your SQL connection/command?

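// Connection, command and reader are each wrapped in a using block so they are
// released even if Open(), ExecuteReader() or Read() throws.
using (SqlConnection myConnection = new SqlConnection(myConnectionString))
using (SqlCommand myCommand = new SqlCommand(mySelectQuery, myConnection))
{
    myConnection.Open();

    // CloseConnection ties the connection to the reader: closing the reader
    // closes the connection as well.
    using (SqlDataReader myReader = myCommand.ExecuteReader(CommandBehavior.CloseConnection))
    {
        // Read() advances to the next row and returns false once none are left;
        // columns may only be accessed after it has returned true.
        while (myReader.Read())
        {
            Console.WriteLine(myReader.GetString(0));
        }
    }
}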

5 Comments

+1 - it's obviously not initialised, hence being NULL. Other values are just defaults.
See the original post, I've edited it; I'm sure it's connected right. @Chris - What's not initialised?
Is your connection string setup properly? No exceptions thrown in a try/catch or similar?
Yeah, definitely right, because it can get the names from the database into a dropdown list that I've temporarily set up
And @David makes a good recommendation, it might also be your query format

The problem might be the LIKE in your query with the SqlParameters. Try

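// Exact match on both columns. Wrapping the parameters in '%' wildcards would
// accept any value that merely occurs inside the stored username or password,
// which is not an authentication check.
// If an exact match unexpectedly returns no rows, inspect the stored values
// (padding, trailing whitespace, collation) rather than loosening the comparison.
String sqlCheckPass =
"Select * from Login where Username = @Username and Password = @Password";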

4 Comments

By the way, why are you using LIKE instead of "=" ?
Cool. However, it's dangerous to use LIKE %% for authentication, because a wildcard pattern accepts partial matches rather than the exact credentials. You should use "="
Never use LIKE for checking a name and password.
+1 for using "=" instead of "like". I am also curious... what are the values on both parameters that no data was being returned before adding the wildcards...

Bryan Denny's answer above is correct; however, I would enclose all of the code inside using statements, as shown below:

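// Connection, command and reader are all disposed by using blocks, so nothing is
// left open if any call below throws.
using (SqlConnection dataConnection = new SqlConnection(connectionString))
using (SqlCommand SqlCom = dataConnection.CreateCommand())
{
    // "=" rather than LIKE: a credential check must match the stored values
    // exactly, and LIKE would treat % and _ in the input as wildcards.
    SqlCom.CommandText = "Select * from Login where Username = @Username and Password = @Password";
    // Values are bound as parameters, never concatenated into the SQL text.
    // NOTE(review): the parameter types are inferred from the .NET values here;
    // declaring them to match the column types is the safer habit.
    SqlCom.Parameters.Add(new SqlParameter("@Username", sUserName));
    SqlCom.Parameters.Add(new SqlParameter("@Password", sPassword));

    dataConnection.Open();
    using (SqlDataReader myreader = SqlCom.ExecuteReader())
    {
        // HasRows does not advance the reader; Read() must return true before
        // any column is accessed.
        if (myreader.Read())
        {
            // ... use the matched row here ...
        }
    }
    // No explicit Close(): disposing the connection at the end of the using
    // block closes it.
}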

I didn't add all of your code to this snippet, I figured you get the idea.

Also, you could try modifying the select statement to return a count of records since this is all you need anyways, a number:

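-- Exact match ("=") rather than LIKE: LIKE would treat % and _ in the supplied
-- values as wildcards, which a credential check must not do.
SELECT COUNT(*) FROM Login WHERE Username = @Username AND Password = @Password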

Good luck!
