5

Been having problems with this for a couple of days. I'm working on a login screen with a simple username and password, and having everything stored in a database. Pretty much I need to check to see if the username and password match up and also see if their account is activated (either a 0 or 1). I have been having problems with this and can't seem to get it to work correctly. Any help is appreciated.

DB Mysql

    private void loginButton_Click(object sender, EventArgs e)
        {
            AdamPanel blarg = new AdminPanel();
            string pass, user;
            string password = "";
            string username = "";

            user = usernameBox.Text;
            pass = passwordBox.Text;           
            DataSet bb = new DataSet();

            string connectionString = "datasource=stuff;database=users";
            MySqlConnection mysql = new MySqlConnection(connectionString);
            MySqlDataAdapter adapter = new MySqlDataAdapter();

            adapter.SelectCommand = new MySqlCommand("SELECT * FROM RegularUsers WHERE Username = '" + user + "' AND Password = '" + pass + "'", mysql);
            adapter.Fill(bb);

            if(bb.HasRows)
                blarg.Show();
            return 0;





        }

    }
}

Still not working, any ideas?

7
  • Not sure what your question is exactly? Where are you stuck? Commented Feb 28, 2011 at 1:14
  • Are you having issues connecting to the database or with the actual query? An example of the code you're using would help us help you :) Commented Feb 28, 2011 at 1:17
  • I don't really even know where to start. I have it connected but I don't know where to go from there. Commented Feb 28, 2011 at 1:29
  • Okay, added a code example. Any ideas? Commented Feb 28, 2011 at 20:46
  • You're using paSS and usER instead of this.username and this.password. paSS and usER were never populated with the user's values. Commented Feb 28, 2011 at 21:07

4 Answers

2

First of all PLEASE hash and salt your passwords. Make sure your username/pw aren't SQL injection vulnerable since you're not using a language with parameterized queries... probably best using stored procs as I believe MySql has them now.

However, in spite of this... I think this is what you're looking for.

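    public int Load()
    {
        string connectionString = "datasource=STUFF YOU SHOULDNT SEE;database=users";
        MySqlConnection mysql = new MySqlConnection(connectionString);
        MySqlDataAdapter adapter = new MySqlDataAdapter();
        DataSet dataset = new DataSet();

        // The values are still concatenated into the SQL text here (see the injection warning above).
        adapter.SelectCommand = new MySqlCommand("SELECT * FROM RegularUsers WHERE Username = '" + this.username + "' AND Pass = '" + this.password + "'", mysql);
        adapter.Fill(dataset);

        // DataSet has no HasRows property; count the rows of the filled table instead.
        if (dataset.Tables[0].Rows.Count > 0)
            return 1;
        return 0;
    }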

1

    public bool ValidateLogin(string username, string password)
    {
        MySqlConnection conn = new MySqlConnection("[YOURCONNECTIONSTRING]");
        MySqlDataAdapter adapter = new MySqlDataAdapter();
        DataSet dataset = new DataSet();

        // Named placeholders; the values are bound below and never spliced into the SQL text.
        adapter.SelectCommand = new MySqlCommand("SELECT * FROM [YOURUSERTABLE] WHERE Username = @Username AND Pass = @Password", conn);
        adapter.SelectCommand.Parameters.AddWithValue("@Username", username);
        adapter.SelectCommand.Parameters.AddWithValue("@Password", password);

        adapter.Fill(dataset);

        // DataSet has no HasRows property; check the filled table's row count instead.
        if (dataset.Tables[0].Rows.Count > 0)
        {
            // User is logged in maybe do FormsAuthentication.SetAuthcookie(username);
            return true;
        }
        else
        {
            // Authentication failed
            return false;
        }
    }

6 Comments

Perfect, now my question is instead of putting it into a data set just compare and then return a 1 or a 0.
You might want to think about parameterizing the query, or minimally sanitizing the inputs in some fashion so you don't get sql inject attacks here. . .
Paul is absolutely correct, so I added some parameters. Don't forget to change the [YOURCONNECTIONSTRING] and [YOURUSERTABLE] parts to your code.
Yeah I am going to hash and salt my passwords, I'm just trying to get db connecting and working.
Also is there a specific library that I need to use to use "dataset"? Or declare one?
1

First of all you must include using MySql.Data.MySqlClient.
Use these functions:

    // Opens a connection from the application's settings; returns null if it cannot be opened.
    public MySqlConnection NewConnection()
    {
        string cstr = String.Format(
            "SERVER={0};PORT={1};DATABASE={2};UID={3};PWD={4}",
            sett.DBHost, sett.DBPort, sett.DBDatabase,
            HotelDB.user, HotelDB.password);
        MySqlConnection conn = new MySqlConnection(cstr);
        try { conn.Open(); }
        catch (Exception)
        {
            conn = null;
        }
        return conn;
    }

    // Builds a command; parameters are name/value pairs: name1, value1, name2, value2, ...
    private MySqlCommand NewCommand(MySqlConnection conn, string cmd, params object[] parameters)
    {
        if (conn == null) return null;
        MySqlCommand command;
        try
        {
            command = new MySqlCommand(cmd, conn);
            if (parameters != null)
            {
                int index = 0;
                while (index < parameters.Length)
                {
                    command.Parameters.Add(
                        new MySqlParameter((string)parameters[index], parameters[index + 1]));
                    index += 2;
                }
            }
        }
        catch { command = null; }
        return command;
    }

    // Returns the lowercase hex MD5 digest of the ASCII bytes of Value.
    private string MD5(string Value)
    {
        System.Security.Cryptography.MD5CryptoServiceProvider x = new System.Security.Cryptography.MD5CryptoServiceProvider();
        byte[] data = System.Text.Encoding.ASCII.GetBytes(Value);
        data = x.ComputeHash(data);
        string ret = "";
        for (int i = 0; i < data.Length; i++)
            ret += data[i].ToString("x2").ToLower();
        return ret;
    }

Then you can do:

    MySqlConnection conn = NewConnection(.....);
    MySqlCommand cmd = NewCommand(conn,"SELECT userid,useractive FROM table WHERE username=@user AND MD5(password)=@pwd","user",username,"pwd",MD5(pwd));
    MySqlDataReader rd = cmd.ExecuteReader();

Where username and pwd are the ones typed by the user. If rd is empty, user/pwd are wrong; otherwise you can read the fields you need.


1

I changed some variables and made it as simple as possible; instead of declaring a variable for the textbox, I direct it to the adapter:

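    private void button_Click(object sender, EventArgs e)
    {
        MySqlConnection mcon = new MySqlConnection("Yourconnection");
        MySqlDataAdapter adapter;
        DataTable table = new DataTable();

        // The textbox values are bound as parameters instead of being concatenated into the SQL text.
        adapter = new MySqlDataAdapter("Select * From database.table where Username = @user and password = @pass", mcon);
        adapter.SelectCommand.Parameters.AddWithValue("@user", textbox1.Text);
        adapter.SelectCommand.Parameters.AddWithValue("@pass", textbox2.Text);
        adapter.Fill(table);
        if (table.Rows.Count <= 0)
        {
            //message something
        }
        else
        {
            //show main form
        }
    }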

1 Comment

You may want to add some details as to what you changed and why.
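
An added example (not code from any of the posts above) of the check the question asks for: match the username and password and test the activation flag, using a bound parameter instead of the concatenated query in the question and a salted PBKDF2 hash instead of a plaintext or MD5 password column. The columns PasswordSalt and PasswordHash (binary, NOT NULL) and Active, the iteration count, and the names LoginResult and LoginCheck are assumptions; RegularUsers and Username come from the question.

```csharp
using System;
using System.Security.Cryptography;
using MySql.Data.MySqlClient;

public enum LoginResult { Ok, BadCredentials, NotActivated }

public static class LoginCheck
{
    // Assumed PBKDF2 work factor; it must match the value used when the account was created.
    const int Iterations = 100000;

    public static LoginResult Validate(string connectionString, string username, string password)
    {
        byte[] salt = null, storedHash = null;
        bool active = false;

        using (var conn = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(
            "SELECT PasswordSalt, PasswordHash, Active FROM RegularUsers WHERE Username = @user", conn))
        {
            // The username is bound as data and never becomes part of the SQL text.
            cmd.Parameters.AddWithValue("@user", username);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    salt = (byte[])reader["PasswordSalt"];
                    storedHash = (byte[])reader["PasswordHash"];
                    active = Convert.ToInt32(reader["Active"]) == 1;   // the 0/1 flag
                }
            }
        }

        if (storedHash == null) return LoginResult.BadCredentials;   // no such user

        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            candidate = kdf.GetBytes(storedHash.Length);

        // Compare every byte so timing does not reveal how many leading bytes matched.
        int diff = 0;
        for (int i = 0; i < storedHash.Length; i++) diff |= candidate[i] ^ storedHash[i];
        if (diff != 0) return LoginResult.BadCredentials;

        // The activation state is reported only after the password has been verified.
        return active ? LoginResult.Ok : LoginResult.NotActivated;
    }
}
```

The click handler would call `LoginCheck.Validate(connectionString, usernameBox.Text, passwordBox.Text)` and show the admin panel only on `LoginResult.Ok`.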
