```vb
Public Class login
    Dim cnn As New OleDb.OleDbConnection

    Private Sub OK_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles OK.Click
        Dim cmd As New OleDb.OleDbCommand
        If Not cnn.State = ConnectionState.Open Then
            cnn.Open()
        End If

        cmd.Connection = cnn

        If cmd.CommandText = "SELECT UName FROM Account WHERE UName =" & Me.UsernameTextBox.Text Then
            If cmd.CommandText = "SELECT PWord FROM Account WHERE PWord =" & Me.PasswordTextBox.Text Then
                Dim f As Form = Application.OpenForms.Item("Main")

                If f Is Nothing Then
                    Dim MainForm As New Main

                    Main.Show()
                Else
                    f.BringToFront()
                End If

                Me.Hide()
            Else
                MsgBox("Invalid password.Please try again!", MsgBoxStyle.Exclamation)
                PasswordTextBox.Focus()
            End If
        Else
            MsgBox("Invalid Username.Please try again!", MsgBoxStyle.Exclamation)
            UsernameTextBox.Focus()
        End If

        cmd.ExecuteNonQuery()
        cnn.Close()
    End Sub

    Private Sub Cancel_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Cancel.Click
        Me.Close()
    End Sub

    Private Sub login_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        cnn = New OleDb.OleDbConnection
        cnn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\Database.accdb"
    End Sub

End Class
```

Above is my code. Can someone tell me what is wrong?

All 3 Replies

Your connection string looks wrong.

Are you getting your "DataDirectory" from your vb app?

If so, your connection string should look like this.

```vb
cnn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" & DataDirectory & "\Database.accdb"
```

Try this, my friend:

```vb
cnn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\Database.accdb"
```

Let's start by saying that your code will never get you logged in and it's not just the connection string.

1) You are comparing the queries you use to verify the username/password with the actual password:
`if Select Uname From Account WHERE UName = sing1006`
can never return true (except if your users enter the select as username). Same thing with password.
Instead you need to query the db with the cmd after setting the commandtext and see if you get results back.

2) You are not using single quotes (') around strings. This won't work that well with SQL syntax.

3) This one won't stop you from logging in, but will do the opposite - allow more than it should to login. You are not looking for a combination of username and password to be correct, just any valid username and any valid password. We don't say which one is wrong because you are helping an attacker bypass your security.

So change your script to something like this:

```vb
    cmd.Connection = cnn
    cmd.CommandText = "Select count(*) from Account WHERE Uname = '" & Me.UsernameTextBox.Text & "' and PWord = '" & Me.PasswordTextBox.Text & "'"

    If cmd.ExecuteScalar = 1 Then '1 Account found
        Dim f As Form = Application.OpenForms.Item("Main")
        If f Is Nothing Then
            Dim MainForm As New Main
            Main.Show()
        Else
            f.BringToFront()
        End If
        Me.Hide()
    Else
        MsgBox("Invalid Username / password combination.Please try again!", MsgBoxStyle.Exclamation)
        PasswordTextBox.Focus()
    End If
    cnn.Close()
End Sub
```

If you really need to tell which one was wrong then you can do a similar query in your db with just the username. I'd do it inside the else part, in order for it to run only if the user failed to login and not use resources and add delay to a successful one.

PS: I forgot to mention that there is a reason for looking for just 1 account and with count. If somebody uses SQL injection to dump the whole account table the statement won't return true and the table won't be transmitted over network - reducing the chances for somebody hacking his way into your db.

commented: thanks, it works. +1
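
The count query from the last reply with both text-box values bound as parameters instead of concatenated into the SQL text, as an added example that is not part of the original thread. The `LoginCheck` module, the `IsValidLogin` function and the 255-character parameter size are assumptions; the table and column names are the ones posted above.

```vb
Imports System.Data.OleDb

Module LoginCheck
    ' Hypothetical helper (not from the thread): returns True only when
    ' exactly one Account row matches both the user name and the password.
    Public Function IsValidLogin(ByVal connectionString As String, _
                                 ByVal userName As String, _
                                 ByVal password As String) As Boolean
        ' OLE DB text commands use positional "?" placeholders, so the
        ' parameters must be added in the order the placeholders appear.
        Const sql As String = "SELECT COUNT(*) FROM Account WHERE UName = ? AND PWord = ?"

        Using cnn As New OleDbConnection(connectionString)
            Using cmd As New OleDbCommand(sql, cnn)
                ' The values travel as data, not as SQL text, so a quote
                ' character typed into either box cannot alter the statement.
                ' Size 255 is an assumed column width (Access short text).
                cmd.Parameters.Add("@UName", OleDbType.VarWChar, 255).Value = userName
                cmd.Parameters.Add("@PWord", OleDbType.VarWChar, 255).Value = password

                cnn.Open()
                Dim matches As Integer = Convert.ToInt32(cmd.ExecuteScalar())
                Return matches = 1
            End Using
        End Using ' The connection is closed here even if the query throws.
    End Function
End Module
```

In `OK_Click`, the `If cmd.ExecuteScalar = 1 Then` test would become `If IsValidLogin(cnn.ConnectionString, Me.UsernameTextBox.Text, Me.PasswordTextBox.Text) Then`.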