Simple login problem using database

manavsm

Please help me to develop this simple Windows login form.
The problem is that I am unable to validate my user name and password...

using System;
using System.Data.SqlClient;
using System.Windows.Forms;

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            // The return value of login() is ignored, so the click handler never learns whether validation succeeded.
            login(txt_username.Text, txt_password.Text);
        }

        public Boolean login(string user, string pass)
        {
            SqlConnection con = new SqlConnection("Data Source=SNSS1\\SQLEXPRESS;Initial Catalog=Employee;User ID=sa;Password=eLog!234");
            con.Open();
            // The query text is built by concatenating the user-supplied values into the SQL string.
            SqlCommand cmd = new SqlCommand("select * from Tbl_password where UserName='" + user + "' and Password='" + pass + "'", con);
            SqlDataReader dr = cmd.ExecuteReader();
            while (dr.Read())
            {
                if ((dr["UserName"].ToString() == user) && (dr["Password"].ToString() == pass))
                {
                    // Form2 is shown from inside the validation method itself.
                    Form2 frm2 = new Form2();
                    frm2.Show();
                }
            }
            // Always returns false, even when a matching row was found.
            return false;
        }
    }
}
pritesh2010

This link will help you. It is in VB.Net; with a small change it will work in C# also.

Ryshad

Rather than creating your new form inside your login method, keep your login method purely for validating the user then create the form based on its return value:

private void button1_Click(object sender, EventArgs e)
{
    bool validated = login(txt_username.Text, txt_password.Text);
    if (validated)
    {
        // show form
        Form2 frm2 = new Form2();
        frm2.Show();
    }
    else
    {
        // notify user of invalid credentials
        MessageBox.Show("Invalid user name or password.");
    }
}

public Boolean login(string user, string pass)
{
    // 'using' disposes the connection and the reader even if an exception is thrown
    using (SqlConnection con = new SqlConnection("Data Source=SNSS1\\SQLEXPRESS;Initial Catalog=Employee;User ID=sa;Password=eLog!234"))
    {
        con.Open();
        SqlCommand cmd = new SqlCommand("select * from Tbl_password where UserName='" + user + "' and Password='" + pass + "'", con);
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            while (dr.Read())
            {
                if ((dr["UserName"].ToString() == user) && (dr["Password"].ToString() == pass))
                {
                    return true;
                }
            }
        }
    }
    return false;
}

You may also want to reconsider the while(dr.Read()) section. If you call dr.Read() when no records have been returned you will throw an exception. Take a look at the dr.HasRows property and see if you can streamline the logic in that section.
Post your changes and let us know if you get stuck :)

manavsm

Thanks, got it...

Ryshad

No problem. Remember to mark the thread as solved if your problem has been resolved :)

raj_developer

Remember, this type of dynamic SQL query will cause an SQL injection vulnerability in your application. Use parameterized queries instead of appending to the SQL string.
For example, change the SQL to:
select * from Tbl_password where UserName=@userName and Password=@password

SqlParameter userName = new SqlParameter("@userName", SqlDbType.VarChar);
SqlParameter password = new SqlParameter("@password", SqlDbType.VarChar);
userName.Value = user;   // the values are bound to the parameters, never spliced into the query text
password.Value = pass;
cmd.Parameters.Add(userName);
cmd.Parameters.Add(password);

Another suggestion:
Instead of selecting the user name and password from the table, change the SQL query like this:
select count(*) from Tbl_password where UserName=@userName and Password=@password
Then:
int status = (int)cmd.ExecuteScalar();   // count(*) comes back as a single int value

if (status == 1)
    return true;
else
    return false;
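Putting Ryshad's advice (keep login() purely for validation and branch on its return value) and raj_developer's advice (bind the values as parameters and check count(*)) together, here is a complete version as an added example; it is not code posted in this thread. It assumes the thread's Form1 controls (txt_username, txt_password), its Tbl_password table, and a connection string stored in App.config under the hypothetical name "Employee".

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public partial class Form1 : Form
{
    private void button1_Click(object sender, EventArgs e)
    {
        if (Login(txt_username.Text, txt_password.Text))
        {
            new Form2().Show();
        }
        else
        {
            // One generic message for both a wrong name and a wrong password,
            // so the dialog does not reveal which user names exist.
            MessageBox.Show("Invalid user name or password.");
        }
    }

    // Returns true only when exactly one row matches both values.
    public static bool Login(string user, string pass)
    {
        // Assumed: the connection string is kept in App.config under the
        // (hypothetical) name "Employee" instead of being hard-coded here.
        string connStr = ConfigurationManager.ConnectionStrings["Employee"].ConnectionString;

        const string sql =
            "SELECT COUNT(*) FROM Tbl_password WHERE UserName = @userName AND Password = @password";

        using (SqlConnection con = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // The values travel as typed parameters, not as part of the statement text,
            // so quotes or keywords in the input cannot alter the query's structure.
            cmd.Parameters.Add("@userName", SqlDbType.VarChar, 50).Value = user;
            cmd.Parameters.Add("@password", SqlDbType.VarChar, 50).Value = pass;

            con.Open();
            int matches = (int)cmd.ExecuteScalar();   // COUNT(*) arrives as a single int
            return matches == 1;
        }
    }
}
```

The parameter lengths (50) are an assumption; match them to the actual column sizes in Tbl_password.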
