Simple login problem using database

Question

manavsm -6 Light Poster

13 Years Ago

Please help me to develop this simple windows login form
problem is i am unable to validate my user name and password...

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
       
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            login(txt_username.Text, txt_password.Text);
       
                
           
        }
      
            public Boolean login(string user,string pass)
            {
                SqlConnection con = new SqlConnection("Data Source=SNSS1\\SQLEXPRESS;Initial Catalog=Employee;User ID=sa;Password=eLog!234");
                con.Open();
                SqlCommand cmd=new SqlCommand ("select * from Tbl_password where UserName='"+user+"' and Password='"+pass+"'",con);
                SqlDataReader dr = cmd.ExecuteReader();
                while(dr.Read())
                {
                    if ((dr["UserName"].ToString() == user) && (dr["Password"].ToString() == pass))
                    {
                      
                        Form2 frm2 = new Form2();
                        frm2.Show();
                    }


                }
                return false;
            }
     

      
    }
}

4 Contributors
5 Replies
353 Views
1 Day Discussion Span
Latest Post 13 Years Ago Latest Post by raj_developer

All 5 Replies

pritesh2010 30 Posting Whiz in Training

13 Years Ago

this Link will help you. it is in VB.Net do small change it will work in C# also.

Geekitygeek 480 Nearly a Posting Virtuoso

13 Years Ago

Rather than creating your new form inside your login method, keep your login method purely for validating the user then create the form based on its return value:

private void button1_Click(object sender, EventArgs e)
        {
           bool Validated = login(txt_username.Text, txt_password.Text);
           if(Validated)
           {
               //show form
           }
           else
           {
               //notify user of invalid credentials
           }
        }
      
            public Boolean login(string user,string pass)
            {
                SqlConnection con = new SqlConnection("Data Source=SNSS1\\SQLEXPRESS;Initial Catalog=Employee;User ID=sa;Password=eLog!234");
                con.Open();
                SqlCommand cmd=new SqlCommand ("select * from Tbl_password where UserName='"+user+"' and Password='"+pass+"'",con);
                SqlDataReader dr = cmd.ExecuteReader();
                while(dr.Read())
                {
                    if ((dr["UserName"].ToString() == user) && (dr["Password"].ToString() == pass))
                    {
                        return true;
                    }
                }
                return false;
            }

You may also want to reconsider the while(dr.Read()) section. If you call dr.Read() when no records have been returned you will throw an exception. Take a look at the dr.HasRows property and see if you can streamline the logic in that section.
Post your changes and let us know if you get stuck :)

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

manavsm -6 Light Poster · Answer 1 · 2010-08-03T15:36:36+00:00

manavsm -6 Light Poster

13 Years Ago

thanks got it ...

Geekitygeek 480 Nearly a Posting Virtuoso · Answer 2 · 2010-08-03T16:10:10+00:00

No problem. remember to mark the thread as solved if your problem has been resolved :)

raj_developer -3 Light Poster · Answer 3 · 2010-08-04T18:23:28+00:00

Remember, this type of dynamic SQL query will cause SQL Injection vulnerability for your application. Use parametrized queries instead of appending the SQL string.
For example:
change SQL to,
select * from Tbl_password where UserName=@userName and Password=@password

SqlParameter userName=new SqlParameter("@userName",SqlDBType.Varchar);
SqlParameter passsword=new SqlParameter("@password",SqlDBType.Varchar);
cmd.Parameters.Add(userName);
cmd.Parameters.Add(password);

Another suggestion:
Instead of selecting user name and password from table, change the sql query like this:
select count(*) from Tbl_password where UserName=@userName and Password=@password
Then,
int status=cmd.ExecuteScalar()

if (status==1)
return true;
else
return false;

Simple login problem using database

Recommended Answers Collapse Answers

All 5 Replies

Recommended Answers