What I'm trying to do is have a login type windows form to take a user name and password then compare these with data in the db then open an admin type form. I've been trying to get this to work for a few days now with no luck, about 90% of the code below is a peice together from various forums trying to get it to work.

i no longer get an error 26 connection cant be made or what may have you, but now i get "Login failed for user ''.", not quite should what this means or how to go about it

Private Sub LoginB_Click(sender As System.Object, e As System.EventArgs) Handles LoginB.Click
        Try
            Dim con As New SqlConnection("Data Source=.\SQLEXPRESS;Database=C:\tcdb\tcdb.sdf;")
            Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)
            con.Open()
            Dim sdr As SqlDataReader = cmd.ExecuteReader()
            ' If the record can be queried, it means passing verification, then open another form.   
            If (sdr.Read() = True) Then
                MessageBox.Show("The user is valid!")
                Admin.Show()
                Me.Hide()
            Else
                MessageBox.Show("Invalid username or password!")
            End If
            con.Close()
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try

ps. sdf db has no user/pass needed to open... i think i didnt set one and the whole app doesnt use one and loads binded data within another form without any problem whatsoever

thanks in adv

Try to open the connection before the SQL query....

u have opened the connection after the query

And also make sure that u have passed the correct credential for server.

hey man saw your connection string where your username & pwd and provider

Change the statement

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

to remove the parentheses around the table name. The proper syntax is

select field1,field2,etc from table where etc

not

select field1,field2,etc from(table) where etc

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

NO. BAD!
This is open to a SQL Injection Attack. Security hole. Dont simply append the strings. You should be using what is called a prepared statement, with paramaters.

Can you please elaborate on prepared statement, with paramaters

Read:
http://en.wikipedia.org/wiki/Prepared_statement
http://en.wikipedia.org/wiki/SQL_injection

If you have, for example,

"SELECT Price FROM Products WHERE ProductName = '" + some_variable + "'";

And i entered into into the product name search box:
"cheese';DROP TABLE Products WHERE '1' = '1"

Then the following code would be executed

"SELECT Price FROM Products WHERE ProductName = 'cheese';DROP TABLE Products WHERE '1' = '1'";

And the table would be dropped! (see how i run my own query there)

Therefore you must use prepared statements and paramaters.

Interesting. Thanks for the post.

This is how 99% of sites get hacked.... Amateur mistake.

Never had to write a user inteface for a database. All of my stuff was automated, infrastructure/data mining/massaging/import/export behind safe firewall stuff. I'm glad I never had to worry about things like that.