I wanted to create a form where a user can create an account, have it loaded in SQL, and be able to retrieve the information and validate it. I've reached a mental block on the validation code and need some advice. Here is my code so far:

Public Class main

    Private Sub Label5_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles lblUsername.Click
        ' empty designer-generated handler
    End Sub

    Private Sub btnJoin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnJoin.Click
        ' show the account-creation fields
        lblName.Visible = True
        lblUsername.Visible = True
        lblPassword.Visible = True
        txtName.Visible = True
        txtUsername.Visible = True
        txtPassword.Visible = True
        btnNext.Visible = True
    End Sub

    Private Sub main_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Try
            SqlConnection1.Open()
        Catch ex As Exception
            MsgBox(ex.Message)
        End Try
    End Sub

    Private Sub btnNext_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnNext.Click
        ' builds the INSERT by string concatenation; only single quotes are stripped from the input
        DBAuser.InsertCommand.CommandText = "INSERT INTO login (userName, login, password) VALUES ('" + txtName.Text.Replace("'", "") + "', '" + txtUsername.Text.Replace("'", "") + "', '" + txtPassword.Text.Replace("'", "") + "');"
        DBAuser.InsertCommand.ExecuteNonQuery()
        MessageBox.Show("Account Created Successfully")
        txtName.Clear()
        txtUsername.Clear()
        txtPassword.Clear()

        ' hide the account-creation fields again
        lblName.Visible = False
        lblUsername.Visible = False
        lblPassword.Visible = False
        txtName.Visible = False
        txtUsername.Visible = False
        txtPassword.Visible = False
        btnNext.Visible = False
    End Sub

    Private Sub btnUser_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUser.Click

        'got stuck here :(

        ' the SELECT text is assigned but never executed, and its result is never checked
        DBAuser.SelectCommand.CommandText = "SELECT login,password FROM login WHERE userName = '" & txtUsername2.Text & "' AND password = '" & txtPassword2.Text & "'"

    End Sub

End Class

Do I need some sort of epic If statement to validate what the user entered into the text boxes, or am I on the wrong path?
Thanks


Do I need some sort of epic If statement to validate what the user entered into the text boxes

I'm afraid you need it.

am I on the wrong path

I don't think so.

I don't know what type DBAuser is. But the SQL syntax "SELECT login,password FROM login WHERE userName = '" & txtUsername2.Text & "' AND password = '" & txtPassword2.Text & "'" is correct. After you execute that SQL statement, just check that one and only one record is returned. If you get no records, either the user name and/or the password is incorrect.

When you create a new account (INSERT statement), you should first check that the user name and the password combination does not exist already.

I would make a separate boolean function for that

Private Function IsValidLogin(ByVal UserName As String, ByVal Password As String) As Boolean
  ' Check if UserName and Password are found in the DB and return True. Otherwise, return False

End Function

Put the DB code (SELECT statement and record count testing) in there and you can call it easily from both user login and when the user creates an account.

Also add SQL injection checking to your login, or else it will be easy to hack...

Jireh is right about SQL injection. I didn't mention it because it's rarely an issue with Windows apps. If you're going to use the code with ASP.NET, there's a really bad security hole. And you'll be hacked sooner or later.

You do some replaces in your SQL INSERT statement. A few characters that you shouldn't allow in user name and password are ";", "-" and "'". To be more precise, the correct way to do it in a "safe way" is to define a set of allowed characters (a-z, 0-9 and a few other printable characters). If the user tries to create an account with a user name and/or a password containing any character that is not an allowed character, it should be rejected.

DBAUser is my database adapter. As for the security and SQL injection, this is just a personal project I'm doing for fun. I guess it would be useful later on, so I'll do some research on that. As for the password validation, I'm still stuck on that part because I don't have much practice with database adapters.

Okay, I figured out the actual code if anybody's interested:

DBAuser.SelectCommand.CommandText = "SELECT COUNT(login) FROM login WHERE userName = '" & txtUsername2.Text & "' AND password = '" & txtPassword2.Text & "'" 'still string concatenation, see the replies above about injection
DSLogin.Clear() 'drop rows from any earlier attempt, otherwise Fill appends and Rows(0) is stale
DBAuser.Fill(DSLogin) 'fill dataset
If CInt(DSLogin.Tables(0).Rows(0).Item(0)) > 0 Then
    'User entered proper login
Else
    'No matching row: user name or password is wrong
End If
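As an added example (not code from the thread or from the original poster), here is the IsValidLogin helper the first reply sketches and the "check the user name doesn't exist before INSERT" step it recommends, together with the allowed-character set the third reply describes, all written with parameterized SqlCommand objects so the COUNT check from the last post no longer depends on stripping quotes. Assumptions: a connection string named LoginDb in App.config (a hypothetical name, instead of the form's SqlConnection1 and DBAuser adapter), and the column layout of the thread's INSERT, where userName holds the display name and login holds the login id; the thread's SELECT compares userName instead, so use whichever column actually holds the identifier.

```vb
' Added example, not the thread's own code.
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

Public Module LoginHelpers

    ' Hypothetical connection string name; adjust to the project's own setting.
    Private ReadOnly ConnString As String = ConfigurationManager.ConnectionStrings("LoginDb").ConnectionString

    ' Allowlist as the third reply suggests: letters, digits and a few printable
    ' characters, 1 to 50 long. Anything else is rejected before the DB is touched.
    Private ReadOnly AllowedPattern As New Regex("^[A-Za-z0-9._@-]{1,50}$")

    Public Function IsAllowedInput(ByVal value As String) As Boolean
        Return value IsNot Nothing AndAlso AllowedPattern.IsMatch(value)
    End Function

    ' True only when exactly one row matches the login id / password pair.
    ' The values travel as parameters, so a quote or semicolon typed into a
    ' text box is plain data and cannot change the statement.
    Public Function IsValidLogin(ByVal userName As String, ByVal password As String) As Boolean
        If Not IsAllowedInput(userName) OrElse Not IsAllowedInput(password) Then
            Return False
        End If

        Using conn As New SqlConnection(ConnString)
            Using cmd As New SqlCommand("SELECT COUNT(*) FROM login WHERE login = @user AND password = @pass", conn)
                cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName
                cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 50).Value = password
                conn.Open()
                Dim matches As Integer = CInt(cmd.ExecuteScalar())
                Return matches = 1
            End Using
        End Using
    End Function

    ' Account creation as the first reply describes: refuse the insert when the
    ' login id already exists, otherwise insert with parameters.
    Public Function CreateAccount(ByVal name As String, ByVal userName As String, ByVal password As String) As Boolean
        If Not IsAllowedInput(name) OrElse Not IsAllowedInput(userName) OrElse Not IsAllowedInput(password) Then
            Return False
        End If

        Using conn As New SqlConnection(ConnString)
            conn.Open()

            Using check As New SqlCommand("SELECT COUNT(*) FROM login WHERE login = @user", conn)
                check.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName
                If CInt(check.ExecuteScalar()) > 0 Then
                    Return False   ' login id already taken
                End If
            End Using

            Using insert As New SqlCommand("INSERT INTO login (userName, login, password) VALUES (@name, @user, @pass)", conn)
                insert.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name
                insert.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName
                insert.Parameters.Add("@pass", SqlDbType.NVarChar, 50).Value = password
                Return insert.ExecuteNonQuery() = 1
            End Using
        End Using
    End Function

End Module
```

In the form, btnNext_Click becomes a call to CreateAccount(txtName.Text, txtUsername.Text, txtPassword.Text) and btnUser_Click a call to IsValidLogin(txtUsername2.Text, txtPassword2.Text), each branching on the Boolean. The parameters are what actually close the injection hole; the character allowlist is an extra, per the reply, and can be loosened for passwords as long as the parameters stay. The thread stores passwords as plain text, which is a separate concern this example does not address.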
