login form

Question

AngelicOne 4 Posting Whiz

14 Years Ago

I want to find out whether the password is incorrect for the username. I'm using sqldatareader.

3 Contributors
8 Replies
123 Views
1 Day Discussion Span
Latest Post 14 Years Ago Latest Post by AngelicOne

edepperson 8 Newbie Poster

14 Years Ago

assuming the table you query for the password has a loginname and password columns, write you sql statement like this.

SELECT LOGINNAME FROM USERTABLE WHERE LOGINNAME = @login AND PASSWORD = @pwd;

The parameters you will pass in are @login and @pwd. You should run this as a procedure.

AngelicOne commented: understood +1

Lusiphur 185 Practically a Posting Shark

14 Years Ago

Well there's an option where you can pull the UN/PW from the DB based on a query which checks against the UN only and confirm the PW against the associated PW for the UN you pulled.

In doing this, even if the PW is incorrect you still verify that the UN exists.

However, if you're not careful with the coding then you've now pulled the PW into the code-behind as a variable which is potentially accessible.

What you could do is have both functions as stored procedures on the SQL server however. Benefit of this is that the checks are all done on the SQL server and do not ever come across to the code-behind.

Basically... SP#1 = check if UN exists in SB
if SP#1 returns records == 1 then execute SP#2
SP#2 check if PW matches record for associated UN
if SP#2 returns records == 1 then execute login
else execute failedLogin

Dunno if that makes sense but hope it helps.

AngelicOne commented: good logic +1

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Lusiphur 185 Practically a Posting Shark Team Colleague Featured Poster · Answer 1 · 2010-09-21T00:53:51+00:00

AngelicOne;

For shame... I thought I'd trained you better in the art of posting questions :twisted:

No code examples, no real details of any sort. You're breakin' my heart here man!

AngelicOne 4 Posting Whiz · Answer 2 · 2010-09-21T09:51:14+00:00

I'm sorry because I thought this was just basics and longer explanations is not neccessary.

I usually code my login form like this

SqlCommand cmd = new SqlCommand("select username, passwords from users where username=@uid and passwords=@pwd", con);
cmd.Parameters.Add("@uid", SqlDbType.NVarchar).Value = uid.Text;
cmd.Parameters.Add("@pwd", SqlDbType.NVarchar).Value = pwd.Text;
SqlDataReader rdr = null;
con.Open();
rdr = cmd.ExecuteReader();

if (rdr.HasRows)
{
while(rdr.Read())
{
uid.Text = rdr["username"].ToString();
pwd.Text = rdr["passwords"].ToString();
form form = new form();
form.Show();
this.Hide();
}
}
rdr.Close();
con.Close();

What I want is to find out whether the password is incorrect for the username, thus the username exist.

AngelicOne 4 Posting Whiz · Answer 3 · 2010-09-21T12:54:11+00:00

I heard that this cannot be done without using stored procedure. I learned stored procedures just this month, could someone please provide some stored procedure?

Lusiphur 185 Practically a Posting Shark Team Colleague Featured Poster · Answer 4 · 2010-09-21T13:30:28+00:00

It's not that it cannot be done without stored procedures, it's more that it's not as secure to do so without stored procedures.

When dealing with login procedures it's safest to keep user and password variables from being passed around from place to place.

Using stored procedures keeps the entire process on the SQL server with no data being passed other than confirmation of valid or invalid results.

AngelicOne 4 Posting Whiz · Answer 5 · 2010-09-21T17:00:02+00:00

AngelicOne 4 Posting Whiz

14 Years Ago

So i'll make two stored procedure?

AngelicOne 4 Posting Whiz · Answer 6 · 2010-09-21T17:42:19+00:00

I found this code

ALTER PROCEDURE loginchk  
    (  
    @u varchar(50),  
    @p varchar(50)  
    )  
AS  
declare @ap varchar(50)  
select @ap=upass from tbuser where uname=@u  
if @ap is null  
return -1  
else  
if @ap=@p  
return 1  
else   
return -2

EDIT:

This is my finish code

private void button1_Click(object sender, EventArgs e)
        {
            Int32 d = checkuser(uid.Text, pwd.Text);
            if (d == -1)
            {
                MessageBox.Show("Wrong Username");
            }
            else if (d == -2)
            {
                MessageBox.Show("Wrong Password");
            }
            else if (d == 1)
            {
                MessageBox.Show("Success");
            }
        }

        private Int32 checkuser(string u, string p)
        {
            SqlConnection con = new SqlConnection("Data Source = .\\SQLEXPRESS; Initial Catalog = MyLibraryDB; Integrated Security = True");
            SqlCommand cmd = new SqlCommand();
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "usp_checkuser";
            cmd.Connection = con;
            cmd.Parameters.Add("@uid", SqlDbType.NVarChar).Value = uid.Text;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar).Value = pwd.Text;
            SqlParameter p1 = new SqlParameter("@ret", SqlDbType.Int);
            p1.Direction = ParameterDirection.ReturnValue;
            cmd.Parameters.Add(p1);
            con.Open();
            cmd.ExecuteNonQuery();
            con.Close();
            Int32 k = Convert.ToInt32(cmd.Parameters["@ret"].Value);
            cmd.Dispose();
            return k;
        }