I want to find out whether the password is incorrect for the username. I'm using sqldatareader.


Assuming the table you query for the password has a loginname and password column, write your SQL statement like this:

SELECT LOGINNAME FROM USERTABLE WHERE LOGINNAME = @login AND PASSWORD = @pwd;

The parameters you will pass in are @login and @pwd. You should run this as a procedure.


AngelicOne;

For shame... I thought I'd trained you better in the art of posting questions :twisted:

No code examples, no real details of any sort. You're breakin' my heart here man!

I'm sorry, because I thought this was just basics and longer explanations are not necessary.

I usually code my login form like this:

// Parameterized query: the user-supplied values never become part of the SQL text.
SqlCommand cmd = new SqlCommand("select username, passwords from users where username=@uid and passwords=@pwd", con);
cmd.Parameters.Add("@uid", SqlDbType.NVarChar).Value = uid.Text;   // NVarChar (was NVarchar, which does not compile)
cmd.Parameters.Add("@pwd", SqlDbType.NVarChar).Value = pwd.Text;
SqlDataReader rdr = null;
con.Open();
rdr = cmd.ExecuteReader();

// A row comes back only when both username and password match.
if (rdr.HasRows)
{
    while (rdr.Read())
    {
        uid.Text = rdr["username"].ToString();
        pwd.Text = rdr["passwords"].ToString();
        form form = new form();
        form.Show();
        this.Hide();
    }
}
rdr.Close();
con.Close();

What I want is to find out whether the password is incorrect for the username, thus the username exists.

Well there's an option where you can pull the UN/PW from the DB based on a query which checks against the UN only and confirm the PW against the associated PW for the UN you pulled.

In doing this, even if the PW is incorrect you still verify that the UN exists.

However, if you're not careful with the coding then you've now pulled the PW into the code-behind as a variable which is potentially accessible.

What you could do is have both functions as stored procedures on the SQL server however. Benefit of this is that the checks are all done on the SQL server and do not ever come across to the code-behind.

Basically... SP#1 = check if UN exists in DB
if SP#1 returns records == 1 then execute SP#2
SP#2 check if PW matches record for associated UN
if SP#2 returns records == 1 then execute login
else execute failedLogin

Dunno if that makes sense but hope it helps.


I heard that this cannot be done without using stored procedure. I learned stored procedures just this month, could someone please provide some stored procedure?

It's not that it cannot be done without stored procedures, it's more that it's not as secure to do so without stored procedures.

When dealing with login procedures it's safest to keep user and password variables from being passed around from place to place.

Using stored procedures keeps the entire process on the SQL server with no data being passed other than confirmation of valid or invalid results.

So I'll make two stored procedures?

I found this code:

ALTER PROCEDURE loginchk
    (
    @u varchar(50),
    @p varchar(50)
    )
AS
    declare @ap varchar(50)
    -- look up the stored password for the given username
    select @ap = upass from tbuser where uname = @u
    if @ap is null
        return -1           -- no such username
    else
        if @ap = @p
            return 1        -- username and password match
        else
            return -2       -- username exists, password is wrong

EDIT:

This is my finished code:

private void button1_Click(object sender, EventArgs e)
{
    Int32 d = checkuser(uid.Text, pwd.Text);
    if (d == -1)
    {
        MessageBox.Show("Wrong Username");
    }
    else if (d == -2)
    {
        MessageBox.Show("Wrong Password");
    }
    else if (d == 1)
    {
        MessageBox.Show("Success");
    }
}

private Int32 checkuser(string u, string p)
{
    SqlConnection con = new SqlConnection("Data Source = .\\SQLEXPRESS; Initial Catalog = MyLibraryDB; Integrated Security = True");
    SqlCommand cmd = new SqlCommand();
    cmd.CommandType = CommandType.StoredProcedure;
    cmd.CommandText = "usp_checkuser";
    cmd.Connection = con;
    // use the method's own arguments, not the form fields directly
    cmd.Parameters.Add("@uid", SqlDbType.NVarChar).Value = u;
    cmd.Parameters.Add("@pwd", SqlDbType.NVarChar).Value = p;
    // the procedure's RETURN value comes back through a ReturnValue parameter
    SqlParameter p1 = new SqlParameter("@ret", SqlDbType.Int);
    p1.Direction = ParameterDirection.ReturnValue;
    cmd.Parameters.Add(p1);
    con.Open();
    cmd.ExecuteNonQuery();
    con.Close();
    Int32 k = Convert.ToInt32(cmd.Parameters["@ret"].Value);
    cmd.Dispose();
    return k;
}
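The following is an added example, not code posted in this thread. It puts together the two-step check described earlier in the thread (does the username exist, then does the password match) and the finished `checkuser` code: it calls the `loginchk` procedure quoted above (parameters `@u` and `@p`, return codes 1 / -1 / -2), which is assumed to exist in the database named by the placeholder connection string, disposes the connection and command with `using` so they are released even when the call throws, and maps unknown return codes to an error rather than to success. It also shows the one caveat a practitioner would add: the -1 / -2 distinction the poster asked for is useful in a server-side log, but showing "Wrong Username" versus "Wrong Password" to the user lets anyone test which usernames exist, so the user-facing message is the same for both failures.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the thread). Assumes the "loginchk" stored procedure
// quoted above exists and returns 1 (ok), -1 (no such user) or -2 (wrong password).
public enum LoginResult { Success, UnknownUser, WrongPassword, Error }

public static class LoginCheck
{
    // Placeholder connection string; adjust to the real server and database.
    private const string ConnectionString =
        "Data Source=.\\SQLEXPRESS;Initial Catalog=MyLibraryDB;Integrated Security=True";

    // Maps the procedure's return code to a result. Anything unexpected is an
    // error, never a success, so a changed procedure cannot silently log users in.
    public static LoginResult FromReturnCode(int code)
    {
        switch (code)
        {
            case 1:  return LoginResult.Success;
            case -1: return LoginResult.UnknownUser;
            case -2: return LoginResult.WrongPassword;
            default: return LoginResult.Error;
        }
    }

    public static LoginResult CheckUser(string user, string password)
    {
        // "using" disposes the connection and command even if ExecuteNonQuery throws;
        // a plain con.Open() ... con.Close() pair does not guarantee that.
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("loginchk", con))
        {
            cmd.CommandType = CommandType.StoredProcedure;

            // Names and sizes match the procedure definition (varchar(50)), and the
            // method's own arguments are used rather than the form's text boxes.
            cmd.Parameters.Add("@u", SqlDbType.VarChar, 50).Value = user;
            cmd.Parameters.Add("@p", SqlDbType.VarChar, 50).Value = password;

            // The T-SQL RETURN value is delivered through a ReturnValue parameter.
            SqlParameter ret = cmd.Parameters.Add("@ret", SqlDbType.Int);
            ret.Direction = ParameterDirection.ReturnValue;

            con.Open();
            cmd.ExecuteNonQuery();
            return FromReturnCode((int)ret.Value);
        }
    }

    // One generic message for both failure cases: the login form then cannot be
    // used to find out which usernames exist. The exact reason belongs in a
    // server-side log, not on the screen.
    public static string UserMessage(LoginResult result)
    {
        return result == LoginResult.Success
            ? "Success"
            : "Invalid username or password";
    }

    // Detail for the server-side log (constructed format, not the thread's).
    public static string LogLine(string user, LoginResult result)
    {
        return string.Format("login user={0} result={1}", user, result);
    }
}

// Usage from the thread's button handler (uid/pwd are the form fields):
//   LoginResult r = LoginCheck.CheckUser(uid.Text, pwd.Text);
//   Console.Error.WriteLine(LoginCheck.LogLine(uid.Text, r));  // detailed, server side
//   MessageBox.Show(LoginCheck.UserMessage(r));                 // generic, user facing
```

`FromReturnCode` is kept separate from the database call so the mapping can be unit-tested without a SQL Server, and the default branch means a procedure that starts returning, say, 0 on an internal error is reported as `Error` rather than treated as a valid login.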