Member Avatar for Smalls

What I'm trying to do is have a login type windows form to take a user name and password then compare these with data in the db then open an admin type form. I've been trying to get this to work for a few days now with no luck, about 90% of the code below is a peice together from various forums trying to get it to work.

i no longer get an error 26 connection cant be made or what may have you, but now i get "Login failed for user ''.", not quite should what this means or how to go about it

Private Sub LoginB_Click(sender As System.Object, e As System.EventArgs) Handles LoginB.Click
        Try
            Dim con As New SqlConnection("Data Source=.\SQLEXPRESS;Database=C:\tcdb\tcdb.sdf;")
            Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)
            con.Open()
            Dim sdr As SqlDataReader = cmd.ExecuteReader()
            ' If the record can be queried, it means passing verification, then open another form.   
            If (sdr.Read() = True) Then
                MessageBox.Show("The user is valid!")
                Admin.Show()
                Me.Hide()
            Else
                MessageBox.Show("Invalid username or password!")
            End If
            con.Close()
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try

ps. sdf db has no user/pass needed to open... i think
i didnt set one and the whole app doesnt use one and loads binded data within another form without any problem whatsoever

thanks in adv

  • 7 Contributors
  • 13 Replies
  • 2K Views
  • 5 Years Discussion Span
  • Latest Post Latest Post by akash_12

Recommended Answers

All 13 Replies

Member Avatar for poojavb

What I'm trying to do is have a login type windows form to take a user name and password then compare these with data in the db then open an admin type form. I've been trying to get this to work for a few days now with no luck, about 90% of the code below is a peice together from various forums trying to get it to work.

i no longer get an error 26 connection cant be made or what may have you, but now i get "Login failed for user ''.", not quite should what this means or how to go about it

Private Sub LoginB_Click(sender As System.Object, e As System.EventArgs) Handles LoginB.Click
        Try
            Dim con As New SqlConnection("Data Source=.\SQLEXPRESS;Database=C:\tcdb\tcdb.sdf;")
            Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)
            con.Open()
            Dim sdr As SqlDataReader = cmd.ExecuteReader()
            ' If the record can be queried, it means passing verification, then open another form.   
            If (sdr.Read() = True) Then
                MessageBox.Show("The user is valid!")
                Admin.Show()
                Me.Hide()
            Else
                MessageBox.Show("Invalid username or password!")
            End If
            con.Close()
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try

ps. sdf db has no user/pass needed to open... i think
i didnt set one and the whole app doesnt use one and loads binded data within another form without any problem whatsoever

thanks in adv

Try to open the connection before the SQL query....

u have opened the connection after the query

Member Avatar for Pgmer

And also make sure that u have passed the correct credential for server.

Member Avatar for mani-hellboy

hey man saw your connection string where your username & pwd and provider

Member Avatar for Reverend Jim

Change the statement

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

to remove the parentheses around the table name. The proper syntax is

select field1,field2,etc from table where etc

not

select field1,field2,etc from(table) where etc

Member Avatar for Smalls

as for connection after query, i dont see it
i updated command syntax
removed parenthesis
mani... i dont understand

still get
Login failed for user ".

completely lost
if anyone has a better way to go about this please feel free

as for me, i think i failed to mention that i am a complete noob with sql!
lol

any help is greatly appreciated
thnx in adv

Edited by Smalls because: typo
Member Avatar for jbennet

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

NO. BAD!
This is open to a SQL Injection Attack. Security hole. Dont simply append the strings. You should be using what is called a prepared statement, with paramaters.

Member Avatar for Reverend Jim

Can you please elaborate on

prepared statement, with paramaters

Edited by Reverend Jim because: n/a
Member Avatar for jbennet

Read:
http://en.wikipedia.org/wiki/Prepared_statement
http://en.wikipedia.org/wiki/SQL_injection

If you have, for example,

"SELECT Price FROM Products WHERE ProductName = '" + some_variable + "'";

And i entered into into the product name search box:
"cheese';DROP TABLE Products WHERE '1' = '1"

Then the following code would be executed

"SELECT Price FROM Products WHERE ProductName = 'cheese';DROP TABLE Products WHERE '1' = '1'";

And the table would be dropped! (see how i run my own query there)

Therefore you must use prepared statements and paramaters.

Edited by jbennet because: n/a
Member Avatar for Reverend Jim

Interesting. Thanks for the post.

Edited by Reverend Jim because: n/a
Member Avatar for jbennet

This is how 99% of sites get hacked.... Amateur mistake.

Member Avatar for Reverend Jim

Never had to write a user inteface for a database. All of my stuff was automated, infrastructure/data mining/massaging/import/export behind safe firewall stuff. I'm glad I never had to worry about things like that.

Member Avatar for Smalls

the idea that im working with at the moment is to get it to work. then once working, strengthen security from there. but i completely understand your point mr bennet.

but, back to the target subject at hand, am i completely missing what and how sql does what it does or is something off???

sql server configuration manager indicates that sqlexpress is running,
no longer get connection not made, db not found error,
but is now replaces by null user login failed,

total sql noob that got lost somewhere between points a and b! lol

to sum up, all i need is a working model, from there i can build out and up! lol

thank you everyone for your time and thanks for any help in advance, it is greatly appreciated

Member Avatar for akash_12

Change the statement

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

to remove the parentheses around the table name. The proper syntax is

Dim cmd As New SqlCommand("SELECT Username, Password FROM Users WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

remove the pranthese from table name..............

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.