What I'm trying to do is have a login-type Windows form take a user name and password, compare these with data in the DB, then open an admin-type form. I've been trying to get this to work for a few days now with no luck; about 90% of the code below is pieced together from various forums trying to get it to work.

I no longer get an error 26 (connection can't be made, or whatever it was), but now I get "Login failed for user ''." Not quite sure what this means or how to go about it.

Private Sub LoginB_Click(sender As System.Object, e As System.EventArgs) Handles LoginB.Click
        Try
            Dim con As New SqlConnection("Data Source=.\SQLEXPRESS;Database=C:\tcdb\tcdb.sdf;")
            Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)
            con.Open()
            Dim sdr As SqlDataReader = cmd.ExecuteReader()
            ' If the record can be queried, it means passing verification, then open another form.   
            If (sdr.Read() = True) Then
                MessageBox.Show("The user is valid!")
                Admin.Show()
                Me.Hide()
            Else
                MessageBox.Show("Invalid username or password!")
            End If
            con.Close()
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try
    End Sub

PS: the .sdf DB needs no user/pass to open... I think.
I didn't set one, and the whole app doesn't use one and loads bound data in another form without any problem whatsoever.

Thanks in advance

Try to open the connection before the SQL query....

You have opened the connection after the query.

Change the statement

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

to remove the parentheses around the table name. The proper syntax is

select field1,field2,etc from table where etc

not

select field1,field2,etc from(table) where etc

As for connection after query, I don't see it.
I updated the command syntax.
Removed parentheses.
mani... I don't understand.

Still get
Login failed for user ''.

Completely lost.
If anyone has a better way to go about this, please feel free.

As for me, I think I failed to mention that I am a complete noob with SQL!
lol

Any help is greatly appreciated.
Thanks in advance

Edited 4 Years Ago by Smalls: typo

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

NO. BAD!
This is open to a SQL injection attack. Security hole. Don't simply append the strings. You should be using what is called a prepared statement, with parameters.

Read:
http://en.wikipedia.org/wiki/Prepared_statement
http://en.wikipedia.org/wiki/SQL_injection

If you have, for example,

"SELECT Price FROM Products WHERE ProductName = '" + some_variable + "'";

And I entered into the product name search box:
"cheese';DROP TABLE Products WHERE '1' = '1"

Then the following code would be executed

"SELECT Price FROM Products WHERE ProductName = 'cheese';DROP TABLE Products WHERE '1' = '1'";

And the table would be dropped! (See how I run my own query there.)

Therefore you must use prepared statements and parameters.

Edited 4 Years Ago by jbennet: n/a
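The login check from the first post rewritten with a parameterised SqlCommand, as an added example (not code from the thread or from jbennet's post). It keeps the thread's Users table with Username and Password columns and the form pieces UserTXT, PassTXT, LoginB and Admin, which are assumed to come from the form designer as in the original. The connection string is an assumption: a SQL Server Express database named tcdb reached over Windows authentication, which the thread's string supplies neither a user for nor Integrated Security; note also that an .sdf file is a SQL Server Compact database, which System.Data.SqlClient cannot open at all.

```vb
' Added example, not code from the thread: the same login check with parameters,
' so whatever is typed into the text boxes can never be parsed as SQL.
Imports System.Data
Imports System.Data.SqlClient

Public Class LoginForm
    Inherits System.Windows.Forms.Form

    ' Assumption: a SQL Server Express database called tcdb, opened with
    ' Windows authentication. Replace with the real server/database names.
    Private Const ConnectionString As String =
        "Data Source=.\SQLEXPRESS;Initial Catalog=tcdb;Integrated Security=SSPI;"

    ' Returns True when exactly one Users row matches the supplied credentials.
    ' The values travel to the server as parameters, separate from the query
    ' text, so an input such as cheese';DROP TABLE Users-- is simply a
    ' username that does not exist.
    Public Shared Function CredentialsAreValid(username As String, password As String) As Boolean
        Using con As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand(
                "SELECT COUNT(*) FROM Users WHERE Username = @user AND Password = @pass", con)
                ' Typed, length-limited parameters instead of string concatenation.
                cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username
                cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 100).Value = password
                con.Open()
                Return CInt(cmd.ExecuteScalar()) = 1
            End Using
        End Using
    End Function

    ' Click handler in the shape of the thread's LoginB_Click; UserTXT, PassTXT,
    ' LoginB and the Admin form are assumed to exist in the designer file.
    Private Sub LoginB_Click(sender As Object, e As EventArgs) Handles LoginB.Click
        Try
            If CredentialsAreValid(UserTXT.Text, PassTXT.Text) Then
                Admin.Show()
                Me.Hide()
            Else
                ' One message for both wrong user and wrong password, so the
                ' dialog does not reveal which usernames exist.
                MessageBox.Show("Invalid username or password!")
            End If
        Catch ex As SqlException
            MessageBox.Show("Database error: " & ex.Message)
        End Try
    End Sub
End Class
```

With parameters the server receives the query text and the values separately, so the cheese';DROP TABLE example above becomes a value that matches nothing rather than a second statement. One thing this example leaves as the thread has it: the password is still stored and compared as plain text in the Password column, and under SQL Server's default case-insensitive collation that comparison also ignores case; storing a salted hash and verifying it in code is the next step.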

Never had to write a user interface for a database. All of my stuff was automated, infrastructure/data mining/massaging/import/export behind safe firewall stuff. I'm glad I never had to worry about things like that.

The idea I'm working with at the moment is to get it to work, then once it's working, strengthen security from there. But I completely understand your point, Mr Bennet.

But, back to the subject at hand: am I completely missing what and how SQL does what it does, or is something off???

SQL Server Configuration Manager indicates that SQLEXPRESS is running;
I no longer get the connection not made / DB not found error,
but it is now replaced by the null user login failed.

Total SQL noob that got lost somewhere between points A and B! lol

To sum up, all I need is a working model; from there I can build out and up! lol

Thank you everyone for your time, and thanks for any help in advance; it is greatly appreciated.
