private void OK_Click(object sender, EventArgs e)
{
    string connectionString = @"Data Source=(LocalDb)\v11.0;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnet-Bartering-20130910215644.mdf";
    SqlConnection sqlCon = new SqlConnection(connectionString);

    //string commandString = "select UserName from Users " + usernameTextBox.Text + "";
    //SqlCommand sqlCmd = new SqlCommand(commandString, sqlCon);
    //SqlDataReader read = sqlCmd.ExecuteReader();

    string dummyun = usernameTextBox.Text;
    string dummypw = passwordTextBox.Text;
    sqlCon.Open();

    using (SqlCommand StrQuer = new SqlCommand("SELECT Memberships.Password,Users.UserName FROM Memberships INNER JOIN Users ON Memberships.UserId=Users.UserId", sqlCon))
    {
        StrQuer.Parameters.AddWithValue("@UserName", dummyun);
        StrQuer.Parameters.AddWithValue("@Password", dummypw);
        SqlDataReader dr = StrQuer.ExecuteReader();
        if (dr.HasRows)
        {
            MessageBox.Show("loginSuccess");
        }
        else
        {
            MessageBox.Show("invalid");
        }
    }
    sqlCon.Close();
}
Updated 8-Jan-14 16:35pm

Did you find that code in several places on the internet, and decide to bolt it together and hope it would work? Because that is certainly what it looks like...

That code won't work.

You need to go back a stage or two and rethink how you are doing things here: start by reading this: "Password Storage: How to do it", which "prepares" passwords for you to store and compare, then try this:
C#
using (SqlConnection con = new SqlConnection(strConnect))
    {
    con.Open();
    using (SqlCommand cmd = new SqlCommand("SELECT password FROM myTable WHERE UserName=@UN", con))
        {
        cmd.Parameters.AddWithValue("@UN", usernameTextBox.Text);
        using (SqlDataReader reader = cmd.ExecuteReader())
            {
            if  (reader.Read())
                {
                byte[] password = (byte[])reader["password"];
                // ...and check the password here
                }
            }
        }
    }
 
 
Your SQL does not contain any parameters but you are adding parameters.

There are lots of ways to do it, one way would be:
SQL
SELECT m.Password, u.UserName
FROM Memberships m
INNER JOIN Users u ON m.UserId = u.UserId
WHERE u.UserName = @UserName AND m.Password = @Password


Depending on your collation settings in the database you may want to add COLLATE SQL_Latin1_General_CP1_CS_AS after @Password so that it is searched case sensitive.
 
 
If you're using ASP.NET MVC, and especially if you prefer copying and pasting to understanding your code, you'd do better to use simple membership, which is built in to ASP.NET MVC and actually works really well. It's also guaranteed to be more secure than anything you might roll out.
 
 
You have not passed parameters to the query
SQL
SELECT Memberships.Password,Users.UserName FROM Memberships INNER JOIN Users ON Memberships.UserId=Users.UserId
    where Users.UserName = @UserName and Memberships.Password = @Password
 
 
My suggestion is that you do not retrieve passwords from the DB; that will be risky. Instead, send your password to the DB and write a query to select the count of records for the user id and password supplied. I hope your table has appropriate constraints, and if the combination is correct the count will be returned as 1, otherwise zero. If the count is returned as 1, login should be successful; in case the count comes as zero, the login should be made unsuccessful. Try implementing it and do let me know if you need the code. You can write a stored procedure to execute the select query and return 1 for success and -1 for failure.
 
This code will really work for you. Try this one; if it works, please reply to me.


using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.SqlClient;
namespace OfficeProject
{
    public partial class Form1 : Form
    {
        public static string userna;
        public static string Pass;
        public Form1()
        {
            InitializeComponent();
        }

        private void loginsimpleButton_Click(object sender, EventArgs e)
        {
            SqlConnection con;
            string st = @"Data Source=USER-PC\MYSQLSERVER;Initial Catalog=officeproject;Integrated Security=True";
            con = new SqlConnection(st);
            con.Open();
            string s = @"select username,password from admin where username=@username and password=@password";
            SqlCommand cmd = new SqlCommand(s, con);
            cmd.Parameters.AddWithValue("@username", nametextBox.Text);
            cmd.Parameters.AddWithValue("@password", passwordtextBox.Text);
            SqlDataReader reader = cmd.ExecuteReader();

            while (reader.Read())
            {

                userna = reader[0].ToString();
                Pass = reader[1].ToString();
                

            }
            if ((userna == nametextBox.Text) && (Pass == passwordtextBox.Text))
            {
                home h = new home();
                h.Show();
                Form1 f = new Form1();
                f.Close();
            }
            else if (nametextBox .Text== "" || passwordtextBox.Text == "")
            {
                MessageBox.Show("Success");
            }
            else 
            {
                MessageBox.Show("invalid");
            }
            
            con.Close();
        }
    }
}
 
Comments
Christian Graus 8-Jan-14 23:06pm    
This is a horrible mess. Never do this. Keep your password in your data layer, encrypted if possible. Pulling it out like this exposes it to attack.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


