Why can't I login even with correct credentials?

Question

0.00/5 (No votes)

See more:

Hi! I'm using Visual Studio 2017. I wanted to make a login window form with database. I have googled & watched many YouTube videos teaching how to do it. I followed instructions BUT!!! 2 ISSUES!!

What I have tried:

1. Most videos do it this way:

private void btnLogin_Click(object sender, EventArgs e)
{
    SqlConnection sqlcon = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\run_h\OneDrive\Documents\LoginDB.mdf;Integrated Security=True");
    string query = "SELECT count(*) FROM [tblLogin] WHERE username = ' " +txtUsername.Text.Trim()+ " ' and password = ' " +txtPassword.Text.Trim()+" ' ";
    SqlDataAdapter sda = new SqlDataAdapter(query, sqlcon);
    DataTable dtbl = new DataTable();
    sda.Fill(dtbl);
    if(dtbl.Rows[0][0].ToString() == "1")
    {
        frmMain objfrmMain = new frmMain();
        this.Hide();
        objfrmMain.Show();
    }
    else
     {
        MessageBox.Show("Try again next time.");
    }
}

Issue: That ^ method will give me the else statement results even after I put in the correct credentials. Then, I read some comments and the alternative solution was-

2. Alternative solution:

private void btnLogin_Click(object sender, EventArgs e)
{
    SqlConnection sqlcon = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\run_h\OneDrive\Documents\LoginDB.mdf;Integrated Security=True");
    string query = "SELECT count(*) FROM [tblLogin] WHERE username = ' " +txtUsername.Text.Trim()+ " ' and password = ' " +txtPassword.Text.Trim()+" ' ";
    SqlDataAdapter sda = new SqlDataAdapter(query, sqlcon);
    DataTable dtbl = new DataTable();
    sda.Fill(dtbl);
    if(dtbl.Rows.Count > 0)
    {
        frmMain objfrmMain = new frmMain();
        this.Hide();
        objfrmMain.Show();
    }
    else
     {
        MessageBox.Show("Try again next time.");
    }
}

Issue: The alternative solution, allows me to log in and the next form will appear when I did not put any credentials, AS WELL AS, putting the wrong credentials WHEN THEY SHOULD NOT.

----

I seriously have no idea how to fix it anymore. Does anyone know how to fix this? I really appreciate any guidance. Thank you in advance!!

Videos that I have followed:

Create Login Window in C# Using Sql Server - YouTube[^]

How to Create Login Form in C# with Database in Visual Studio?[With Source Code] - YouTube[^]

----

Posted 14-Aug-18 21:52pm

Noob4C0des

Updated 14-Aug-18 23:06pm

v2

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Answer 1 · 2018-08-14T22:04:00

If I was to sit down and write a "how not to do it" for logging in, this code could front the book - so many bad ideas in so few lines of code ...
Firstly, I can bypass your password protection at will and log in as any user without a password, just by typing any username, followed by "';--" as my username. This is called SQL Injection and it leads to users deleting your DB.
Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SQL

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

SQL

DROP TABLE MyTable;

A perfectly valid "delete the table" command

SQL

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
Fix that throughout your app - leave one in and it's "bye bye baby" to your data.

Secondly, never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^]

Third, Why retrieve columns you aren't going to use? Never use SELECT * FROM unless you want all the columns - it's wasteful, and in this case unnecessary because if you used SELECT COUNT(*) FROM instead, you could use ExecuteScalar instead of a DataTable and get just the count you are interested in directly.

Fourth, how many users does your system allow to have the same username and password? Because if it isn't at least 2 then you will never log anyone in:

C#

if(dtbl.Rows.Count > 1)

F-ES Sitecore · Answer 2 · 2018-08-14T23:07:00

string query = "SELECT count(*) FROM [tblLogin] WHERE username = ' " +txtUsername.Text.Trim()+ " ' and password = ' " +txtPassword.Text.Trim()+" ' ";

You need to learn to use the debugger. If you have "admin" in txtUsername and "password" in txtPassword and run the above code, use the debugger to look at the contents of "query". It will be

SELECT count(*) FROM [tblLogin] WHERE username = ' admin ' and password = ' password '

Spaces are characters too, they are not ignored, does every username and every password in your system have a leading and trailing space?

' admin '

is not the same as

'admin'

Why can't I login even with correct credentials?

2 solutions

Solution 1

Solution 2

Add your solution here

Preview 0