If the username and password match, then and only then must the person be able to log in; otherwise, invalid password or username (they do not match the ones already stored in the database).

What I have tried:

SqlConnection con = new SqlConnection(@"Data Source=DESKTOP-T09HLQF;Initial Catalog=HMIS_LOGIN_SCREEN;PASSWORD=Secret;Integrated Security=True;");
// The query is built by concatenating the text box values straight into the SQL text.
// The table name contains a hyphen, so it has to be bracketed to be valid T-SQL.
String s = "SELECT count(*) FROM [HOME_LOGIN-PAGE] WHERE USER_NAME='" + textBox1.Text + "' AND PASSWORD='" + textBox2.Text + "'";
// Username='" + Username + "' AND Password='" + Password + "'"
SqlCommand cmd = new SqlCommand(s, con);
con.Open();   // open once; opening an already open connection throws
Object obj = cmd.ExecuteScalar();
con.Close();
// count(*) always returns a value, so a null check never fails; test the count itself
if (obj != null && Convert.ToInt32(obj) > 0)
{
this.Hide();
Form2 f = new Form2();
f.Show();
}
else
{
MessageBox.Show("SORRY USERNAME OR PASSWORD IS INVALID");
}
Posted
Updated 16-Apr-17 23:21pm
Comments
Richard MacCutchan 17-Apr-17 3:55am    
So, you are storing passwords in your database in clear text. Please let us know what organisation you work for so we can ensure we never deal with it.
Philippe Mori 18-Apr-17 18:38pm    
In addition to other comments, make some effort when you ask a question. Properly formatting code would usually take less than a few seconds.

Obviously, you should not do authentication code until you learn about SQL injection and properly hashing passwords...

Not like that!
Firstly, because that code is wide open to abuse: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parameterized queries instead. Concatenation in your login means that anyone can bypass your security if they want, pretend to be you perhaps; or delete your database just by typing in a textbox.
Secondly, because you should never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.
Also see here: Code Crimes Number 1

And BTW:
1) Do yourself a favour, and stop using Visual Studio default names for everything - you may remember that "TextBox8" is the mobile number today, but when you have to modify it in three weeks time, will you then? Use descriptive names - "tbMobileNo" for example - and your code becomes easier to read, more self documenting, easier to maintain - and surprisingly quicker to code because Intellisense can get to "tbMobile" in three keystrokes, where "TextBox8" takes thinking about and 8 keystrokes...
2) Don't "hard code" connection strings either. Always store them in configuration or settings files.
3) Connections and Commands are scarce resources: they should be Closed and Disposed when you are finished with them. I'd suggest a using block for both.
// Assumes an already opened SqlConnection named con; the query text is still concatenated from the text boxes
string query="Select USER_NAME,PASSWORD From HOME_LOGIN-PAGE where USER_NAME='"+textBox1.Text+"' and PASSWORD='"+textBox2.Text+"'";
SqlCommand cmd=new SqlCommand(query,con);
SqlDataReader dr=cmd.ExecuteReader();
if(dr.Read())   // a row came back, so the pair matched
{
this.Hide();
Form2 f = new Form2();
f.Show();
}
else
{
MessageBox.Show("invalid login");
}
Comments
CHill60 17-Apr-17 10:16am    
Never use concatenated strings to create SQL Commands. Use parameterized queries. If you were going to foolishly store passwords in plain text then that code should be
string query="Select USER_NAME,PASSWORD From HOME_LOGIN-PAGE where USER_NAME=@log and PASSWORD=@pass";
SqlCommand cmd=new SqlCommand(query,con);
cmd.Parameters.AddWithValue("@log", textBox1.Text);
cmd.Parameters.AddWithValue("@pass", textBox2.Text);
SqlDataReader dr=cmd.ExecuteReader();

But you never, ever store passwords as clear text. See the links in solution 1 for how to do it properly
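Putting Solution 1's advice and CHill60's parameterized query together, here is an added example that is not code from the question or from any answer on this page: a C# login check that reads the connection string from configuration, sends the username as a parameter, and verifies a salted PBKDF2 hash instead of comparing plain text. The table `Users` with columns `UserName`, `PasswordHash` and `Salt`, and the connection-string name `HmisDb`, are assumptions.

```csharp
// Added example, not code from the question or any answer. Assumed names: table Users(UserName,
// PasswordHash VARBINARY, Salt VARBINARY), connection string "HmisDb"; needs .NET Framework 4.7.2+ or .NET Core.
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
public static class LoginService
{
    // True only when the user exists and the password matches the stored hash.
    public static bool VerifyLogin(string userName, string password)
    {
        string connStr = ConfigurationManager.ConnectionStrings["HmisDb"].ConnectionString;
        const string sql = "SELECT PasswordHash, Salt FROM Users WHERE UserName = @user";
        using (var con = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, con))
        {
            // The value travels as a typed parameter, never as part of the SQL text.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 100).Value = userName;
            con.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (!dr.Read()) return false;  // unknown user
                byte[] storedHash = (byte[])dr["PasswordHash"];
                byte[] salt = (byte[])dr["Salt"];
                return FixedTimeEquals(Pbkdf2(password, salt), storedHash);
            }
        }
    }
    // For registration: store the random salt and the hash, never the password itself.
    public static (byte[] Hash, byte[] Salt) HashNewPassword(string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return (Pbkdf2(password, salt), salt);
    }
    // PBKDF2-HMAC-SHA256, 100000 iterations, 32-byte output.
    static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
    // Compares every byte so timing does not reveal where the hashes first differ.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Call `HashNewPassword` once when an account is created and persist both values; `VerifyLogin` then replaces the concatenated query in the question.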

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)