CODEWITHSUNDEEP
c#sqlsql-serverdatabase
user2040978
user2040978

Reputation: 35

form validation using c# and sql commands

i am trying to make a windows form to log into another one, i am using a database with users and passwords the code is as follows:

private void button1_Click(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection("Data Source=mmtsql.XXX.XXXX.XX.XX;Initial Catalog=mmtXX-XXX;User ID=mmtXX-XXX;Password=mmtXX-XXX");
    conn.Open();
    SqlCommand mycommand = new SqlCommand("SELECT User, Password FROM UsersData WHERE User = '" + textBox1.Text + "' and Password = '" + textBox2.Text + "'", conn);
    SqlDataReader reader = mycommand.ExecuteReader();
    if(reader != null) 
    {
        if(reader.Read())
        {
            Form1 formload = new Form1();
            formload.Show();
        }
        else
        {
            label3.Text = "Invalid Username or Password !";
        }
    }
    else
    {
        label3.Text = "Invalid Username or Password !";
    }

the problem that a getting is that no matter what i insert into the textboxes, right or wrong i am getting:

Invalid Username or Password !

is there anyway to fix my code? regards;

Upvotes: 0

Views: 1652

Answers (2)

Mike C.
Mike C.

Reputation: 3114

I would do it this way, keeping to the method you are using:

private void button1_Click(object sender, EventArgs e)
{
    SqlConnection conn = new SqlConnection(conn_str);
    conn.Open();
    string sql = "SELECT User, Password 
        FROM UsersData WHERE User=@user and Password=@password"
    SqlCommand mycommand = new SqlCommand(sql, conn);
    //parameterize your query!
    mycommand.Parameters.AddWithValue("user", txtuser.text);
    mycommand.Parameters.AddWithValuye("password", txtpassword.password);

    SqlDataReader reader = mycommand.ExecuteReader();
    if(reader == null)
    {
        label3.Text = "Database query failed!";
    }
    else if(reader.HasRows)
    {
        Form1 formload = new Form1();
        formload.Show();
    }
    else
    {
        label3.Text = "Invalid Username or Password !";
    }

Upvotes: 1

DevelopmentIsMyPassion
DevelopmentIsMyPassion

Reputation: 3591

Use parameterized queries as they will help you against sql injection as mentioned by SLaks. Change your code to below

using (SqlCommand command = new SqlCommand("SELECT User, Password 
    FROM UsersData WHERE User=@user and Password=@password", connection))
    {
    //
    // Add new SqlParameter to the command.
    //
    command.Parameters.Add(new SqlParameter("user ", textbox1.text));
            command.Parameters.Add(new SqlParameter("password", textbox2.text));

    SqlDataReader reader = command.ExecuteReader();
            if (reader == null)

    {
      Form1 formload = new Form1();
              formload.Show();    
    }
            else
            {
              label3.Text = "Invalid Username or Password !";    
            }
   }

Upvotes: 0

Related Questions