Error "check the manual that corresponds to your MySQL server version"

Question

Hello I'm having a bit of a problem with my code.. I get this error and it depends on

myReader =  SelectCommand.ExecuteReader();

I really don't understand it.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''password' at line 1

MySqlConnection conn = new MySqlConnection("secretstring")
        MySqlCommand SelectCommand = new MySqlCommand("SELECT * FROM userspassword where'" + this.loginuser.Text + "'and password'" + this.passworduser.Text, conn);
        MySqlDataReader myReader;
        conn.Open();
        //myReader = SelectCommand.ExecuteReader();
        myReader =  SelectCommand.ExecuteReader();


        int count = 0;
        while (myReader.Read())
        {
            count = count + 1;
        }
        if (count == 1)
        {
            MessageBox.Show("Correct");
            Form2 pannel = new Form2();
             pannel.Show();
             Hide();

        }
        else if (count > 1)
        {
            MessageBox.Show("More then 1 user logged in");
        }
        else
            MessageBox.Show("Incorrect password or username");
        conn.Close();

Answer 1

This is apparently not the case for the one who asked the question, but for everyone else having this error: make sure you did not name your column with existent SQL keywords. KEY and index are most probable. List of SQL keywords.

Answer 2

Missing the field name for the user to compare

 MySqlCommand SelectCommand = new MySqlCommand("SELECT * FROM userspassword where " +  
        "username = '" + this.loginuser.Text + "' and password = '" + 
         this.passworduser.Text +"'" , conn);

and also some spaces between the fields and the values and the closing quotes.

Said that let me point you to the danger of string concatenation. If one of your textboxes contains a single quote the command will fail with a syntax error, or, if you have a malicious user, he/she could prepare a Sql Injection attack inserting sql text in the input boxes.

You should write a parameterized query like this

 MySqlCommand SelectCommand = new MySqlCommand("SELECT * FROM userspassword where " +  
        "username = @uname and password = @pwd", conn);
 SelectCommand.Parameters.AddWithValue("@uname",this.loginuser.Text); 
 SelectCommand.Parameters.AddWithValue("@pwd",this.passworduser.Text); 
 myReader =  SelectCommand.ExecuteReader();

There is another problem relative to the storage of the password in clear text on the database. Is another thing to avoid from the security point of view. You should store an hash of the password, apply the hash function to the user input text and pass this hash value as parameter to check against the database field

Answer 3

You have a spacing problem and are missing a column name:

MySqlCommand SelectCommand = 
    new MySqlCommand("SELECT * FROM userspassword where username='" 
                     + this.loginuser.Text + "' and password='" 
                     + this.passworduser.Text +"'", conn);

BTW - You have a potential SQL injection problem here

Answer 4

You are missing column name in your where clause on your query.

"SELECT * FROM userspassword where'" + this.loginuser.Text
                                   ^^^^^^^ Column name is missing..

Try like;

MySqlCommand SelectCommand = new MySqlCommand("SELECT * FROM userspassword where " + "YourColumnName = '" + this.loginuser.Text + "' and password '" + this.passworduser.Text +"'" , conn);

But more important part is, you should always use parameterized queries. This kind of string concatenations are causes SQL Injection attacks.

You can read How does the SQL injection from the "Bobby Tables" XKCD comic work?