Retrieving user password from DB

Question

I have a table that has a list of user names and passwords and I want to match the the user name and password the user enter with the one saved in the DB. The code I am using only retrieves the login information of the first record in the users table, how can I change that so the code would work for all user.

I am a beginners at VS and I am trying to learn the basics so later on I will be implementing more complex login page with encryption.. Thank you

 private void btnLogin_Click(object sender, EventArgs e)
    {
        SqlConnection cn = new SqlConnection();
        SqlCommand cmd = new SqlCommand();
        SqlDataReader dr;

        cn.ConnectionString = "Server=;Database=;User Id=naljalid;Password=";
        cmd.Connection = cn;
        string username = tbxUserName.Text;
        cmd.CommandText = "SELECT UserPassword FROM tblLoginProject WHERE UserName=username";

        // open a connection to DB
        cn.Open();

        //read the table
        dr = cmd.ExecuteReader();

        //read a record from te data reader
         dr.Read();

        // compare the passwords


       if (tbxPassword.Text == dr.GetString(0))
         {
             MessageBox.Show("Hello");
        }

        else
        {
            MessageBox.Show("Login failed, please re-enter your password");
        }
    }

Answer 1

Change the query a tidge to this:

cmd.CommandText = "SELECT UserPassword FROM tblLoginProject WHERE UserName = @username";

and then set that parameter value:

cmd.Parameters.AddWithValue("@username", tbxUserName.Text);

That will get you the row for the user you're looking for. Now on to a few more recommendations. The ADO.NET classes implement the IDispoable interface. That interface identifies that the class uses some unmanaged resources. You want to make sure those get disposed. Consider the following rewrite of your current code:

using (SqlConnection cn = new SqlConnection("Server=;Database=;User Id=naljalid;Password="))
using (SqlCommand cmd = new SqlCommand("SELECT UserName FROM tblLoginProject WHERE UserName = @username AND Password = @password", cn))
{
    cn.Open();

    cmd.Parameters.AddWithValue("@username", tbxUserName.Text);
    cmd.Parameters.AddWithValue("@password", tbxPassword.Text);

    var result = cmd.ExecuteScalar() as string;
    if (string.IsNullOrEmpty(result))
    {
        // user was not found
    }
    else
    {
        // user was found
    }
}

It leverages the using statement to ensure that the objects get disposed.

Answer 2

The key to this is the SQL query, specifically the WHERE clause:

SELECT UserPassword FROM tblLoginProject

This query will return all the passwords from the database. But you want to retrieve the password of only one user, so you need to implement a WHERE clause

SELECT UserPassword FROM tblLoginProject WHERE UserName = @username

This query will retrieve the password for only a certain user where the value of the field UserName equals the value passed in the parameter @username. So now we need to make sure to pass that value. You can't just include it in the SQL query like you're doing right now. We do it like this:

cmd.Paramateres.AddWithValue("@username", username);

This should work fine, but for best practices you should check for both username and password at the same time:

SELECT count(*) FROM tblLoginProject WHERE UserName = @username AND UserPassword = @password

Then of course we pass both values:

cmd.Paramateres.AddWithValue("@username", username);
cmd.Paramateres.AddWithValue("@password", password);

This will return 0 if no users are found with that combination of username and password (invalid login), or more than 0 if such a user was found (valid login).

Next stop you should research hashing passwords. After that would be salting these hashes. Good luck!