Reputation: 14992
I was using an Access database in my application and I switched to SQL Server, but it is not working properly... This is a Login screen, the Connect button click event.
When I connect it just skips and closes the login window with whatever info I put in it.
This is the error I'm getting. It's red at the cmd field, and I don't know why.
https://i.sstatic.net/gJ5hm.png
Code:
private void btnconectar_Click(object sender, EventArgs e)
{
    if (!(empty(boxlogin.Text) && empty(boxsenha.Text)))
    {
        SqlCommand cmd = new SqlCommand("SELECT * from Usuarios where StrCmp(login, '" + boxlogin.Text + "')=0 and StrCmp(senha, '" + boxsenha.Text + "')=0",connection);
        cmd.CommandType = CommandType.Text;
        cmd.CommandTimeout = 15;
        connection.Open();
        SqlDataReader reader = cmd.ExecuteReader();
        if (reader.Read())
        {
            nome = reader["nome"].ToString();
            login = reader["login"].ToString();
            senha = reader["senha"].ToString();
            msg("Login realizado com sucesso!\nBem vindo(a), " + nome.Substring(0, nome.IndexOf(" ")),Color.Green, false);
            connection.Close();
            timer4.Start();
        }
        else
        {
            msg("Usuário e/ou senha incorretos!", Color.Red, false);
        }
    }
    else msg("Os campos não podem ficar em branco!", Color.Red, false);
    connection.Close();
}
Output after execution:
A first chance exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll 'WindowsFormsApplication1.vshost.exe' (CLR v4.0.30319: WindowsFormsApplication1.vshost.exe): Loaded 'C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources\v4.0_4.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll'. Module was built without symbols.
Upvotes: 2
Views: 268
Reputation: 700432
As you get an SqlException, the problem is not at the line that is marked. It will be in the line with ExecuteReader, where the query is executed.
There is no StrCmp function in T-SQL, use the = operator to compare the strings.
You should use data parameters, the query is wide open for SQL injection attacks when you concatenate the values into the query without escaping them properly.
To require both fields to be filled in, you should use the || operator in the condition, not the && operator.
You are not closing the data reader, and you are closing the connection twice. You should dispose the command and the data reader. The most convenient way to handle that safely is using a using block.
You shouldn't use select * in production code. Select the fields that you want to get from the query.
private void btnconectar_Click(object sender, EventArgs e) {
    // Both fields must be filled in
    if (!(empty(boxlogin.Text) || empty(boxsenha.Text))) {
        using (SqlCommand cmd = new SqlCommand("SELECT nome, login, senha from Usuarios where login = @Login and senha = @Senha", connection)) {
            // The values are passed as parameters instead of being concatenated into the query
            cmd.Parameters.AddWithValue("@Login", boxlogin.Text);
            cmd.Parameters.AddWithValue("@Senha", boxsenha.Text);
            cmd.CommandType = CommandType.Text;
            cmd.CommandTimeout = 15;
            connection.Open();
            using (SqlDataReader reader = cmd.ExecuteReader()) {
                if (reader.Read()) {
                    nome = reader["nome"].ToString();
                    login = reader["login"].ToString();
                    senha = reader["senha"].ToString();
                    msg("Login realizado com sucesso!\nBem vindo(a), " + nome.Substring(0, nome.IndexOf(" ")),Color.Green, false);
                    timer4.Start();
                } else {
                    msg("Usuário e/ou senha incorretos!", Color.Red, false);
                }
            }
        }
    } else {
        msg("Os campos não podem ficar em branco!", Color.Red, false);
    }
    connection.Close();
}
Upvotes: 4
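An added example, not part of the answer above or the asker's project: it builds the login query both ways without touching a database, so you can see that a perfectly legitimate value containing an apostrophe changes the SQL text when concatenated but stays pure data when passed as a parameter. The class name, the sample values and the NVARCHAR(50) parameter sizes are assumptions; it uses typed `Parameters.Add` rather than the answer's `AddWithValue`, and assumes a reference to System.Data.SqlClient.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginQueryDemo
{
    // Concatenation as in the question (with = in place of StrCmp):
    // the typed value becomes part of the SQL text itself.
    static string BuildConcatenated(string login, string senha)
    {
        return "SELECT nome FROM Usuarios WHERE login = '" + login +
               "' AND senha = '" + senha + "'";
    }

    // Parameterized form: the SQL text is a constant and the values
    // travel separately, so quotes in them are never parsed as SQL.
    static SqlCommand BuildParameterized(string login, string senha)
    {
        var cmd = new SqlCommand(
            "SELECT nome FROM Usuarios WHERE login = @Login AND senha = @Senha");
        // Assumption: both columns are NVARCHAR(50); use the real column types.
        cmd.Parameters.Add("@Login", SqlDbType.NVarChar, 50).Value = login;
        cmd.Parameters.Add("@Senha", SqlDbType.NVarChar, 50).Value = senha;
        return cmd;
    }

    static int CountQuotes(string sql)
    {
        int n = 0;
        foreach (char c in sql) if (c == '\'') n++;
        return n;
    }

    static void Main()
    {
        string login = "D'Avila";   // constructed sample: a legitimate name
        string senha = "segredo";   // constructed sample
        string text = BuildConcatenated(login, senha);
        Console.WriteLine(text);
        // An odd number of quotes means a string literal is left unterminated.
        Console.WriteLine("Quotes: {0} (balanced: {1})", CountQuotes(text), CountQuotes(text) % 2 == 0);
        using (SqlCommand cmd = BuildParameterized(login, senha))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} {1}({2}) = {3}", p.ParameterName, p.SqlDbType, p.Size, p.Value);
        }
    }
}
```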
Reputation: 83709
I think the problem could be that StrCmp is not valid SQL.
In SQL Server you can compare two varchar for equality using =.
Upvotes: 0