C# and SQL Server : conditional statement for tables

Question

I have a program that uses administrator and employee login. I have two tables in SQL Server named Admin and Employee.

I only have one login window. I have two forms AdminForm and EmpForm. When username and password are entered, I want to read the two tables.

• If username and password belongs to the table Admin, then it will show the AdminForm
• but when username and password belong to table Employee, it will show the EmpForm

I'm new to SQL Server. Is there anyway Was it possible? As of now, this my code:

private void btnLogin_Click(object sender, EventArgs e)
{    
    using (var connect = sqlcon.getConnection())
    {
         using (SqlCommand cmd = new SqlCommand("SELECT * FROM administrator WHERE username = @username AND password = @password"))
         {
              cmd.Connection = connect;
              connect.Open();
              cmd.Parameters.Add("@cusername", SqlDbType.Char).Value = tbUsername.Text;
              cmd.Parameters.Add("@cpassword", SqlDbType.Char).Value = tbPassword.Text;
              using (SqlDataReader re = cmd.ExecuteReader())
              {
                 if (re.Read())
                 {
                 }
                 else
                 {
                 }                               
             }                        
        }
    }
}

Answer 1

I used rights for admin and employee and coded it. Thanks for all idea! For someone need it, please refe to the code below. Don't forget to encrypt your passwords.

 private void btnLogin_Click(object sender, EventArgs e)
    {
        using (var connect = sqlcon.getConnection())
        {
            using (SqlCommand cmd = new SqlCommand("SELECT rights FROM employee WHERE username = @username AND password = @password"))
            {
                cmd.Connection = connect;
                connect.Open();
                cmd.Parameters.Add("@username", SqlDbType.Char).Value = tbUsername.Text;
                cmd.Parameters.Add("@password", SqlDbType.Char).Value = tbPassword.Text;
                //SqlDataReader re = cmd.ExecuteReader();
                string aeRights = (string)cmd.ExecuteScalar();

                if (aeRights == "1")
                {
                    frmAdmin frmA = new frmAdmin();
                    frmA.Show();
                    this.Hide();
                }

                else if (aeRights == "2")
                {
                    frmEmp frmE = new frmEmp();
                    frmE.Show();
                    this.Hide();
                }

                else if (string.IsNullOrEmpty(aeRights))
                {
                    MessageBox.Show("Invalid username or password! Please try again", "Warning", MessageBoxButtons.OK, MessageBoxIcon.Warning);
                }
            }              
        }
    }

Answer 2

Your query can work like this:

Select [EntityType] =1 , SurrogateKey = EmployeeKey, LastName, FirstName from dbo.Employee where (blah blah blah)
UNION ALL
Select [EntityType] = 2, SurrogateKey = AdminKey, LastName, FirstName from dbo.Admin where (blah blah blah)

Then you'll have a way to distinguish the rows....and you can make a decision if you get 2 rows back. EmployeeKey and AdminKey (whatever your PK names are) would have to be the same datatype. (LastName and FirstName as well, you can only UNION/UNION ALL if all the datatypes match.

..............

Having said that..........you have "mixed" alot of concerns. Create a DataLayer that returns some kind of POCO object that has the necessary values. A button_click and a SqlConnection should not be in the same code.

pubic class LoginResult()
{
public int EntityType {get;set;}
public int SurrogateKey {get;set;}
public string LastName{get;set;}
public string FirstName{get;set;}
}


public interface IAccountManager
{
LoginResult AttemptLogin (string userName, string password)
}
public class IAccountManager() : IAccountManager
{
public LoginResult AttemptLogin (string userName, string password)
{
// put your SqlConnection/SqlReader code here
// do not put any "logic" "if checks" etc....the concern here is to only create the object
}
}

That's a little better to separate concerns. Google "C# Layers" for more discussion.

Answer 3

The schema is wrong. Combine the two tables into a single Users table with an additional column indicating which role the user belongs to.

Answer 4

As others have said, this is not the correct way to do usernames / passwords. But the answer to your question would be to use a union, like:

         using (SqlCommand cmd = new SqlCommand("SELECT 1 as IsAdmin, * 
FROM administrator 
WHERE username = @username AND password = @password 
    UNION ALL 
SELECT 0 as IsAdmin, * 
FROM employees 
WHERE username = @username AND password = @password "))

Answer 5

You need 2 sql queries which take parameters user name and password, one query return objects of admin another query return object employee if inserted parameters are correct, otherwise they return null.

Try to initialize objects of Admin and Employee with results of those 2 queries. Than test

if(admin != null) open AdminForm. else if(employee != null) open EmpForm. else - show message incorrect user name or/and password.

Soner Gönül is right try using hashing with or without salt for not storing password in clear text.