Reuben Hale

Reputation: 31

Reading username and password from database

I'm looking for a way to match the username and password entered by the user in the WinForm application to the username and password stored in the database. When a user enters a wrong username or password, I receive:

"Object reference not set to an instance of an object."

Yes, I know this is not the safest way to save passwords, and I'm taking a course on security as of now.

Could anyone help?

Code for the login button

private void BtnLogin_Click(object sender, EventArgs e)
{
    try
    {
        // Three gates in order: both fields filled in, credentials match a row, role is one we know.
        if (isFormValid())
        {
            if (isLoginUsernameCorrect())
            {
                if (isLoginRoleCorrect())
                {
                    if (PublicRole == "Administrator")
                    {
                        MessageBox.Show("Admin Mode", "Administrator", MessageBoxButtons.OK, MessageBoxIcon.Information);
                    }
                    else if (PublicRole == "Secretary")
                    {
                        MessageBox.Show("Secretary Mode", "Secretary", MessageBoxButtons.OK, MessageBoxIcon.Information);
                    }
                    else if (PublicRole == "Financial")
                    {
                        MessageBox.Show("Financial Mode", "Financial", MessageBoxButtons.OK, MessageBoxIcon.Information);
                    }
                }
            }
        }
    }
    catch (Exception ex)
    {
        // Every SqlException or NullReferenceException thrown by the helpers above lands here,
        // and its raw message (including SQL Server error text) is shown to the user.
        MessageBox.Show("Oops, there was an error \n" + "Error: " + ex.Message, "Login Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }
}

Code for bool isFormValid:

private bool isFormValid()
{
    if (txtUsername.Text.Trim() == string.Empty || txtPassword.Text.Trim() == string.Empty)
    {
        MessageBox.Show("User Name and Password both are required..", "Enter User Name and Password", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return false;
    }
    else
    {
        return true;
    }
}

bool isLoginUsernameCorrect() and isLoginRoleCorrect():

string PublicRole;

private bool isLoginRoleCorrect()
{
    // Same username/password lookup as isLoginUsernameCorrect(), run a second time to read the role.
    cmd = new SqlCommand("Select Access from Userlogins where Username=@user and Credential=@pass", con);
    cmd.Parameters.AddWithValue("@user", txtUsername.Text);
    cmd.Parameters.AddWithValue("@pass", txtPassword.Text);
    // ExecuteScalar() returns null when no row matches, so calling .ToString() on it
    // throws the NullReferenceException seen on a wrong username or password.
    string RoleId = cmd.ExecuteScalar().ToString();
    PublicRole = RoleId;
    // The role is invalid only if it matches none of the three known values. The original
    // test used || (and listed "Financial" twice), which is true for every role and so
    // rejected every login.
    if (RoleId != "Administrator" && RoleId != "Secretary" && RoleId != "Financial")
    {
        MessageBox.Show("UserName or Password is Incorrect.", "Incorrect Login Details", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return false;
    }
    else
    {
        return true;
    }
}

private bool isLoginUsernameCorrect()
{
    cmd = new SqlCommand("Select username from Userlogins where username=@user and Credential=@pass", con);
    cmd.Parameters.AddWithValue("@user", txtUsername.Text);
    cmd.Parameters.AddWithValue("@pass", txtPassword.Text);
    // ExecuteScalar() returns null when no row matches the username/password pair, so this
    // .ToString() is where "Object reference not set to an instance of an object" originates.
    string User = cmd.ExecuteScalar().ToString();
    // This null/empty check can never catch the no-row case: the line above has already thrown.
    if (string.IsNullOrWhiteSpace(User))
    {
        MessageBox.Show("Incorrect Username and Password", "Incorrect Details", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return false;
    }
    else
    {
        return true;
    }
}

Upvotes: 0

Views: 345

Answers (1)

Nick Bailey

Reputation: 3162

Ok, please, for the sake of your employer and/or customers, stop and do some basic research into software development and security practices. You have passwords in your database in plaintext. That is among the most serious possible security violations you could implement. Seriously, someone at my employer would be fired on the spot for doing this.

The 'correct' way to manage passwords is to store a cryptographic one-way hash of a salted version of the password in your database. A basic summary of the technique is available here: https://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/, but honestly, you should probably just go out and take a security course.

Upvotes: 1
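Putting the question's null-reference problem and the answer's salted-hash advice together, here is an added example (not code from the question, the answer, or the linked article) of how the login lookup could be written in C# against `System.Data.SqlClient`: one parameterized query by username only, an explicit no-row branch instead of calling `.ToString()` on the result of `ExecuteScalar()`, and PBKDF2-HMAC-SHA256 verification of a per-user salted hash with a constant-time comparison. The table layout `Userlogins(Username, Salt, Hash, Iterations, Access)`, the class and method names, the iteration count, and the requirement of .NET Framework 4.7.2+ or .NET Core (for the `Rfc2898DeriveBytes` overload that takes a `HashAlgorithmName`) are assumptions, not something the page states.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example, not the poster's code. Assumed table (not on the page):
//   Userlogins(Username NVARCHAR(256), Salt VARBINARY(16), Hash VARBINARY(32),
//              Iterations INT, Access NVARCHAR(32))
public static class LoginService
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int DefaultIterations = 100000;   // assumed work factor; raise it as hardware allows

    public sealed class StoredCredential
    {
        public byte[] Salt;
        public byte[] Hash;
        public int Iterations;
    }

    public sealed class LoginResult
    {
        public bool Success;
        public string Role;   // the Access column; null unless Success
    }

    // For registration or password change: fresh random salt, PBKDF2-HMAC-SHA256.
    public static StoredCredential HashPassword(string password, int iterations = DefaultIterations)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        return new StoredCredential
        {
            Salt = salt,
            Iterations = iterations,
            Hash = Derive(password, salt, iterations)
        };
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Constant-time comparison so a wrong hash is not detectable by how early the loop stops.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Looks the user up by name only; the password never goes to SQL Server.
    public static LoginResult Login(SqlConnection con, string username, string password)
    {
        const string sql = "SELECT Salt, Hash, Iterations, Access FROM Userlogins WHERE Username = @user";
        StoredCredential stored = null;
        string role = null;

        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = username;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // No row is the case the poster's code hit by calling .ToString()
                // on a null ExecuteScalar() result; here it simply leaves stored == null.
                if (reader.Read())
                {
                    stored = new StoredCredential
                    {
                        Salt = (byte[])reader["Salt"],
                        Hash = (byte[])reader["Hash"],
                        Iterations = reader.GetInt32(reader.GetOrdinal("Iterations"))
                    };
                    role = reader.GetString(reader.GetOrdinal("Access"));
                }
            }
        }

        // Unknown username: still run the KDF against a dummy record so the
        // response time does not reveal whether the account exists.
        if (stored == null)
        {
            stored = new StoredCredential { Salt = new byte[SaltBytes], Hash = new byte[HashBytes], Iterations = DefaultIterations };
        }

        byte[] computed = Derive(password, stored.Salt, stored.Iterations);
        bool ok = role != null && FixedTimeEquals(computed, stored.Hash);
        return new LoginResult { Success = ok, Role = ok ? role : null };
    }
}
```

From the form, `LoginService.Login(con, txtUsername.Text, txtPassword.Text)` replaces both `isLoginUsernameCorrect()` and `isLoginRoleCorrect()`: the caller checks `Success`, reads `Role`, and shows one generic "incorrect username or password" message for any failure. `HashPassword` is what a registration or password-change screen would call to produce the stored columns, and storing `Iterations` per row lets the work factor be raised later without rehashing every account at once. Because the password is no longer compared in SQL, a dump of `Userlogins` yields only salts and hashes, and the `catch` that displays `ex.Message` should log the exception instead of showing database error text to the user.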
