Question

I have a few bugs in my code. For some reason, when I try to catch at the end, it throws up errors saying it is missing lots of brackets, although I don't think it is. Could someone please let me know where I have gone wrong?

Code:

namespace login
{
   public partial class _Default : Page
   {
      // decleration of tabels and dataadapters including my connection string for my MySQL databse
      DataSet ds = new DataSet();
      MySqlConnection cs = new MySqlConnection(@"SERVER= ********;username=******;password=******;Allow Zero Datetime=true; Initial Catalog = benoatsc_GreenFilm");

      MySqlDataAdapter da = new MySqlDataAdapter();
      DataTable dt = new DataTable();
      String totalDonations = string.Empty;

      protected void Button1_Click(object sender, EventArgs e)
      {
         try
         {
            MySqlCommand SelectCommand = new MySqlCommand("select * from films.user where user_name='" + this.username.Text + "; and password='" + this.password.Text + "';", cs);
            MySqlDataReader myreader;
            cs.Open();
            myreader = SelectCommand.ExecuteReader();

            int count = 0;
            while (myreader.Read())
            {
               count = count + 1;
            }

            if (count == 1)
            {
               Response.Write(@"<script language='javascript'>alert('wow your in !!');</script>");
            }

            else if (count > 1)
            {
               Response.Write(@"<script language='javascript'>alert('duplicate');</script>");
            }

            else Response.Write(@"<script language='javascript'>alert('wrong password');</script>");

            cs.Close();
         }

         catch (Exception ex)
         {
            Response.Write(@"<script language='javascript'>alert(ex.message);</script>");
         }
      }
   }
}
Solution

Problem 1: you have opened an extra curly brace { after the try block.
Problem 2: you have opened the user_name parameter with a single quote but you have not closed it with a single quote.

Solution 1: you need to remove the extra curly brace opened after the try block.
Solution 2: you need to enclose the user_name parameter in single quotes properly.

Suggestion: your query is open to SQL injection attacks; I would suggest using parameterised queries to avoid this.

Complete Code: using parameterised queries

namespace login
{
public partial class _Default : Page
{
    // decleration of tabels and dataadapters including my connection string for my MySQL databse
    DataSet ds = new DataSet();
    MySqlConnection cs = new MySqlConnection(@"SERVER= ********;username=******;password=******;Allow Zero Datetime=true; Initial Catalog = benoatsc_GreenFilm");

    MySqlDataAdapter da = new MySqlDataAdapter();
    DataTable dt = new DataTable();
    String totalDonations = string.Empty;

    protected void Page_Load(object sender, EventArgs e)
    {

    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        try
        {

                MySqlCommand SelectCommand = new MySqlCommand("select * from films.user where user_name=@username and password=@password;", cs);
                MySqlDataReader myreader;
                SelectCommand.Parameters.AddWithValue("@username",this.username.Text);
                SelectCommand.Parameters.AddWithValue("@password",this.password.Text);
                cs.Open();

                myreader = SelectCommand.ExecuteReader();

                int count = 0;
                while (myreader.Read())
                {
                    count = count + 1;
                }

                if (count == 1)
                {
                    Response.Write(@"<script language='javascript'>alert('wow your in !!');</script>");
                }

                else if (count > 1)
                {
                    Response.Write(@"<script language='javascript'>alert('duplicate');</script>");
                }

                else Response.Write(@"<script language='javascript'>alert('wrong password');</script>");

                cs.Close();
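        }//end of try block

        catch (Exception ex)
        {
            // ex exists only on the server, so its message is encoded into the script text
            // (HttpUtility is in System.Web)
            Response.Write("<script language='javascript'>alert('" + HttpUtility.JavaScriptStringEncode(ex.Message) + "');</script>");
        }//end of catch block

    }//end of Button1_Click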
    }//end of class 
}//end of namespace

Other tips

Apart from the missing brackets and the wrong SQL query (it contains a semicolon), you can improve your code a lot. You can use ExecuteScalar and modify your query to COUNT(*). That way you don't have to count in your code. Also use a using statement, which will ensure the connection is closed even in case of an exception. So your code should be along the following lines:

namespace login
{
    public partial class _Default : Page
    {
        // decleration of tabels and dataadapters including my connection string for my MySQL databse
        DataSet ds = new DataSet();
        MySqlConnection cs = new MySqlConnection(@"SERVER= ********;username=******;password=******;Allow Zero Datetime=true; Initial Catalog = benoatsc_GreenFilm");

        MySqlDataAdapter da = new MySqlDataAdapter();
        DataTable dt = new DataTable();
        String totalDonations = string.Empty;

        protected void Page_Load(object sender, EventArgs e)
        {

        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            try
            {
                using (MySqlCommand SelectCommand = new MySqlCommand("select count(*) from films.user where user_name=@username AND password = @password", cs))
                {
                    SelectCommand.Parameters.AddWithValue("@username", username.Text);
                    SelectCommand.Parameters.AddWithValue("@password", password.Text);
                    cs.Open();
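                    // COUNT(*) comes back from MySQL as a 64-bit value, so a direct (int) unboxing cast throws
                    int count = Convert.ToInt32(SelectCommand.ExecuteScalar());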
                    if (count == 1)
                    {
                        Response.Write(@"<script language='javascript'>alert('wow your in !!');</script>");
                    }
                    else if (count > 1)
                    {
                        Response.Write(@"<script language='javascript'>alert('duplicate');</script>");
                    }

                    else Response.Write(@"<script language='javascript'>alert('wrong password');</script>");
                }
            }

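            catch (Exception ex)
            {
                // ex exists only on the server, so its message is encoded into the script text
                // (HttpUtility is in System.Web)
                Response.Write("<script language='javascript'>alert('" + HttpUtility.JavaScriptStringEncode(ex.Message) + "');</script>");
            }
            finally
            {
                // the using block above disposes only the command; close the shared connection here
                cs.Close();
            }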

        }
    }
}

Using parameters with the command will save you from SQL injection.
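
Added example (not part of either answer): the same login check built both ways, so the difference the answers describe can be seen on real input. It uses Python's built-in sqlite3 with an in-memory table as a stand-in for the MySQL films.user table so it runs without a server; the rows, function names and test inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for films.user (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user_name TEXT, password TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)",
                   [("alice", "s3cret"), ("o'brien", "hunter2")])
    return db

def login_concat(db, username, password):
    """The question's pattern: user input is pasted into the SQL text."""
    sql = ("SELECT COUNT(*) FROM user WHERE user_name='" + username +
           "' AND password='" + password + "'")
    try:
        return db.execute(sql).fetchone()[0]
    except sqlite3.Error:
        return -1  # the input broke the statement's syntax

def login_param(db, username, password):
    """The answers' pattern: input is sent as bound values, never as SQL."""
    sql = "SELECT COUNT(*) FROM user WHERE user_name=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0]

# Constructed inputs: a valid login, a legitimate name containing a quote,
# and a password whose quotes rewrite the WHERE clause when concatenated.
CASES = [
    ("alice", "s3cret"),
    ("o'brien", "hunter2"),
    ("alice", "' OR '1'='1"),
]

def compare():
    """Return (username, password, concat_count, param_count) per case."""
    db = make_db()
    return [(u, p, login_concat(db, u, p), login_param(db, u, p))
            for u, p in CASES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

With concatenation, the quote in a legitimate name makes the statement invalid and the third input matches every row; with bound parameters each input is compared only as a literal value.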

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow