Question

Hi, I searched a lot about this subject and I can't seem to understand most of the coding done by the users. I'm good with the 'Borland C++ Builder' and have good experience with it, but I can't seem to get to the bottom of MSVS C# 2008. Anyways, my problem is with the login SQL query, if that's the correct name for it; it seems that none of the solutions I searched for and found work at all. Here's part of my code:

using System.Data.Sql;
using System.Data.SqlClient;

namespace DMSTestLoginForm
{
public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        string connection = @"Data Source=.\SQLExpress;AttachDbFilename=|Data Directory is all set and ready to go|.mdf;Integrated Security=True;User Instance=True";
        SqlConnection con = new SqlConnection(connection);

        try
        {
            con.Open();
            //MessageBox.Show("Connection Successful");
        }
        catch (Exception)
        {
            //MessageBox.Show("Did not connect"); // connection is successful, the issue is down below.
        }
    }

    private void lgnbtn_Click(object sender, EventArgs e)
    {
        string dummyun = uninput.Text;
        string dummypw = pwinput.Text;
        SqlCommand dummy1 = new SqlCommand("SELECT * FROM nurse WHERE n_id ='"+uninput.Text+"'");
        SqlCommand dummy2 = new SqlCommand("SELECT * FROM nurse WHERE n_pw = '"+pwinput.Text+"'");
        string dum = Convert.ToString(dummy1);
        string dum2 = Convert.ToString(dummy2);
        if((dum==dummyun)&&(dum2==dummypw))
            MessageBox.Show("Welcome in");        //this message is to test if i logged in or not.
            //Form2 Loggedin = new Form2;
            //Loggedin.Show();
       else
            MessageBox.Show("Login failed"); 

    }

The problem is not with my connection string; it's actually, as I mentioned above, with the SQL query to check whether the username/password exists in my DB table, which is "nurse", or not. I know I created lots of "string" instances, but I reached a desperate situation and will be very thankful to the solution provider(s). Thanks in advance.


Solution

You need to execute your SqlCommand object with a DataReader, and try to use parameterized queries. SqlDataReader

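private void lgnbtn_Click(object sender, EventArgs e)
    {
        string dummyun = uninput.Text;
        string dummypw = pwinput.Text;
        // 'con' must be a SqlConnection field of the form
        // (in the question it is a local variable of Form1_Load).
        con.Open();

        // User input is bound as parameters, never concatenated into the SQL text.
        using (SqlCommand StrQuer = new SqlCommand("SELECT * FROM nurse WHERE n_id=@userid AND n_pw=@password", con))
        {
            StrQuer.Parameters.AddWithValue("@userid", dummyun);
            StrQuer.Parameters.AddWithValue("@password", dummypw);
            // Dispose the reader before the connection is closed or reused.
            using (SqlDataReader dr = StrQuer.ExecuteReader())
            {
                if (dr.HasRows)
                {
                    MessageBox.Show("loginSuccess");
                }
                else
                {
                    //invalid login
                }
            }
        }
        // Close again so the next click can call con.Open() without an exception.
        con.Close();
    }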

Other tips

A SqlCommand is not something that you simply call Convert.ToString on. It has methods that you need to call in order to get the expected results.

You need to call a method like ExecuteReader and read back the results. And you should probably change your query to one query instead of two separate queries. Finally, as @SLaks has pointed out, you don't want to make yourself vulnerable to SQL injection, so try to write your query as a parameterized query, and add your parameters through the SqlCommand's Parameters property.
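
The difference between the question's concatenated query and a single parameterized one, as an added example that is not part of the original answers. The class and method names and the NVARCHAR(50) column sizes are assumptions; `Main` only inspects the command objects, so it runs without a database.

```csharp
// Added example. Names and column sizes below are assumptions, not from the original post.
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginQueryDemo
{
    // The question's approach: user input becomes part of the SQL text.
    public static SqlCommand Concatenated(string user) =>
        new SqlCommand("SELECT * FROM nurse WHERE n_id ='" + user + "'");

    // Parameterized: the SQL text is fixed, input travels separately as a typed value.
    public static SqlCommand Parameterized(string user, string password)
    {
        var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM nurse WHERE n_id = @userid AND n_pw = @password");
        // Explicit type and size (assumed column definition) instead of AddWithValue's inference.
        cmd.Parameters.Add("@userid", SqlDbType.NVarChar, 50).Value = user;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
        return cmd;
    }

    // One query, one round trip; connection and command are disposed on every path.
    public static bool CheckLogin(string connectionString, string user, string password)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = Parameterized(user, password))
        {
            cmd.Connection = con;
            con.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    static void Main()
    {
        string input = "x' OR '1'='1";   // constructed sample input containing a quote
        // Here the quote ends the string literal, so the remainder is parsed as SQL.
        Console.WriteLine(Concatenated(input).CommandText);
        // Here the command text stays constant; the quote is just a character in the value.
        SqlCommand safe = Parameterized(input, "pw");
        Console.WriteLine(safe.CommandText);
        Console.WriteLine(safe.Parameters["@userid"].Value);
    }
}
```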

It's a magical code for the login button. This will also make labels with an error message visible.

private void btnlogin_Click(object sender, EventArgs e)
        {
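            SqlConnection con = new SqlConnection(@"PASTE_YoURCONNECTION_STRING_HERE"); 
            // Input is bound as parameters instead of being concatenated into the SQL text.
            SqlDataAdapter usr = new SqlDataAdapter("SELECT COUNT(*) FROM login WHERE username=@username", con);
            usr.SelectCommand.Parameters.AddWithValue("@username", textBox1.Text);
            // The password must belong to the entered username, not to any row in the table.
            SqlDataAdapter pswd = new SqlDataAdapter("SELECT COUNT(*) FROM login WHERE username=@username AND password=@password", con);
            pswd.SelectCommand.Parameters.AddWithValue("@username", textBox1.Text);
            pswd.SelectCommand.Parameters.AddWithValue("@password", textBox2.Text);
            DataTable dt1 = new DataTable(); //this is creating a virtual table  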
            DataTable dt2 = new DataTable();
            usr.Fill(dt1);
            pswd.Fill(dt2);
            if (dt1.Rows[0][0].ToString() == "1" && dt2.Rows[0][0].ToString() == "1")
            {
                this.Hide();
                new mainform().Show();
            }
            else if (dt1.Rows[0][0].ToString() != "1" && dt2.Rows[0][0].ToString() != "1")
            {
                usrerror.Visible = true;
                pswrderror.Visible = true;
            }
            else if (dt1.Rows[0][0].ToString() == "1" && dt2.Rows[0][0].ToString() != "1")
            {
                usrerror.Visible = false;
                pswrderror.Visible = true;
            }
            else if (dt1.Rows[0][0].ToString() != "1" && dt2.Rows[0][0].ToString() == "1")
            {
                usrerror.Visible = true;
                pswrderror.Visible = false;
            }               
        } 


Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow