private void button1_Click(object sender, EventArgs e)
{
try
{
string myconnection = @"Data Source=(LocalDB)\v11.0;AttachDbFilename=C:\Users\G_Anik\documents\visual studio 2012\Projects\Practise2\Practise2\Database1.mdf;Integrated Security=True";
SqlConnection mycon = new SqlConnection(myconnection);
SqlCommand SelectCommand = new SqlCommand("Select *from Database1.Login where UserName=' " + this.Username.Text + " ' and Password=' " + this.Password.Text + " ' ;", mycon);
SqlDataReader myReader;
mycon.Open();
myReader = SelectCommand.ExecuteReader();
int count = 0;
while (myReader.Read())
{
count = count + 1;
}
if (count == 1)
{
MessageBox.Show("UserName and Password is Correct");
}
else if (count > 1)
{
MessageBox.Show("Duplicate Username and Password.. Access DEnied");
}
else
MessageBox.Show("Username and password is Incorrect.Try Again");
mycon.Close();
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
Asked
Active
Viewed 669 times
-3
Saro Taşciyan
- 5,210
- 5
- 31
- 50
Oscar
- 9
- 1
- 2
2 Answers
1
This is a collection of "how-not-to-do-this" lines of code. Please read a good book or tutorial on:
- SQL in general (your quotes are wrong)
- SQL injection attacks (what happens if I put
'; DROP DATABASE; --into your textbox? Or maybe just' OR 1 == 1 --?) - password security in the database. See hashing.
- the IDisposible interface and using blocks
0
Try like this...
SqlCommand SelectCommand = new SqlCommand("Select *from Login where UserName=' " + this.Username.Text + " ' and Password=' " + this.Password.Text + " ' ;", mycon);
SqlDataReader myReader;
Nagaraj S
- 13,316
- 6
- 32
- 53