
I am attempting to create a login form using a username and password from a database table named "Table". I have watched several videos and looked at several other pages and cannot seem to get the query to run correctly. My second try/catch block shows the message box "could not run query". Will someone look at my code to see what is wrong, please and thank you.

```csharp
SqlConnection con = new SqlConnection();
string connectionString = @"Data Source=(LocalDB)\v11.0;AttachDbFilename=C:\Users\Donovan\Documents\Work\Time Clock program\Time Clock program1.2\Time Clock program\Database1.mdf;Integrated Security=True;Connect Timeout=30;";
string query = "SELECT Count(*) FROM [Table] WHERE Username='" + usernameTextBox.Text +
    "' AND Password = '" + this.passwordTextBox.Text + "'";
try
{
    con = new SqlConnection(connectionString);
}
catch (Exception ex)
{
    MessageBox.Show("Could not connect to Database");
    MessageBox.Show(ex.Message);
}

try
{
    if (!(usernameTextBox.Text == string.Empty))
    {
        if (!(passwordTextBox.Text == string.Empty))
        {
            SqlCommand cmd = new SqlCommand(query, con);
            SqlDataReader dbr;
            con.Open();
            dbr = cmd.ExecuteReader();
            int count = 0;
            while (dbr.Read())
            {
                count = count + 1;
            }
            if (count == 1)
            {
                MessageBox.Show("username and password is correct");
            }
            else if (count > 1)
            {
                MessageBox.Show("Duplicate username and password", "login page");
            }
            else
            {
                MessageBox.Show(" username and password incorrect", "login page");
            }
        }
        else
        {
            MessageBox.Show(" password empty", "login page");
        }
    }
    else
    {
        MessageBox.Show(" username empty", "login page");
    }
    // con.Close();
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}
```
  • What does the exception tell you? – Darren Jan 03 '16 at 15:23
  • @DarrenDavies I am not getting an exception at all. I just get my "try/catch block" message box. – Donovan Kight Jan 03 '16 at 15:25
  • You should use catch blocks like this as @DarrenDavies said: `catch(Exception ex){ MessageBox.Show(ex.Message); }` – st. Jan 03 '16 at 15:25
  • I think if the code reaches your exception catch, you should be able to display the exception code and description; that should help in knowing more about the problem. – vmachan Jan 03 '16 at 15:25
  • You're swallowing the exception and hiding the real error. Make sure you can always get the underlying message; it tells clearly the root cause of the error. – Alejandro Jan 03 '16 at 15:26
  • BTW, and somewhat unrelated, make sure you know who [Bobby Tables](http://bobby-tables.com/) is – Alejandro Jan 03 '16 at 15:28
  • thanks @st. I changed that exception box – Donovan Kight Jan 03 '16 at 15:31
  • You also want to try to catch the SqlException before the general exception, as that will give you more information. – RBarryYoung Jan 03 '16 at 15:32
  • Thanks to a couple of changes it is not hitting the exception block anymore; now my textbox saying username and password is incorrect is popping up. – Donovan Kight Jan 03 '16 at 15:52

1 Answer

My money is on Table being a reserved keyword in TSQL. You might wanna use it as [Table] instead. As a better way, change your table name to a non-reserved word.

But more importantly, you should always use parameterized queries. This kind of string concatenation is open to SQL Injection attacks.

Do not store your passwords as plain text. Read Best way to store password in database

Use the using statement to dispose your connection and command automatically instead of calling the Close or Dispose methods manually.

By the way, I strongly suspect you may wanna use SELECT COUNT(*) with the ExecuteScalar method, since you don't do anything with the other things.

– Soner Gönül
  • Okay, so I changed Table to [Table] and fixed my messagebox like st said. Now I am just getting a message box stating username and password are incorrect, which I know they are correct. (For testing purposes I have the text auto populated.) So the brackets definitely helped! – Donovan Kight Jan 03 '16 at 15:30
  • @DonovanKight Are you really sure? Did you try your command in your sql server? Does it return any rows there? – Soner Gönül Jan 03 '16 at 15:46
  • My table is initially empty. When the program starts it asks the user to create a username and password. Once those are entered, the program adds the username and password to the table and then asks the user to log in using those credentials (doing this as something of a tutorial for my program). The table is shown prior to asking the user to log in, so I know the data is there. Don't worry, this will all be changed; I am more testing it out right now and trying to learn at the same time. – Donovan Kight Jan 03 '16 at 15:50
  • I cannot try the command (that I know of) since the table is initially empty. – Donovan Kight Jan 03 '16 at 16:03
  • Okay, so I thought it was working but it is not; now it is stating "username and password is correct" even if I change the username and password to something incorrect. – Donovan Kight Jan 03 '16 at 16:21
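The answer's points as working C# (an added example, not the answerer's or the asker's code): a parameterized query, `using` blocks, and a salted PBKDF2 hash verified in constant time instead of a plain-text Password column; it also sidesteps the row-counting mistake behind the last comment, since `SELECT COUNT(*)` always returns exactly one row, so the original `count == 1` branch fires for any input. Assumes a table `Users(Username, PasswordSalt, PasswordHash)` and a connection string supplied by the caller.

```csharp
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginCheck
{
    // Returns true only when exactly one Users row matches the username and the
    // stored PBKDF2 hash verifies. Table/column names are assumed for this example.
    public static bool Verify(string connectionString, string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;
        const string sql =
            "SELECT PasswordSalt, PasswordHash FROM Users WHERE Username = @username";
        // using disposes connection, command and reader even when an exception is thrown.
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Parameter, not concatenation: the text box content travels as data and
            // is never spliced into the SQL statement.
            cmd.Parameters.Add("@username", System.Data.SqlDbType.NVarChar, 256).Value = username;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;               // no such user
                byte[] salt = (byte[])reader["PasswordSalt"];
                byte[] expected = (byte[])reader["PasswordHash"];
                if (reader.Read())
                    return false;               // duplicate username: refuse rather than guess
                return SlowEquals(Pbkdf2(password, salt, expected.Length), expected);
            }
        }
    }

    // Same derivation the registration code must use when storing PasswordHash.
    public static byte[] Pbkdf2(string password, byte[] salt, int length)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
            return kdf.GetBytes(length);
    }

    // Constant-time comparison so timing does not leak how many bytes matched.
    private static bool SlowEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The salt is a fresh random value per user (for example from `RandomNumberGenerator`) written alongside the hash at registration; `Verify` never needs the plain-text password from the database.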