I made a login window in C# WinForms. I connected it to my SQL database, to a table named Table. When I press the login button:

    private void button1_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection(@"Data Source=DESKTOP-F3KNAHJ;Initial Catalog=Login;Integrated Security=True");

        // Table name and both text boxes are concatenated straight into the SQL text
        string query = "Select * from Table Where username='" + textBox1.Text.Trim() + "' and password='" + textBox2.Text.Trim() + "'";
        SqlDataAdapter sda = new SqlDataAdapter(query, con);
        DataTable dt = new DataTable();
        sda.Fill(dt);   // the query runs here, and this is where the exception below is raised
        if (dt.Rows.Count == 1)
        {
            main objmain = new main();
            this.Hide();
            objmain.Show();
        }
        else
        {
            MessageBox.Show("Check your username or password");
        }
    }

I get: System.Data.SqlClient.SqlException: 'Incorrect syntax near the keyword 'Table'.'

Gaurav Jalan
Leahl
  • Additional to that: please, please do not build SQL with concatenation. Use parameterized SQL instead. And do not store passwords in plain text; hash + salt them, please. – Steve Jul 16 '18 at 18:05
  • Note that there is *a lot* wrong here. For the problem at hand, you're using `Table` for your table name. It seems pretty likely that any given RDBMS is going to have that word reserved. Consider using a more specific name. You can also "escape" the name. In SQL Server that would be with square brackets: `SELECT * FROM [Table] ...` Aside from that, your code is also *wide open* to **SQL injection**, you should be using query parameters instead of *executing user input as code*. And aside from that, you're also *storing user passwords in plain text* which is **grossly irresponsible**. – David Jul 16 '18 at 18:06

2 Answers

If you really have named your table Table, then you should know that Table is also a reserved word in SQL; you should have wrapped it in square brackets like [Table] so that it knows you mean the table name, not the keyword table.

Secondly, you should not be doing string concatenation for queries, as it opens up your application to SQL injection attacks. You should be using parameterized queries; you can look up how to write parameterized queries.

Another thing is you should not be storing passwords as plain text in the database; instead you should be encrypting those and storing that, so that in case of any information leakage no one's credentials get compromised. Please have a look at this post as an example.

Side Note: Another thing is you can add try and catch blocks to do exception handling, so that in case of any exception your application does not crash and returns some meaningful message describing what could have gone wrong.

Ehsan Sajjad
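Putting the three points of this answer together, as an added example that is not the original poster's or the answerer's code: the table name is bracketed, the username is bound as a parameter rather than concatenated, and only a salted PBKDF2 hash is stored and compared. It assumes a constructed schema with columns username, pwd_hash (varbinary(32)) and pwd_salt (varbinary(16)) in [Table], and .NET Framework 4.7.2 or later for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Assumed schema (constructed for this example):
//   [Table](username nvarchar(50), pwd_hash varbinary(32), pwd_salt varbinary(16))
static class LoginCheck
{
    const int Iterations = 100000;

    // Derives a 32-byte PBKDF2-SHA256 hash from the password and the user's salt.
    static byte[] DeriveHash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Compares every byte regardless of where the first difference is,
    // so the comparison time does not reveal how much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns true only if the username exists and the password matches its stored hash.
    public static bool Verify(string connectionString, string username, string password)
    {
        // [Table] is bracketed because TABLE is a reserved word; the username travels
        // as a typed parameter, so its content can never change the query's structure.
        const string query = "SELECT pwd_hash, pwd_salt FROM [Table] WHERE username = @username";
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(query, con))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username.Trim();
            con.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read()) return false;               // unknown user
                var storedHash = (byte[])rdr["pwd_hash"];
                var salt = (byte[])rdr["pwd_salt"];
                return FixedTimeEquals(DeriveHash(password, salt), storedHash);
            }
        }
    }
}
```

In button1_Click, replace the SqlDataAdapter block with a call to LoginCheck.Verify and branch on its result; the password itself is never sent to SQL Server.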
For a desktop application, there's no need to reinvent the authentication process.

Just have your database table include the list of windows users and their permissions.

Use Environment.Username to grab the username and make sure you have a match in the table against that username. You don't need to even give them a login form.

It's still good to use a parameterized query.

Ctznkane525