Hi, I want my login form to verify whether the user name and password are in the database; if so it should display frmMain, if not it should display "Invalid UserName or Password".
 
It works if the user name and password are right but displays nothing if the user name and password are wrong.
Please help me out.
 

private void btnLogin_Click(object sender, EventArgs e)
{
    if (string.IsNullOrEmpty(this.txtUsername.Text) | string.IsNullOrEmpty(this.txtPassword.Text))
    {
        MessageBox.Show("provide User Name and Password");
    }

    if (string.IsNullOrEmpty(cboUsertype.Text))
    {
        MessageBox.Show("Select User Type");
    }

    SqlConnection conn = new SqlConnection();
    conn.ConnectionString = "Data Source=pc101;Initial Catalog=SMS;User ID=sa;Password=mike";
    conn.Open();

    string UserName = txtUsername.Text;
    string Password = txtPassword.Text;
    string UserType = cboUsertype.Text;

    SqlCommand cmd = new SqlCommand("SELECT * FROM tbluser WHERE username = '" + txtUsername.Text + "' and usertype = '" + cboUsertype.Text + "' and mypassword = '" + txtPassword.Text + "'", conn);

    SqlDataAdapter da = new SqlDataAdapter(cmd);
    DataTable dt = new DataTable();
    da.Fill(dt);

    System.Data.SqlClient.SqlDataReader dr = null;
    dr = cmd.ExecuteReader();

    if (dr.Read())
    {
        SqlConnection con = new SqlConnection(ConfigurationSettings.AppSettings["ConnectionString"]);
        con.ConnectionString = "Data Source=pc101;Initial Catalog=SMS;User ID=sa;Password=mike";
        con.Open();

        if (this.cboUsertype.Text == dr["UserType"].ToString() & this.txtUsername.Text == dr["UserName"].ToString() & this.txtPassword.Text == dr["mypassword"].ToString() & this.cboUsertype.Text == "Data Entry Clerk")
        {
            MessageBox.Show("*** Login Successful ***");
            frmMain f = new frmMain();
            f.Show();
            // f.CreateUserAccountToolStripMenuItem.Enabled = false;
            this.Hide();
        }
        else if (this.cboUsertype.Text == dr["UserType"].ToString() & this.txtUsername.Text == dr["UserName"].ToString() & this.txtPassword.Text == dr["mypassword"].ToString())
        {
            MessageBox.Show("*** Login Successful ***");
            frmMain g = new frmMain();
            g.Show();
            this.Hide();
        }
        else
        {
            MessageBox.Show("Invalid UserName or Password", "Login", MessageBoxButtons.OK, MessageBoxIcon.Information);
            MessageBox.Show("Access Denied!!");
        }
    }
}
Posted 3-Mar-12 5:26am
Edited 3-Mar-12 5:27am
Comments
Mark Nischalke at 3-Mar-12 10:27am
   
Format your code snippets when posting

Solution 2

Don't EVER accept unvalidated user input and concatenate a Sql command. EVER. Read about SQL injection attacks.
 
Learn about the using clause, as in
 
using(SqlCommand cmd = new SqlCommand(...))
{
 
}
 
You're creating and opening two SqlConnections and never using the second one. Why?
 
Write a stored procedure that accepts the username and password and returns a value indicating if they are valid. Much simpler, much cleaner.
Comments
SAKryukov at 3-Mar-12 18:59pm
   
Good points, a 5.
Again, I added a reference on SQL injection and other clarifications in my answer.
--SA

Solution 3

In addition to the answers by Griff and Mark, see this:
http://en.wikipedia.org/wiki/SQL_injection
 
Now, about using Griff's advice on cryptographic hash algorithms: I need to add a warning against using MD5.
 
First of all, the password is never stored anywhere. Don't you see that storing the password is wrong and totally insecure?
 
You never need a password in its original form for authentication. One of the usual and simple techniques is using a cryptographic hash function of the password. You store only the password hash in your database, calculate a hash of the password from the user input each time the user tries to authenticate, and compare the newly calculated hash value with the hash value stored in your database. A good hash function is practically infeasible to invert, so no one can calculate the original password even with full access to the database.
 
Please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function
 
Don't use MD5 for any security: this algorithm is considered broken, please see:
http://en.wikipedia.org/wiki/MD5
 
Instead, you can use one of the Secure Hash Algorithms (SHA):
http://en.wikipedia.org/wiki/SHA2
 
The classes implementing those algorithms are available in .NET:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx
 
If you perform the calculation of the cryptographic hash function in .NET only, that means on the server side only, the original password still has to be passed through the network, so a spy can pick it up. Therefore, safe authentication should only use the secure HTTPS protocol, not HTTP.
 
Please see:
http://en.wikipedia.org/wiki/HTTPS
 
—SA
Comments
Mohamed Mitwalli at 26-Jul-12 4:23am
   
5+
Sergey Alexandrovich Kryukov at 27-Jul-12 17:01pm
   
Thank you, Mohammed.
--SA

Solution 1

Please don't do that.
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks which can destroy your entire database. Use parameterized queries instead.
2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.
 
Other than that, all you need is to show the form:
if (successfulLogin)
{
    frmMain f = new frmMain();
    Hide();
    f.ShowDialog();
    Show();
}
Comments
mikeoabban at 3-Mar-12 10:36am
   
thanks a lot
i'll try it now
SAKryukov at 3-Mar-12 18:58pm
   
Good points, but...
I took a look at your article on password storage. I would warn against MD5 -- it's considered broken. So I voted 4 and added my answer: some clarifications on password storage, a warning against MD5 and a reference on SQL injection.
--SA
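Putting Solutions 1, 2 and 3 together, here is an added example (not code from any of the answers above) of what the login check could look like: a parameterized query wrapped in using blocks, a salted SHA-256 hash compared in constant time instead of a stored password, and a single bool the button handler can test. It assumes tbluser has VARBINARY columns pwdsalt and pwdhash filled at registration (salt from RandomNumberGenerator), and that the password is hashed only once it reaches the server, so, as Solution 3 says, the transport still needs HTTPS; for new code a slow KDF such as PBKDF2 (Rfc2898DeriveBytes) is preferable to plain SHA-256.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

public static class Login
{
    // Salted SHA-256 of the password; only this and the salt go into the table.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        var input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (var sha = SHA256.Create()) return sha.ComputeHash(input);
    }

    // Constant-time comparison: a mismatch costs the same whichever byte differs.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Looks up the user with a parameterized query (no string concatenation),
    // then checks the typed password against the stored salt and hash.
    // Assumed schema: tbluser(username, usertype, pwdsalt VARBINARY, pwdhash VARBINARY).
    public static bool TryLogin(string connStr, string user, string userType, string password)
    {
        const string sql = "SELECT pwdsalt, pwdhash FROM tbluser WHERE username = @u AND usertype = @t";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@t", SqlDbType.NVarChar, 50).Value = userType;
            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (!dr.Read()) return false; // unknown user: same answer as a wrong password
                byte[] salt = (byte[])dr["pwdsalt"];
                byte[] stored = (byte[])dr["pwdhash"];
                return FixedTimeEquals(HashPassword(password, salt), stored);
            }
        }
    }
}
```

In btnLogin_Click, call Login.TryLogin(connStr, txtUsername.Text, cboUsertype.Text, txtPassword.Text) and show frmMain on true; the one "Invalid UserName or Password" message goes in the else branch, outside any reader check, so it always appears on failure.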

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
