I'm trying to match the user's name, surname and password input against the database where they registered, but I'm getting the following when I press the login button:

"Syntax error (missing operator) in query expression '[name]','jordan''."

I just need a little help as I'm new to this and need a push in the right direction; any books or articles will also help. Thanks in advance.

The Code:
C#
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.OleDb;

public partial class login : System.Web.UI.Page
{
    // create connection object
    private static OleDbConnection GetConnection()
    {
        String connString;
        connString = @"Provider=Microsoft.JET.OLEDB.4.0;Data Source=C:\Users\Wisal\Documents\Visual Studio 2012\WebSites\WebSite3\registration-Db.mdb";

        return new OleDbConnection(connString);

    }
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void loginButtn_Click(object sender, EventArgs e)
    {
        OleDbConnection myConnection = GetConnection();


        try
        {
            myConnection.Open();
            Console.WriteLine("Connection Opened");
            String checkUser = "select count(*) from client where [name]" + "','" + nameloginBox.Text + "'";

            OleDbCommand myCommand = new OleDbCommand(checkUser, myConnection);
            myCommand.ExecuteNonQuery();     // error occurs here when login button is pressed: Syntax error (missing operator) in query expression '[name]','jordan''.
            myConnection.Close();
            {

                myConnection.Open();
                String checkname = "select count(*) from client where surname" + snameloginBox.Text + "'";

                OleDbCommand checkSname = new OleDbCommand(checkUser, myConnection);
                checkSname.ExecuteNonQuery();
                myConnection.Close();
                {
                    myConnection.Open();
                    String checkPassword = "select count(*) from client where [password]" + passwrdloginBox + "'";

                    OleDbCommand passComm = new OleDbCommand(checkPassword, myConnection);
                    String password = passComm.ExecuteNonQuery().ToString().Replace(" ","");
                    if (password == passwrdloginBox.Text)
                    {
                        Session[""] = nameloginBox.Text;
                        Response.Write("Password Correct");
                    }
                    else
                    {
                        Response.Write("Password Incorrect");
                    } 
                    

                }
            }
        }


        finally
        {
            myConnection.Close();
        }
    }
}
Comments
Richard Deeming 26-Nov-15 13:21pm    
Also, you're storing passwords in plain-text. That's an extremely bad idea. You should only ever store a salted hash of the user's password.

Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
Our password hashing has no clothes - Troy Hunt
Member 12169192 26-Nov-15 13:29pm    
That's brilliant, I'll have a read! Thank you

Firstly, the SQL query syntax was incorrect - that is why you were getting the error.
As you don't need a column value from the query, it is better to use ExecuteScalar().

Secondly, it is recommended to make the query safe; otherwise it is open to SQL injection.

C#
OleDbCommand myCommand = new OleDbCommand(checkUser, myConnection);
myConnection.Open();
String checkPassword = "select count(*) from client where [password] = ?";

OleDbCommand passComm = new OleDbCommand(checkPassword, myConnection);
OleDbParameter p1 = new OleDbParameter();
p1.Value = passwrdloginBox.Text;
passComm.Parameters.Add(p1);

int rowsAffected = (int)passComm.ExecuteScalar();

if (rowsAffected > 0)
{
	Session[""] = nameloginBox.Text;
	Response.Write("Password Correct");
}
else
{
	Response.Write("Password Incorrect");
} 
Comments
Member 12169192 26-Nov-15 13:27pm    
@Manas_Kumar I just applied the changes to the password check and I'm still getting the same error.
The error gets caught at myCommand.ExecuteNonQuery(); under OleDbCommand myCommand = new OleDbCommand(checkUser, myConnection); Thanks
[no name] 26-Nov-15 13:35pm    
Just try to partially copy/paste my code, because checkUser and myConnection are already defined in your code.

There is a typo; the comma should be an equal sign. The error message tells you exactly what the problem is (missing operator) and where it occurs.
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
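The parameterized query from the first answer and the salted hash from Richard Deeming's comment can be combined into one login check. This is an added example, not code from the original posts. It assumes a hypothetical `[password_hash]` column in `client`, a `LoginCheck` class name, PBKDF2 parameters chosen for illustration, and .NET Framework 4.7.2 or later for the `HashAlgorithmName` constructor overload.

```csharp
using System;
using System.Data.OleDb;
using System.Security.Cryptography;

public static class LoginCheck
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100000; // assumed, not from the page

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    // Run at registration; store the result instead of the plain-text password.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Derive(password, salt));
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = (stored ?? "").Split(':');
        if (parts.Length != 2) return false;
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[0]); expected = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        if (salt.Length < 8) return false;            // Rfc2898DeriveBytes rejects shorter salts
        byte[] actual = Derive(password, salt);
        int diff = expected.Length ^ actual.Length;   // compare without an early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // One parameterized query on an open connection; OleDb binds "?" by position.
    // [password_hash] is a hypothetical column holding HashPassword() output.
    public static bool CheckLogin(OleDbConnection conn, string name, string surname, string password)
    {
        using (var cmd = new OleDbCommand(
            "SELECT [password_hash] FROM client WHERE [name] = ? AND surname = ?", conn))
        {
            cmd.Parameters.AddWithValue("?", name);
            cmd.Parameters.AddWithValue("?", surname);
            return VerifyPassword(password, cmd.ExecuteScalar() as string); // null if no row
        }
    }
}
```

The click handler would call `LoginCheck.CheckLogin(myConnection, nameloginBox.Text, snameloginBox.Text, passwrdloginBox.Text)` after opening the connection, so user input never becomes part of the SQL text.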