Hi, I want my login form to verify if the user name and password are in the database; then it should display frmMain, and if not, it should display "Invalid UserName or Password".

It works if the user name and password are right, but displays nothing if the user name and password are wrong.
Please help me out.


C#
private void btnLogin_Click(object sender, EventArgs e)
        {
            if (string.IsNullOrEmpty(this.txtUsername.Text) | string.IsNullOrEmpty(this.txtPassword.Text))
            {
                MessageBox.Show("provide User Name and Password");
            }

            if (string.IsNullOrEmpty(cboUsertype.Text))
            {
                MessageBox.Show("Select User Type");
            }
            

            SqlConnection conn = new SqlConnection();
            conn.ConnectionString = "Data Source=pc101;Initial Catalog=SMS;User ID=sa;Password=mike";
            conn.Open();

            string UserName = txtUsername.Text;
            string Password = txtPassword.Text;
            string UserType = cboUsertype.Text;

            SqlCommand cmd = new SqlCommand("SELECT * FROM tbluser WHERE username = '" + txtUsername.Text + "' and usertype = '" + cboUsertype.Text + "' and mypassword = '" + txtPassword.Text + "'", conn);

            SqlDataAdapter da = new SqlDataAdapter(cmd);
            DataTable dt = new DataTable();
            da.Fill(dt);

            System.Data.SqlClient.SqlDataReader dr = null;
            dr = cmd.ExecuteReader();
         
            if (dr.Read())
            {
                SqlConnection con = new SqlConnection(ConfigurationSettings.AppSettings["ConnectionString"]);
                con.ConnectionString = "Data Source=pc101;Initial Catalog=SMS;User ID=sa;Password=mike";
                con.Open();

                if (this.cboUsertype.Text == dr["UserType"].ToString() & this.txtUsername.Text == dr["UserName"].ToString() & this.txtPassword.Text == dr["mypassword"].ToString() & this.cboUsertype.Text == "Data Entry Clerk")
                 {
                     MessageBox.Show("*** Login Successful ***");
                     frmMain f = new frmMain();
                     f.Show();
                    // f.CreateUserAccountToolStripMenuItem.Enabled = false;
                     this.Hide();
                 }

                  else if (this.cboUsertype.Text == dr["UserType"].ToString() & this.txtUsername.Text == dr["UserName"].ToString() & this.txtPassword.Text == dr["mypassword"].ToString())
                 {
                     MessageBox.Show("*** Login Successful ***");
                     frmMain g = new frmMain();
                     g.Show();
                     this.Hide();
                 }

                 else
                 {
                    MessageBox.Show("Invalid UserName or Password", "Login", MessageBoxButtons.OK, MessageBoxIcon.Information);
                     MessageBox.Show("Access Denied!!");
                   
                 }              
            }
        }
Updated 3-Jul-21 7:12am
Comments
[no name] 3-Mar-12 10:27am    
Format your code snippets when posting
Member 12389023 13-Mar-16 14:06pm    
Could you please add frontend design screenshots

Don't EVER accept unvalidated user input and concatenate a SQL command. EVER. Read about SQL injection attacks.

Learn about the using clause, as in

using(SqlCommand cmd = new SqlCommand(...))
{

}


You're creating and opening two SqlConnection and never using the second one. Why?

Write a stored procedure that accepts the username and password and returns a value indicating if they are valid. Much simpler, much cleaner.
 
Comments
Sergey Alexandrovich Kryukov 3-Mar-12 18:59pm    
Good points, a 5.
Again, I added a reference on SQL injection and other clarifications in my answer.
--SA
In addition to the answers by Griff and Mark, see this:
http://en.wikipedia.org/wiki/SQL_injection.

Now, about using Griff's advice on cryptographic hash algorithm. I need to add a warning against using MD5.

First of all, the password is never stored anywhere. Don't you see that storing of the password is wrong and totally insecure?

You never need a password in its original form for authentication. One of the usual and simple techniques is using a cryptographic hash function of a password. You store only a password hash in your database, calculate a password hash based on the user input each time the user tries to authenticate, and compare the newly calculated hash value with the hash value stored in your database. A good hash function is practically infeasible to invert, so no one can calculate the original password even having full access to the database.

Please see:
http://en.wikipedia.org/wiki/Cryptographic_hash_function.

Don't use MD5 for any security: this algorithm is considered broken, please see:
http://en.wikipedia.org/wiki/MD5.

Instead, you can use one of the Secure Hash Algorithms (SHA):
http://en.wikipedia.org/wiki/SHA2.

The classes implementing those algorithms are available in .NET:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx.

If you want to perform the calculation of the cryptographic hash function in .NET only, it means on the server side only, and it means that the original password still has to be passed through the network, so a spy can pick it up. Therefore, safe authentication should only use the secure HTTPS protocol, not HTTP.

Please see:
http://en.wikipedia.org/wiki/HTTPS.

—SA
 
Comments
Mohamed Mitwalli 26-Jul-12 4:23am    
5+
Sergey Alexandrovich Kryukov 27-Jul-12 17:01pm    
Thank you, Mohammed.
--SA
Please don't do that.
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.

Other than that, all you need is to show the form:
C#
if (sucessfullLogin)
   {
   frmMain f = new frmMain();
   Hide();
   f.ShowDialog();
   Show();
   }
 
Comments
mikeoabban 3-Mar-12 10:36am    
thanks a lot
i'll try it now
Sergey Alexandrovich Kryukov 3-Mar-12 18:58pm    
Good points, but...
I took a look at your article on password storage. I would warn against MD5 -- it's considered broken. So I voted 4 and added my answer: some clarifications on password storage, a warning against MD5 and a reference on SQL injection.
--SA
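
The parameterized query and `using` advice from the answers above, applied to the question's `tbluser` lookup, as an added example that is not code from any poster in this thread. `LoginCheck`, `TryLogin` and the `verifyHash` callback are hypothetical names, and `mypassword` is assumed to hold a password hash rather than clear text.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginCheck   // hypothetical helper class
{
    // Checks the fields first, then the credentials. The click handler shows
    // `message` and opens frmMain only when this returns true.
    public static bool TryLogin(string connectionString, string userName,
        string userType, string password,
        Func<string, string, bool> verifyHash, out string message)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
        {
            message = "provide User Name and Password";
            return false;               // stop here; do not query
        }
        if (string.IsNullOrEmpty(userType))
        {
            message = "Select User Type";
            return false;
        }
        bool ok = IsValidLogin(connectionString, userName, userType, password, verifyHash);
        message = ok ? "*** Login Successful ***" : "Invalid UserName or Password";
        return ok;
    }

    static bool IsValidLogin(string connectionString, string userName,
        string userType, string password, Func<string, string, bool> verifyHash)
    {
        // Placeholders only: the SQL text is constant whatever the user types.
        const string sql = "SELECT mypassword FROM tbluser " +
                           "WHERE username = @username AND usertype = @usertype";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // NVarChar(50) is an assumed column size; match the real schema.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@usertype", SqlDbType.NVarChar, 50).Value = userType;
            conn.Open();
            object stored = cmd.ExecuteScalar();
            // null = no matching row, DBNull = row with NULL in the column.
            if (stored == null || stored is DBNull)
                return false;
            // mypassword is assumed to hold a password hash, not clear text.
            return verifyHash(password, (string)stored);
        }
    }
}
```

A wrong user name yields no row, so `TryLogin` still returns false with the "Invalid UserName or Password" message for the caller to display.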

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


