couldn't get the exact value from the database

Question

0.00/5 (No votes)

See more:

After login,i want to change the label.Text to tom jerry,
but the output shows m_fnm_sn the two column names instead of the exact value that i wanted to show.

Thanks for the help, here are the table and code.

m_ac m_pw m_fn m_ln
test test tom jerry

C#

private void Login_Button_Click(object sender, EventArgs e) { MySqlConnection conn = new MySqlConnection(connectionString); conn.Open(); MySqlCommand cmd = new MySqlCommand("select 'm_ac','m_pw','m_fn','m_ln' from member where m_ac='" + username_textBox.Text + "' and m_pw='" + password_textBox.Text + "'", conn); MySqlDataReader dr; dr = cmd.ExecuteReader(); while(dr.Read()) { string fn = dr.GetString("m_fn"); string ln = dr.GetString("m_ln"); label1.Text = ac+ln; } }

Posted 26-Mar-15 9:42am

Member 11558504

Updated 26-Mar-15 21:42pm

Add a Solution

Comments

Richard Deeming 26-Mar-15 16:26pm

As mentioned in Solution #1, your code is vulnerable to SQL Injection[^].

NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

You also appear to be storing passwords in plain text. That's an extremely bad idea. You should only ever store a salted hash of the user's password:
Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sascha Lefèvre · Answer 1 · 2015-03-26T09:59:00

In MySQL object names (table names, column names...) are quoted with backticks: `

You're using single quotes, so you're actually selecting string constants instead of columns.

So do this instead:

SQL

select `m_ac`,`m_pw`,`m_fn`,`m_ln`  ...

Additional suggestions:
- Use SQL-Parameters instead of concatenating your query-string
- Use intuitive column names - the times where column names could only be 8 characters or so are over ;)
- Use using-Blocks for the Connection-, Command and DataReader-Objects
- Use either the Interface-versions or the abstract baseclasses instead of the database-specific classes (e.g. IDbConnection or DbConnection instead of MySqlConnection) - which will allow you to easily switch to another database system if required or re-use your code in another project where you'll use another database-system:

C#

using (DbConnection conn = new MySqlConnection(connectionString))
{
    conn.Open();

    using (DbCommand cmd = conn.CreateCommand())
    {
        cmd.Connection = conn;
        cmd.CommandText = "select ....";

        using (DbDataReader dr = cmd.ExecuteReader())
        {
            // ...
        }
    }
}

In the above example you would only have to make one change to use it for SQL-Server or some other database system. If you would use a DbProviderFactory[^] to create your Db*****-Objects, you wouldn't have to change anything.
Obtaining a DbProviderFactory[^]

Edit after comment:

cmd.CommandText = "select `m_ac`,`m_pw`,`m_fn`,`m_ln` from member where m_ac=`" + username_textBox.Text + "` and m_pw=`" + password_textBox.Text + "`";

An unhandled exception occurred in MySql.Data.dll
Additional information: Unknown column 'test' in 'where clause'

When quoting "things" in a query string you have to differentiate between object names (table names, column names) and string literals (your TextBox-inputs). Object names are quoted with backticks in MySQL, string literals are quoted with single quotes. Object names only have to be quoted if they otherwise would collide with a MySQL-reserved-keyword (e.g. a table or column named "select" or "from"). String literals have to be quoted always.

You quoted your TextBox-inputs with backticks, so MySQL interpreted it as column-names and couldn't find the column named "test".

Your query string-construction can either look like this:

C#

cmd.CommandText = "select `m_ac`, `m_pw`, `m_fn`, `m_ln` from `member` where `m_ac`='" + username_textBox.Text + "' and `m_pw`='" + password_textBox.Text + "'";

or like this:

C#

cmd.CommandText = "select m_ac, m_pw, m_fn, m_ln from member where m_ac='" + username_textBox.Text + "' and m_pw='" + password_textBox.Text + "'";

If you would use SQL-Parameters, it could look like this and you wouldn't have to bother with quoting string literals (on top of other benefits like avoiding the risk of SQL-injection and better readibility):

C#

cmd.CommandText = "select m_ac, m_pw, m_fn, m_ln from member where m_ac=?user and m_pw=?pw";