Hi to all,
I am working on a login form having two labels named customer id and password.
What I want is: when I enter the customer id and password in the textboxes and click on the login button, the customer id and password will be selected from any row of my table named customer_detail, and when I apply the condition, a message box shows "login is successful".
I applied the following code for selecting one row, as shown below:
private void btnlog_Click(object sender, EventArgs e)
        {         
            cmd = new SqlCommand("select userid,password from customer_details where userid='" + txtcustid.Text + "'", con);
            
            SqlDataAdapter da = new SqlDataAdapter(cmd);
            DataSet ds = new DataSet();
            da.Fill(ds);
            string custid;
            string password;
            custid = ds.Tables[0].Rows[0][0].ToString();
            password = ds.Tables[0].Rows[0][1].ToString();
            if (custid == txtcustid.Text && password == txtpswd.Text)
            {
                MessageBox.Show("login successful");
                this.Hide();
                product_at_warehouse thirdform;
                thirdform = new product_at_warehouse();
                thirdform.Show();
            }
            else
            {
                MessageBox.Show("login failed: Enter valid username or password");
            }
            
           
               // cmd.ExecuteNonQuery();
            
            }

Please help me out of this.
kudos
neaS
Updated 1-Aug-11 22:41pm
Comments
Toniyo Jackson 2-Aug-11 3:44am
   
Now, what is the problem/error?
[no name] 2-Aug-11 3:44am
   
What is the Error/Problem you are facing in this?

There are some problems with the code.

If the SELECT statement does not find any rows, a Null exception will be thrown when you access the DataSet under
C#
custid = ds.Tables[0].Rows[0][0].ToString();


Replace DataSet with DataTable, and do a check on DataTable.Rows.Count to see if there are any rows returned by the SELECT statement.

Use SqlParameter and stop creating SQL strings like the one you do now.
See "Give me parameterized SQL, or give me death".
   
Comments
[no name] 2-Aug-11 3:53am
   
Agree. 5!
Kim Togo 2-Aug-11 3:54am
   
Thanks
Try this

private void btnlog_Click(object sender, EventArgs e)
        {         
            cmd = new SqlCommand("select userid,password from customer_details where userid='" + txtcustid.Text + "' and password='"+txtpswd.Text+"'", con);
            
            SqlDataAdapter da = new SqlDataAdapter(cmd);
            DataSet ds = new DataSet();
            da.Fill(ds);
            string custid;
            string password;
            custid = ds.Tables[0].Rows[0][0].ToString();
            password = ds.Tables[0].Rows[0][1].ToString();
            if (custid == txtcustid.Text && password == txtpswd.Text)
            {
                MessageBox.Show("login successful");
                this.Hide();
                product_at_warehouse thirdform;
                thirdform = new product_at_warehouse();
                thirdform.Show();
            }
            else
            {
                MessageBox.Show("login failed: Enter valid username or password");
            }
            
           
               // cmd.ExecuteNonQuery();
            
            }
   
There are a whole load of things wrong here: The first being "do not concatenate your strings". Google for "Sql Injection Attack" and then change to parametrized queries before you accidentally or deliberately destroy your database.

Second: Don't store your passwords in text. There is a Tip here which describes a better way: "Password Storage: How to do it."

Third: Why are you returning the customer ID in your SELECT statement, when you only ask for the values which match it?
Isn't the test
C#
if (custid == txtcustid.Text && password == txtpswd.Text)
kinda redundant?

Fourth: What problem are you having?
   
Hey, I tried a stored procedure rather than selecting values directly from the SQL table, but I am still not able to apply the condition. This is my code now:

con.Open();

cmd = new SqlCommand("selectcust", con);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("@userid", SqlDbType.VarChar).Value = txtcustid.Text;
cmd.Parameters.Add("@password", SqlDbType.VarChar).Value = txtpswd.Text;
SqlDataReader reader = cmd.ExecuteReader();
con.Close();

if (txtcustid.Text== "@userid"&& txtpswd.Text=="@password")
{
MessageBox.Show("login successful");
this.Hide();
product_at_warehouse thirdform;
thirdform = new product_at_warehouse();
thirdform.Show();
}
else
{
MessageBox.Show("login failed: Enter valid username or password");
}




}
Here selectcust is my stored procedure name. Whenever I enter the correct username and password, it always shows the message "invalid username or password". I checked with the debugger; my values are never null.
What is wrong with the coding?
Please do help me.
   
Instead of using "SqlDataReader reader = cmd.ExecuteReader();",
fill a data table:

using (SqlDataReader myReader = myCommand.ExecuteReader())
{
DataTable myTable = new DataTable();
myTable.Load(myReader);
con.Close();

}
And now check. You must have values in the data table "myTable" if the credentials are correct.


Thanks
Mahesh
http://helpondesk.blogspot.com/
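
An added example, not code from any of the posts, covering both the SqlParameter and Rows.Count advice in the first answer and the DataTable advice just above: the command is built with bound parameters, the result is read before the connection closes, and the login decision is made from the rows returned. The class and method names, the parameter length of 50 and the behaviour of selectcust are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

static class LoginQueries
{
    // The question's text query, with the user id bound as a parameter
    // instead of concatenated into the SQL string.
    public static SqlCommand ByUserId(SqlConnection con, string userId)
    {
        var cmd = new SqlCommand(
            "select userid, password from customer_details where userid = @userid", con);
        // Length 50 is an assumed column width; match the real column definition.
        cmd.Parameters.Add("@userid", SqlDbType.VarChar, 50).Value = userId;
        return cmd;
    }

    // The follow-up's stored procedure. Assumption: selectcust returns the rows
    // that match both parameters (its body is not shown on the page).
    public static SqlCommand BySelectCust(SqlConnection con, string userId, string password)
    {
        var cmd = new SqlCommand("selectcust", con);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@userid", SqlDbType.VarChar, 50).Value = userId;
        cmd.Parameters.Add("@password", SqlDbType.VarChar, 50).Value = password;
        return cmd;
    }

    // Reads the whole result set while the connection is open, then closes it.
    public static DataTable Load(SqlCommand cmd)
    {
        var table = new DataTable();
        cmd.Connection.Open();
        try
        {
            using (SqlDataReader reader = cmd.ExecuteReader())
                table.Load(reader);
        }
        finally
        {
            cmd.Connection.Close();
        }
        return table;
    }

    // Null means "no matching row": callers test for null instead of indexing Rows[0].
    public static DataRow FirstRowOrNull(DataTable table)
    {
        return table.Rows.Count > 0 ? table.Rows[0] : null;
    }
}
```

In the click handler, a null from `FirstRowOrNull(Load(...))` is the login-failed branch; the textbox text is never compared with parameter names such as "@userid".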
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



