VB2010 error "a first chance exception of type 'system.invalidoperationexception' occurred in system.data.dll "

Question

0.00/5 (No votes)

See more:

Hi, I got this error in my Immediate Window when I try to debug. I am trying to insert data into a table in Microsoft Access. Also it seems that I failed to connect to database. Here is the code that I have.

Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click
' Check if username or password is empty
If PasswordTextBox.Text = "" Or UsernameTextBox.Text = "" Then
MessageBox.Show("Please complete the required fields..", "Authentication Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
Else
' Both fields was supply
' Check if user exist in database
' Connect to DB
Dim conn As New System.Data.OleDb.OleDbConnection()
conn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\user1\Documents\PutLock.accdb"

Try
'conn.Open()
'MsgBox("Success")

Dim sql As String = "SELECT * FROM PutLockSignUp WHERE Username='" & UsernameTextBox.Text & "' AND Password = '" & PasswordTextBox.Text & "'"
Dim sqlCom As New System.Data.OleDb.OleDbCommand(sql, conn)

'Open Database Connection
sqlCom.Connection = conn
conn.Open()

Dim sqlRead As System.Data.OleDb.OleDbDataReader = sqlCom.ExecuteReader()

If sqlRead.Read() Then
Form2.Show()
Me.Hide()

Else
' If user enter wrong username and password combination
' Throw an error message
MessageBox.Show("Username and Password do not match..", "Authentication Failure", MessageBoxButtons.OK, MessageBoxIcon.Exclamation)

'Clear all fields
PasswordTextBox.Text = ""
UsernameTextBox.Text = ""

'Focus on Username field
UsernameTextBox.Focus()
End If

Catch ex As Exception
MessageBox.Show("Failed to connect to Database..", "Database Connection Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
End Try

End If
End Sub

What I have tried:

I have tried searching for solution in google but I couldnt understand some of the explanation as I am still new in VB.NET. Btw, this is my school assignment. Please help me.

Posted 29-Jul-16 6:18am

dyooshi

Updated 29-Jul-16 6:44am

Add a Solution

Comments

Richard Deeming 29-Jul-16 12:54pm

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

Richard Deeming 29-Jul-16 12:54pm

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

Richard Deeming 29-Jul-16 12:55pm

And you're currently throwing away all of the useful details from the exception that you've caught, and displaying a generic error message instead. Remove that handler, or log the exception somewhere, so that you can get to the root cause of the problem.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

OriginalGriff · Accepted Answer · 2016-07-29T06:44:00

There are several things very wrong here.
The first is that you should never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Concatenating strings as part of your login procedure is spectacularly dumb, as it lets anyone do what they want to your DB without even having a valid login. Or indeed bypassing your login completely...

The second is as bad: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^] - it's in C# rather than VB, but it pretty simple to understand.

Fix them, and the problem you have noticed will probably go away at the same time...