I'm having a problem with my login form with data log; it keeps getting stuck. Need help please, thank you.

What I have tried:

Private Sub loginbtn_Click(sender As System.Object, e As System.EventArgs) Handles loginbtn.Click
        Dim sqlconn As New MySqlConnection
        sqlconn.ConnectionString = "server=localhost;user id=root;password=;database=issa"
        Dim reread As MySqlDataReader
 
        Try
            sqlconn.Open()
            Dim query As String
 
            ' Still built by string concatenation and still comparing clear-text passwords (see the solutions below)
            query = "SELECT * from usersetup where Username='" & usernametxtbx.Text & "'and Password = '" & passtxbx.Text & "'"
            Dim commando As New MySqlCommand(query, sqlconn)
            reread = commando.ExecuteReader
            Dim coount As Integer = 0
            Dim restriction As String = ""
 
            ' Capture Restriction while a row is current: once Read returns False the reader has no current row
            While reread.Read
                coount = coount + 1
                restriction = reread.Item("Restriction").ToString()
            End While
            ' The connection can serve only one open reader at a time, so close it before the next command
            reread.Close()
 
            Dim strSQL As String = "Insert into datalogin (Username, Date, Time) values ('" & usernametxtbx.Text & "','" & date1.Text & "', '" & time1.Text & "')"
            Dim logCmd As New MySqlCommand(strSQL, sqlconn)
            logCmd.ExecuteNonQuery()
            usernametxtbx.Text = ""
            passtxbx.Text = ""
 
            If coount = 1 Then
                If restriction = "Admin" Then
                    MessageBox.Show(" Login Successful as ADMIN. . . ")
                    officialpage.Show()
                    Me.Hide()
                Else
                    MessageBox.Show(" Login Successful as GUEST. . . ")
                    guestpublic.Show()
                    Me.Hide()
                End If
            ElseIf coount > 1 Then
                MessageBox.Show("Record Duplicated...")
            Else
                MessageBox.Show("Log in failed... Either Username or Password is not correct...")
            End If
            sqlconn.Close()
        Catch ex As Exception
        End Try
 
    End Sub
Posted 4-Aug-17 22:28pm
Updated 5-Aug-17 3:16am
Comments
RickZeeland 5-Aug-17 6:47am
And how did you define the fields Date and Time in your datalogin table?

Solution 1

Don't do it like that!
There are two serious problems with that code, and the two are interrelated:
1) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack, which can destroy your entire database. Use parametrized queries instead.

2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it. - the code is in C#, but it's pretty simple, and online converters can translate it for you if necessary.

Put the two problems together and your login is useless: I can bypass your security and log in as you with full admin privileges just by entering my username as
Member 13347171';--
and leaving the password box empty.

Fix it here, fix it in the rest of your code and then worry about the problem you have noticed.

And stop swallowing exceptions: empty catch blocks just throw away all the information you need to fix a problem!

Solution 2

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user inputting a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: with a malicious user input, it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
Quote:
query = "SELECT * from usersetup where Username='" & usernametxtbx.Text & "'and Password = '" & passtxbx.Text & "'"

Example:
passtxbx.Text= "abc' or '1'='1"

your query is
... "'and Password = 'abc' or '1'='1'"

and will always be accepted as a valid password, whatever the real password is.
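To make both solutions concrete, here is an added example that is not part of either answer or the asker's project. It is written in Python against an in-memory SQLite table (constructed to stand in for the page's MySQL usersetup table, with a single Admin row) so it runs offline; the SQL has the same shape as the VB.NET query. It shows the concatenated lookup accepting the password from Solution 2 and crashing on a name with an apostrophe, the parameterized lookup rejecting both, and the salted-hash storage Solution 1 recommends (PBKDF2-HMAC-SHA256 is assumed here; the linked article may use a different scheme). The function and table names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data standing in for the page's MySQL "usersetup" table.
USERS = [("Admin", "secret", "Admin")]

PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries everything needed to verify it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """In-memory database with the page's clear-text table and a hashed-password table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usersetup (Username TEXT, Password TEXT, Restriction TEXT)")
    conn.execute("CREATE TABLE usersetup_hashed (Username TEXT, PasswordHash TEXT, Restriction TEXT)")
    for name, pw, role in USERS:
        conn.execute("INSERT INTO usersetup VALUES (?, ?, ?)", (name, pw, role))
        conn.execute("INSERT INTO usersetup_hashed VALUES (?, ?, ?)", (name, hash_password(pw), role))
    return conn


def login_concatenated(conn, username, password):
    """The page's pattern: user input spliced into the SQL text. Returns the matching rows."""
    query = ("SELECT * FROM usersetup WHERE Username='" + username
             + "' AND Password='" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Same lookup with placeholders: values travel separately from the SQL text,
    so quotes and keywords inside them are data, never SQL."""
    query = "SELECT * FROM usersetup WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchall()


def login_secure(conn, username, password):
    """Parameterized lookup by username only, then hash verification in application code.
    Returns the Restriction (role) on success, None otherwise."""
    row = conn.execute(
        "SELECT PasswordHash, Restriction FROM usersetup_hashed WHERE Username=?",
        (username,),
    ).fetchone()
    if row is None or not verify_password(row[0], password):
        return None
    return row[1]


if __name__ == "__main__":
    db = make_db()
    payload = "abc' or '1'='1"  # the password value from Solution 2
    print("concatenated, injected password:", len(login_concatenated(db, "Admin", payload)), "row(s)")
    print("parameterized, injected password:", len(login_parameterized(db, "Admin", payload)), "row(s)")
    print("hashed + parameterized, real password:", login_secure(db, "Admin", "secret"))
    print("hashed + parameterized, injected password:", login_secure(db, "Admin", payload))
```

In the VB.NET code from the question the same change is to write the query with named placeholders such as `@user` and `@pass` and attach the textbox values with `commando.Parameters.AddWithValue("@user", usernametxtbx.Text)` before calling `ExecuteReader`; the comparison of the submitted password against the stored hash then happens in your code, not in the WHERE clause.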

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)