I am having a problem with my login form with a data log: it keeps getting stuck. I need help, please. Thank you.

What I have tried:

VB
Private Sub loginbtn_Click(sender As System.Object, e As System.EventArgs) Handles loginbtn.Click
        sqlconn = New MySqlConnection
        sqlconn.ConnectionString = "server=localhost;user id=root;password=;database=issa"
        Dim reread As MySqlDataReader

        Try
            sqlconn.Open()
            Dim query As String

            query = "SELECT * from usersetup where Username='" & usernametxtbx.Text & "'and Password = '" & passtxbx.Text & "'"
            commando = New MySqlCommand(query, sqlconn)
            reread = commando.ExecuteReader
            Dim coount As Integer = 0

            While reread.Read
                coount = coount + 1
            End While

            strSQL = "Insert into datalogin (Username, Date, Time) values ('" & usernametxtbx.Text & "','" & date1.Text & "', '" & time1.Text & "')"
            Dim dd As New MySqlDataAdapter(strSQL, CONNECTION)
            dd.Fill(dss)
            usernametxtbx.Text = ""
            passtxbx.Text = ""

           
            If coount = 1 Then
                
                If (reread.Item("Restriction").ToString()) = "Admin" Then
                    MessageBox.Show(" Login Successfull as ADMIN. . . ")
                    officialpage.Show()
                    Me.Hide()
                Else
                    MessageBox.Show(" Login Successfull as GUEST. . . ")
                    guestpublic.Show()
                    Me.Hide()

                End If

            ElseIf coount = 1 Then
                MessageBox.Show("Record Duplicated...")
            Else
                MessageBox.Show("Log in failed... Either Username or Password is not correct...")
            End If
            sqlconn.Close()
        Catch ex As Exception
        End Try

    End Sub
Updated 5-Aug-17 2:16am
Comments
RickZeeland 5-Aug-17 6:47am    
And how did you define the fields Date and Time in your datalogin table ?

Don't do it like that!
There are two serious problems with that code, and the two are interrelated:
1) Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it. - the code is in C#, but it's pretty simple, and online converters can translate it for you if necessary.

Put the two problems together and your login is useless: I can bypass your security and log in as you with full admin privileges just by entering my username as
Member 13347171';--
and leaving the password box empty.

Fix it here, fix it in the rest of your code and then worry about the problem you have noticed.

And stop swallowing exceptions: empty catch blocks just throw away all the information you need to fix a problem!
Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user input of a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
Quote:
VB
query = "SELECT * from usersetup where Username='" & usernametxtbx.Text & "'and Password = '" & passtxbx.Text & "'"

Example:
VB
passtxbx.Text= "abc' or '1'='1"

your query is
VB
... "'and Password = 'abc' or '1'='1'"

and will always be accepted as a valid password, whatever the real password is.
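
The parameterized form both answers call for, as an added example that is not code from the question or from either answerer. It assumes binary `PasswordHash` and `PasswordSalt` columns on `usersetup` (not in the posted schema), a placeholder connection account, and PBKDF2 via `Rfc2898DeriveBytes` as the hashing choice made here (the `HashAlgorithmName` overload needs .NET Framework 4.7.2 or later); the linked article may use a different scheme.

```vb
Imports System.Security.Cryptography
Imports MySql.Data.MySqlClient

Module LoginExample
    ' Placeholder connection string (assumed): a limited account instead of root with no password.
    Private Const ConnStr As String = "server=localhost;user id=app_login;password=CHANGE_ME;database=issa"

    ' Returns the user's Restriction value on success, Nothing on failure.
    ' No empty Catch: database errors propagate to the caller to be shown or logged.
    Function CheckLogin(username As String, password As String) As String
        Dim role As String = Nothing
        Using conn As New MySqlConnection(ConnStr)
            conn.Open()
            ' Input is bound as a parameter value and never becomes SQL text,
            ' so O'Conner or abc' or '1'='1 is compared as plain data.
            Using cmd As New MySqlCommand("SELECT Restriction, PasswordHash, PasswordSalt FROM usersetup WHERE Username = @user", conn)
                cmd.Parameters.AddWithValue("@user", username)
                Using rdr As MySqlDataReader = cmd.ExecuteReader()
                    ' Use the row while the reader is still positioned on it.
                    If rdr.Read() Then
                        Dim salt As Byte() = DirectCast(rdr("PasswordSalt"), Byte())
                        Dim stored As Byte() = DirectCast(rdr("PasswordHash"), Byte())
                        If HashMatches(password, salt, stored) Then role = rdr("Restriction").ToString()
                    End If
                End Using
            End Using
            If role IsNot Nothing Then
                ' Log successful logins only; the server supplies the date and time.
                Using logCmd As New MySqlCommand("INSERT INTO datalogin (Username, `Date`, `Time`) VALUES (@user, CURDATE(), CURTIME())", conn)
                    logCmd.Parameters.AddWithValue("@user", username)
                    logCmd.ExecuteNonQuery()
                End Using
            End If
        End Using
        Return role
    End Function

    ' PBKDF2-SHA256 with the stored salt; the loop compares without exiting early.
    Function HashMatches(password As String, salt As Byte(), stored As Byte()) As Boolean
        Using kdf As New Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256)
            Dim actual As Byte() = kdf.GetBytes(stored.Length)
            Dim diff As Integer = 0
            For i As Integer = 0 To actual.Length - 1
                diff = diff Or (actual(i) Xor stored(i))
            Next
            Return diff = 0
        End Using
    End Function
End Module
```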

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


