
I want to change this to a parameterized query

On Error Resume Next
        Dim timex As String
        Dim isigroup As DataTable
        objdata = New clsMSSQL
        isigroup = objdata.QueryDatabase("SELECT * FROM Userx WHERE Username='" & txtuser.Text & "' AND Userpass ='" & txtpassword.Text & "'")
        If isigroup.Rows.Count > 0 Then
            For i = 0 To isigroup.Rows.Count - 1
                If isigroup.Rows(i)("username") <> txtuser.Text Or isigroup.Rows(i)("userpass") <> txtpassword.Text Then
                    MsgBox("Access denied username and password !!!", MsgBoxStyle.Information, "Attention.....")
                    xcountx = xcountx + 1
                    If xcountx >= 3 Then
                        MsgBox("You have reach the maximum time of login !!", MsgBoxStyle.Exclamation, "Προσοχή.....")
                        End
                    End If
                    Exit Sub
                End If
            Next
            username = isigroup.Rows(0)("Username")
            xUser_ID = isigroup.Rows(0)("User_id")
            xUser_Access = isigroup.Rows(0)("Access_Type")
            timex = TimeOfDay
            isigroup = objdata.QueryDatabase("INSERT INTO Audit_Log (User_ID, Login) VALUES(" & xUser_ID & ", '" & timex & "')")
            isigroup = objdata.QueryDatabase("SELECT * FROM Audit_Log ORDER BY LOG_ID DESC")
            LOGID = isigroup.Rows(0)("LOG_ID")
            Audit_Trail(xUser_ID, TimeOfDay, "Login to system ")

I tried a lot but I can't make it work, please help.

This is the class

Imports System.Data.SqlClient

Public Class clsMSSQL

    ' constring is assumed to be defined elsewhere in the project
    Public Shared con As New SqlConnection(constring)
    Private DbSwtable As DataTable

    Public Function QueryDatabase(ByVal Query As String) As DataTable

        Try
            Dim objDataSet As New DataSet
            Dim objDataTable As New DataTable
            ' The query text is executed verbatim, so any caller that concatenates user input into it is injectable
            Dim objDataAdapter As New SqlDataAdapter(Query, con)
            objDataAdapter.Fill(objDataSet, "DefaultTable")
            objDataTable = objDataSet.Tables("DefaultTable")
            con.Close()

            Return objDataTable
        Catch ex As Exception
            MessageBox.Show(ex.Message, "Λάθος", MessageBoxButtons.OK, MessageBoxIcon.Error)

            Return DbSwtable
        End Try
    End Function
End Class
  • What is this clsMSSQL? Commented Jun 29, 2013 at 14:56
  • It is a class for the connection. Commented Jun 29, 2013 at 14:58
  • Get rid of the On Error Resume Next - use Try Catch blocks. You need to post the code for QueryDatabase, as that is where your query appears to be executed and where you will do the parameterization. Commented Jun 29, 2013 at 14:58
  • How can I use this function in cmdLogin? Commented Jun 29, 2013 at 15:22
  • Something is wrong in objDataAdapter.SelectCommand = selectCmd Commented Jun 29, 2013 at 15:28

2 Answers

Edit the function QueryDatabase like this:

Add parameters username and password and use the SelectCommand Property of your DataAdapter. Also change the name of the Function from QueryDatabase to GetUserData.

Public Function GetUserData(username As String, password As String) As DataTable
    Try
        Dim objDataSet As New DataSet
        Dim objDataTable As New DataTable
        Dim sql As String = "SELECT * FROM Userx WHERE Username=@Username AND Userpass=@Userpass"
        Dim objDataAdapter As New SqlDataAdapter()
        Dim selectCmd As New SqlCommand(sql, con)
        ' Values are bound as typed parameters, not concatenated into the SQL text
        selectCmd.Parameters.Add("@Username", SqlDbType.VarChar).Value = username
        selectCmd.Parameters.Add("@Userpass", SqlDbType.VarChar).Value = password
        objDataAdapter.SelectCommand = selectCmd
        objDataAdapter.Fill(objDataSet, "DefaultTable")
        objDataTable = objDataSet.Tables("DefaultTable")
        con.Close()

        Return objDataTable
    Catch ex As Exception
        MessageBox.Show(ex.Message, "Λάθος", MessageBoxButtons.OK, MessageBoxIcon.Error)

        Return DbSwtable
    End Try
End Function

Then from the UI, call the function like this:

isigroup = objdata.GetUserData(txtuser.Text, txtpassword.Text)

6 Comments

Never use password, use password hash instead.
@jmoreno I agree. But I can't include everything in one answer, that would result in being too broad.
I know, but your example can do the right thing, even if you don't go into the reason WHY it is the right thing.
Your assumption could be wrong. If the question owner has no password hashes in his database, we can't help him with little effort. That's why I rather focus on answering the question appropriately, rather than ending up with an answer which covers all possible variants. ;)
If there's no hash, that is a bigger problem than not being able to use parameters.

Modified version of Fabian's answer: Edit the function QueryDatabase like this:

Add parameters for the username and the hash of the password and use the SelectCommand Property of your DataAdapter. Also change the name of the Function from QueryDatabase to GetUserData.

Public Function GetUserData(username As String, PassHash As String) As DataTable
    Try
        Dim objDataSet As New DataSet
        Dim objDataTable As New DataTable
        Dim sql As String = "SELECT * FROM Userx WHERE Username=@Username AND PassHash=@PassHash"
        Dim objDataAdapter As New SqlDataAdapter()
        Dim selectCmd As New SqlCommand(sql, con)
        ' Values are bound as typed parameters; the stored column holds a hash, never the clear-text password
        selectCmd.Parameters.Add("@Username", SqlDbType.VarChar).Value = username
        selectCmd.Parameters.Add("@PassHash", SqlDbType.VarChar).Value = PassHash
        objDataAdapter.SelectCommand = selectCmd
        objDataAdapter.Fill(objDataSet, "DefaultTable")
        objDataTable = objDataSet.Tables("DefaultTable")
        con.Close()

        Return objDataTable
    Catch ex As Exception
        MessageBox.Show(ex.Message, "Λάθος", MessageBoxButtons.OK, MessageBoxIcon.Error)

        Return DbSwtable
    End Try
End Function

Then from the UI, call the function like this:

isigroup = objdata.GetUserData(txtuser.Text, gethash(txtpassword.Text))

2 Comments

Hello my friend, I found BCrypt for hashing. I can store the password in the database but I don't know how to use it in cmdLogin. Can you help?
I know you've edited to include that you took your answer from Fabian's, but it's an extremely large amount of code you took from his. I'm not sure how comfortable the community would be with that.
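The two answers above bind the login values as parameters; the comments then ask how to combine that with a BCrypt hash in cmdLogin. The following is an added example, not code from either answer: it looks the user up by name with a parameterized query and verifies the password against the stored hash in application code, so the password itself never reaches SQL Server. The class name LoginRepository, the functions FindUser and Authenticate, the VarChar length of 50 and the use of BCrypt.Net.BCrypt.Verify (from the BCrypt.Net package the commenter mentioned) are assumptions; the table and column names come from the question and the second answer.

```vb
Imports System.Data
Imports System.Data.SqlClient

Public Class LoginRepository
    Private ReadOnly _connectionString As String

    ' constring from the question is passed in; a connection is opened per call
    ' instead of sharing the Public Shared con used by clsMSSQL.
    Public Sub New(connectionString As String)
        _connectionString = connectionString
    End Sub

    ' Looks the user up by name only; the password never travels to SQL Server.
    ' Columns follow the question (Userx, User_id, Access_Type) and the second answer (PassHash).
    Public Function FindUser(username As String) As DataRow
        Const sql As String = "SELECT User_id, Username, PassHash, Access_Type FROM Userx WHERE Username = @Username"
        Using con As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, con)
                ' Typed parameter (match the column's real type and length, assumed VarChar(50) here):
                ' the value is bound, never spliced into the SQL text.
                cmd.Parameters.Add("@Username", SqlDbType.VarChar, 50).Value = username
                Using adapter As New SqlDataAdapter(cmd)
                    Dim table As New DataTable()
                    adapter.Fill(table)
                    If table.Rows.Count = 0 Then Return Nothing
                    Return table.Rows(0)
                End Using
            End Using
        End Using
    End Function

    ' Compares the password with the stored hash in application code.
    ' BCrypt.Net.BCrypt.Verify is assumed available from the BCrypt.Net package named in the comments.
    Public Function Authenticate(username As String, password As String) As DataRow
        Dim row As DataRow = FindUser(username)
        If row Is Nothing Then Return Nothing
        If BCrypt.Net.BCrypt.Verify(password, CStr(row("PassHash"))) Then Return row
        Return Nothing
    End Function
End Class

' In the cmdLogin click handler (name taken from the comments), in place of the string-built SELECT:
' Dim repo As New LoginRepository(constring)
' Dim user As DataRow = repo.Authenticate(txtuser.Text, txtpassword.Text)
' If user Is Nothing Then
'     MsgBox("Access denied username and password !!!", MsgBoxStyle.Information, "Attention.....")
' Else
'     xUser_ID = CInt(user("User_id"))
'     xUser_Access = user("Access_Type")
' End If
```

The Audit_Log INSERT in the question should be parameterized the same way (User_ID as SqlDbType.Int, Login as SqlDbType.DateTime) rather than concatenated. A single hash check also replaces the question's second comparison of the clear-text password in VB after SQL has already matched it.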
