0

I wanted to create a function in which a user can guess a value from a MySQL database. label2 is randomly generated by other code, so the user has to guess the partner value of label2 by entering it in textBox1. I tried to use the usual login function for the code:

s = "SELECT val2 FROM data_reader.db WHERE val1='" + this.label2.Text + "'and image='" + this.textBox1.Text + "';";
int count = 0;

while (mdr.Read())
{
    count = count + 1;
}
if (count == 1)
{
    MessageBox.Show("correct");
}
else
{
    MessageBox.Show("wrong");
}

The problem with this code is that it always returns wrong even when the values are correct. Is there any missing algorithm, or maybe my code is not suitable for this purpose?

3
  • Maybe use if (count >= 1) instead of ==? Why are you counting if you expect there to be only one answer? Or can there be multiple rows with the same val1 and image values? Commented May 7, 2015 at 12:30
  • 1
    What's the relationship between s and mdr.Read()? Commented May 7, 2015 at 12:33
  • Please don't concatenate strings to form an SQL query. You are extremely open to SQL Injection attacks with this approach. en.wikipedia.org/wiki/SQL_injection Commented May 7, 2015 at 12:34

2 Answers

2

You forgot to insert a space character between the label2.Text value and the AND junction.

s = "SELECT val2 FROM data_reader.db WHERE val1='" + this.label2.Text 
    + "' AND image='" + this.textBox1.Text + "';";

1 Comment

Hi, I think there is something wrong with my MySQL query. I have a database which is data_reader.db, and I wanted to find the value of image (char, not filepath). val1 has been randomly generated, so I have to guess the image value... any idea?
0

OK, I'll help you with something else here.

First: a lesson I learned here: never use " + "; you should use AddWithValue on the query parameters, something like this:

cmd.CommandText = "SELECT val2 FROM data_reader.db WHERE val1 = @value1 and image=@image";
cmd.Parameters.Clear();
cmd.Parameters.AddWithValue("@value1", this.label2.Text);
cmd.Parameters.AddWithValue("@image", this.textBox1.Text);

It is easier to understand and more secure.

Second: You just need to use

if (mdr.Read())
{
    MessageBox.Show("Correct!");
}
else
{
    MessageBox.Show("Wrong!");
}

1 Comment

Hi, I think there is something wrong with my MySQL query. I have a database which is data_reader.db, and I wanted to find the value of image (char, not filepath). val1 has been randomly generated, so I have to guess the image value... any idea?
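
The two points of the answer above (bound parameters and a single Read() check), combined into one method that also shows where the reader comes from. This is an added example, not code from the original posts: GuessChecker, IsGuessCorrect and connectionString are hypothetical names, and it assumes MySQL Connector/NET and a reachable server holding the data_reader.db table from the question.

```csharp
using System;
using MySql.Data.MySqlClient; // MySQL Connector/NET (assumed driver)

static class GuessChecker // hypothetical helper, not from the original posts
{
    // Returns true when a row exists whose val1 and image match the inputs.
    // Both inputs are bound as parameters, so a quote or SQL keyword typed
    // into the textbox is compared as data and never becomes part of the
    // statement text.
    public static bool IsGuessCorrect(string connectionString, string val1, string guess)
    {
        const string sql =
            "SELECT val2 FROM data_reader.db WHERE val1 = @value1 AND image = @image";

        using (var conn = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@value1", val1);
            cmd.Parameters.AddWithValue("@image", guess);

            conn.Open();

            // The reader is produced by executing this command; that is the
            // link between the SQL text and Read().
            using (MySqlDataReader mdr = cmd.ExecuteReader())
            {
                // Read() is true if at least one matching row came back,
                // so no row counting is needed.
                return mdr.Read();
            }
        }
    }
}

// Usage from the form (connStr is a placeholder for your connection string):
//   bool ok = GuessChecker.IsGuessCorrect(connStr, label2.Text, textBox1.Text);
//   MessageBox.Show(ok ? "Correct!" : "Wrong!");
```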
