2

Okay, I have created a login system in VB.NET using a database in Access. The problem I am having is that some of the username and password combinations work perfectly, but some of them, although put in correctly, don't work at all. This is the code I have written...

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click

    ' Check if username or password is empty
    If textpassword.Text = "" Or textusername.Text = "" Then
        MessageBox.Show("Please complete the required fields..", "Authentication Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
    Else
        ' Both fields were supplied
        ' Check if the user exists in the database
        ' Connect to DB
        Dim conn As New System.Data.OleDb.OleDbConnection()
        conn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\database1.accdb"

        'conn.Open()
        'MsgBox("Success")

        ' The two text boxes are concatenated straight into the SQL text
        Dim sql As String = "SELECT * FROM Accounts WHERE username='" & textusername.Text & "' AND password = '" & textpassword.Text & "'"
        Dim sqlCom As New System.Data.OleDb.OleDbCommand(sql)

        'Open Database Connection
        sqlCom.Connection = conn
        conn.Open()

        Dim sqlRead As System.Data.OleDb.OleDbDataReader = sqlCom.ExecuteReader()

        If sqlRead.Read() Then
            MemberPage.Show()
            Me.Hide()

        Else
            ' If user enters wrong username and password combination
            ' Throw an error message
            MessageBox.Show("Username and Password do not match..", "Authentication Failure", MessageBoxButtons.OK, MessageBoxIcon.Exclamation)

            'Clear all fields
            textpassword.Text = ""
            textusername.Text = ""

            'Focus on Username field
            textusername.Focus()
        End If

        ' Release the reader and the connection on both paths
        sqlRead.Close()
        conn.Close()
    End If
End Sub
  • 2
    Best to avoid concatenated strings for SQL statements, or you risk SQL injection issues. Also worth including a Using structure to better manage object disposal. Should your '.Read' method rather be checking '.HasRows' or something similar? Commented Jul 15, 2015 at 9:49
  • Can you clarify what happens when they "don't work at all"? Commented Jul 15, 2015 at 9:50

2 Answers

3

Do not concatenate strings. It's wide open for SQL injection. It's better to use a parameterized query:

Dim sql As String = "SELECT * FROM Accounts WHERE username = ? AND password = ?"
Dim sqlCom As New System.Data.OleDb.OleDbCommand(sql)
' OleDb binds parameters by position, so add them in the order the ? markers appear;
' the names are only for readability
sqlCom.Parameters.AddWithValue("@username", textusername.Text)
sqlCom.Parameters.AddWithValue("@password", textpassword.Text)

Also, you can use the HasRows property:

If sqlRead.HasRows Then
    While sqlRead.Read()
        MemberPage.Show()
        Me.Hide()
    End While
Else
    MessageBox.Show("Username and Password do not match..", "Authentication Failure", MessageBoxButtons.OK, MessageBoxIcon.Exclamation)

    'Clear all fields
    textpassword.Text = ""
    textusername.Text = ""

    'Focus on Username field
    textusername.Focus()
End If
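An added example, not code from the question or from either answer: the same login check written the way the accepted advice above points to, with OleDb parameters, Using blocks for disposal, and the password compared against a salted PBKDF2 hash instead of a plain-text password column. It assumes things the original page does not state: that the Accounts table has Short Text columns [username], [pwd_hash] and [pwd_salt] (the last two holding Base64), and that the project targets .NET Framework 4.7.2 or later so the SHA-256 overload of Rfc2898DeriveBytes is available. The iteration count is a placeholder.

```vb
' Added example (not from the question or either answer).
' Assumed schema: Accounts([username], [pwd_hash], [pwd_salt]) as Short Text,
' hash and salt stored as Base64. Requires .NET Framework 4.7.2+ for the
' HashAlgorithmName overload of Rfc2898DeriveBytes.
Imports System.Data.OleDb
Imports System.Security.Cryptography

Public Class LoginHelper
    Private Const ConnString As String =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\database1.accdb"

    ' PBKDF2 settings; the iteration count is a placeholder, tune it for your hardware
    Private Const HashBytes As Integer = 32
    Private Const Iterations As Integer = 100000

    ' True only when exactly one row matches the username and the supplied
    ' password re-derives the stored hash. The password never reaches the query.
    Public Shared Function Authenticate(username As String, password As String) As Boolean
        If String.IsNullOrWhiteSpace(username) OrElse String.IsNullOrEmpty(password) Then
            Return False
        End If

        ' Square brackets keep column names clear of Access reserved words
        Const sql As String =
            "SELECT [pwd_hash], [pwd_salt] FROM [Accounts] WHERE [username] = ?"

        Using conn As New OleDbConnection(ConnString)
            Using cmd As New OleDbCommand(sql, conn)
                ' OleDb binds by position; the parameter name is only for readability
                cmd.Parameters.Add("@username", OleDbType.VarWChar, 255).Value = username
                conn.Open()
                Using reader As OleDbDataReader = cmd.ExecuteReader()
                    If Not reader.Read() Then Return False           ' unknown user
                    Dim storedHash As Byte() = Convert.FromBase64String(CStr(reader("pwd_hash")))
                    Dim salt As Byte() = Convert.FromBase64String(CStr(reader("pwd_salt")))
                    If reader.Read() Then Return False               ' duplicate username: refuse
                    Return VerifyPassword(password, salt, storedHash)
                End Using
            End Using
        End Using
    End Function

    ' Produces the two Base64 strings to store when an account is created
    Public Shared Sub HashPassword(password As String, ByRef saltB64 As String, ByRef hashB64 As String)
        Dim salt(15) As Byte                     ' 16 random bytes per account
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        saltB64 = Convert.ToBase64String(salt)
        hashB64 = Convert.ToBase64String(Derive(password, salt))
    End Sub

    Private Shared Function Derive(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    Private Shared Function VerifyPassword(password As String, salt As Byte(), expected As Byte()) As Boolean
        Dim actual As Byte() = Derive(password, salt)
        ' Constant-time comparison so timing does not reveal how many bytes matched
        If actual.Length <> expected.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To actual.Length - 1
            diff = diff Or (actual(i) Xor expected(i))
        Next
        Return diff = 0
    End Function
End Class
```

In the form from the question, Button1_Click then reduces to `If LoginHelper.Authenticate(textusername.Text, textpassword.Text) Then` followed by the existing MemberPage.Show() / Me.Hide() and the existing failure branch. Because only the username is sent to the database and the hash comparison happens in code, an apostrophe or other special character in a password can no longer alter the SQL text, and a copy of the .accdb file no longer contains usable passwords.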

2

It seems that some mistake is happening at the condition you are checking after filling the DataReader, i.e.

If sqlRead.Read() Then

Try the If condition with the following code:

If Not sqlRead Is Nothing  Then

If it doesn't work, then...

I would suggest you do it using a DataAdapter and check whether it returns rows. If the row count is greater than 1, you must show the MemberPage.

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click

    If textpassword.Text = "" Or textusername.Text = "" Then
        MessageBox.Show("Please complete the required fields..", "Authentication Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
    Else

        Dim conn As New System.Data.OleDb.OleDbConnection()
        conn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\database1.accdb"

        Dim sql As String = "SELECT * FROM Accounts WHERE username='" & textusername.Text & "' AND password = '" & textpassword.Text & "'"
        Dim sqlCom As New System.Data.OleDb.OleDbCommand(sql)

        ' The DataSet must be instantiated before Fill can add a table to it
        Dim ds As New DataSet()

        sqlCom.Connection = conn

        ' Fill opens the connection if it is closed and closes it again afterwards,
        ' so no explicit conn.Open() / conn.Close() is needed here
        Dim da As New System.Data.OleDb.OleDbDataAdapter(sqlCom)
        da.Fill(ds)

        ' One matching row is enough; a count of 0 means no such username/password pair
        If ds.Tables(0).Rows.Count > 0 Then
            MemberPage.Show()
            Me.Hide()

        Else

            MessageBox.Show("Username and Password do not match..", "Authentication Failure", MessageBoxButtons.OK, MessageBoxIcon.Exclamation)

            textpassword.Text = ""
            textusername.Text = ""

            textusername.Focus()
        End If
    End If
End Sub
