
I am in desperate need of some help.

I'm using SQL Server and VB.NET. On my personal-info Windows form I'm trying to populate textboxes with user information based on the currently logged-in user.

However, I don't know how to represent the value of the current user. I'm trying to pass the value as a parameter. What should be put in place of `#idontknow`?

Code for form:

Imports System.Data
Imports System.Data.SqlClient

Private Sub PersonalInfo_Load(sender As Object, e As EventArgs) Handles MyBase.Load
    ' Using blocks dispose the connection and reader even if an exception is thrown
    Using connection As New SqlConnection("server=DESKTOP-PL1ATUA\DMV;Database=EHR;Integrated Security=True")
        connection.Open()

        Dim sqlcmd As New SqlCommand("SELECT * FROM PATIENT WHERE PATIENT_ID = @id", connection)

        ' #idontknow is the open question: what value identifies the logged-in user?
        sqlcmd.Parameters.AddWithValue("@id", #idontknow)

        Using reader As SqlDataReader = sqlcmd.ExecuteReader()
            While reader.Read()
                fname.Text = reader("PATIENT_FNAME")

                ComboBox1.Text = reader("patient_gender")
                TextBox4.Text = reader("patient_street")
                TextBox5.Text = reader("patient_city")
                TextBox6.Text = reader("patient_state")
                TextBox7.Text = reader("patient_zip")
                TextBox8.Text = reader("patient_phone")
                email.Text = reader("user_email")
            End While
        End Using
    End Using
End Sub

Here I validate user credentials on a Windows form by checking email and password. The primary key (patient_id) is generated on insert when a new user registers (that code is on a separate form, which is not shown below):

Imports System.Data
Imports System.Data.SqlClient

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Using connection As New SqlConnection("server=DESKTOP-PL1ATUA\DMV;Database=EHR;Integrated Security=True")
        ' Compares the typed password directly with the stored user_pass column (see the comments below)
        Dim command As New SqlCommand("select * from patient where user_email = @email and user_pass = @pass", connection)
        command.Parameters.Add("@email", SqlDbType.VarChar).Value = email.Text
        command.Parameters.Add("@pass", SqlDbType.VarChar).Value = pass.Text

        Dim adapter As New SqlDataAdapter(command)
        Dim table As New DataTable()

        adapter.Fill(table)   ' the adapter opens and closes the connection itself

        If table.Rows.Count = 0 Then
            MessageBox.Show("Username or Password are Invalid")
        Else
            MessageBox.Show("Login Successful")
            dashboard.Show()
        End If
    End Using
End Sub
Comments

  • The CURRENT_USER SQL Server function returns the current user's name. In C# you can get the current user with WindowsIdentity.GetCurrent(). (Commented May 9, 2018 at 14:24)
  • @PanagiotisKanavos That gives the login of SQL Server on one hand and the Windows login on another. Most likely he wants his own system's login. (Commented May 9, 2018 at 15:48)
  • Given your current code, it seems you're right now storing your password in plain text. This is a severe security vulnerability. (Commented May 9, 2018 at 15:50)

2 Answers


Your login code queries for a record from the patient table that has the appropriate username and password. Right now it looks like all you're doing is checking for the existence of such a record. What you want to do is take that record's patient_id and store it somewhere that you can refer back to from elsewhere in your code. This could be something as simple as a shared property somewhere. This question discusses a few options that might suit. For instance, a module:

Module CurrentUser
    Public Property PatientId As Integer
End Module

Or a class that can't be instantiated:

NotInheritable Class CurrentUser
    Private Sub New()
    End Sub

    Public Shared Property PatientId As Integer
End Class

Review the answers to the question linked above for a discussion of the differences between the two approaches. In either case, you'd assign the value of CurrentUser.PatientId in your login code and then access its value where you've written #idontknow.

One last thing: it looks like your login code is taking the contents of a password box somewhere and comparing it directly to the contents of the password field in your database, which strongly implies that you're storing passwords as plain text. This is not secure. Review this question for a thorough overview of how to store passwords securely.


2 Comments

Thank you for the feedback! I decided to use the class and then call CurrentUser.PatientId, but I don't know how to set the value of CurrentUser.PatientId since it's an Integer, but the select query I assigned it to is a string.

@AundreaVickers, I may not have read closely enough, but I didn't see where in your question you revealed the data type of the patient_id field in the database, so I just guessed Integer. If the database field is a string, then declare your PatientId property as a string as well.
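Putting the answer together end to end, as an added example that is not code from the question or either answer: the login looks up patient_id, stores it in the shared CurrentUser class, and PersonalInfo_Load reads it back as a typed parameter in place of `#idontknow`. It assumes the WinForms designer partial classes supply the email, pass, fname, Button1 and dashboard members named in the question, and that patient_id is an Integer as the answer guessed; the plain-text user_pass comparison is the question's own scheme, kept only so the example matches the page.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
' Holds the key of the patient who logged in (the NotInheritable-class option from the answer).
NotInheritable Class CurrentUser
    Private Sub New()
    End Sub
    Public Shared Property PatientId As Integer
End Class

Public Class LoginForm
    Friend Const ConnStr As String = "server=DESKTOP-PL1ATUA\DMV;Database=EHR;Integrated Security=True"
    ' Returns the patient_id matching the credentials, or Nothing when no row matches. The plain-text
    ' password comparison is the question's own scheme; the answer's last paragraph says to replace it.
    Friend Shared Function LookUpPatientId(userEmail As String, password As String) As Integer?
        Using connection As New SqlConnection(ConnStr),
              command As New SqlCommand("SELECT patient_id FROM patient WHERE user_email = @email AND user_pass = @pass", connection)
            command.Parameters.Add("@email", SqlDbType.VarChar, 255).Value = userEmail
            command.Parameters.Add("@pass", SqlDbType.VarChar, 255).Value = password
            connection.Open()
            Dim result As Object = command.ExecuteScalar()   ' first column of the first row, or Nothing
            If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
            Return Convert.ToInt32(result)
        End Using
    End Function
    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
        Dim id As Integer? = LookUpPatientId(email.Text, pass.Text)
        If Not id.HasValue Then
            MessageBox.Show("Username or Password are Invalid")
            Return
        End If
        CurrentUser.PatientId = id.Value   ' this is the value PersonalInfo reads in place of #idontknow
        dashboard.Show()
    End Sub
End Class

Public Class PersonalInfo
    Private Sub PersonalInfo_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        Using connection As New SqlConnection(LoginForm.ConnStr),
              command As New SqlCommand("SELECT * FROM patient WHERE patient_id = @id", connection)
            command.Parameters.Add("@id", SqlDbType.Int).Value = CurrentUser.PatientId   ' typed, not AddWithValue
            connection.Open()
            Using reader As SqlDataReader = command.ExecuteReader()
                If reader.Read() Then   ' patient_id is the primary key, so at most one row
                    fname.Text = reader("PATIENT_FNAME").ToString()
                    email.Text = reader("user_email").ToString()
                End If
            End Using
        End Using
    End Sub
End Class
```

If patient_id turns out to be a string column, change the property type, the `Integer?` return type and the `SqlDbType.Int` parameter together, as the answer's comment notes.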

Well, I'm not sure, but if you're looking for the logged-in Windows user, then it's a string (not an Integer), as follows:

Dim UserNameStr As String = Environment.UserName

Same applies to the SQL Server:

SELECT CURRENT_USER;

...it's a string too.
