
I have a login program that has a user name textbox and a password textbox. The program should get the user's name and password from the user and match them against the name and password that are available in the Access database file. The file is in the bin/debug folder. The problem is that the while loop is not working and I am getting only the "Incorrect username and password" message from the loop. Can anyone help me please? Here is my code:

private void loginButton_Click(object sender, EventArgs e)
{
     try
     {     
         connection.Open();
         OleDbCommand command = new OleDbCommand();
         command.Connection = connection;
         command.CommandText = "select * from login where UserName= '" + userTextBox.Text + "'and Password= '" + passwordTextBOx.Text + "'";
         OleDbDataReader reader = command.ExecuteReader();
         int count = 0;
         while (reader.Read())
         {
             count = count + 1;
         }
         if (count == 1)
         {
             this.Hide();
             Form newForm = new Form();// create new form
             newForm.Show();//display newform
         }
         if (count > 1)
         {
             MessageBox.Show("Duplicate UserName and Password");
         }
         else
         {
             MessageBox.Show("Incorrect UserName and Password");
         }
         connection.Close();
     }
     catch (Exception ex)
     {
         MessageBox.Show(ex.Message);
     }
}
  • Try to add else before if (count > 1). Now the message "Incorrect user name" will be displayed even when the name is found. And I would recommend using ShowDialog instead of only Show to wait for the dialog to close before the application continues. Commented May 18, 2018 at 6:01
  • Your code has a serious SQL injection vulnerability, always use parameterized queries to avoid it. Commented May 18, 2018 at 6:02
  • Is the password saved in plain text? (Without hashing or using a salt) Commented May 18, 2018 at 6:05
  • Also you're not disposing correctly of resources. Wrap the reader and command in using statements. And close the connection in finally, not only when everything succeeds. Commented May 18, 2018 at 6:06
  • @S.R You should read a few articles about SQL injection and parameterized queries. You can start here msdn.microsoft.com/en-us/library/ff648339.aspx or here stackoverflow.com/questions/14376473/… Commented May 18, 2018 at 6:07

1 Answer

If all you want is the number of rows returned, you should use SELECT COUNT(*) and ExecuteScalar:

command.CommandText = "select Count(*) from login where UserName= @Username and Password= @Password";
command.Parameters.AddWithValue("@Username", userTextBox.Text);
command.Parameters.AddWithValue("@Password", passwordTextBOx.Text);

// ExecuteScalar returns the first column of the first row as an object,
// so there is no reader to loop over; convert the single COUNT(*) value.
int count = Convert.ToInt32(command.ExecuteScalar());

Please note that OleDb does not support named parameters. So while I named them @Username / @Password, these are in fact just placeholders. OleDb only uses positional parameters, so the order in which you add them to your query is important. Adding the password first will give you a wrong result.
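The same login check with the fixes raised in the comments and the answer pulled together (parameterized positional query, using blocks so the connection is released on failure too, and an if/else chain so "Incorrect" is not shown after a match). This is an added example, not the asker's or the answerer's code; the table and column names come from the question, while the connection string, the ACE provider path and the method names CountMatchingLogins/Classify are assumptions.

```csharp
using System;
using System.Data.OleDb;

public enum LoginResult { NotFound, Found, Duplicate }

public static class LoginCheck
{
    // Placeholder connection string (assumed): adjust provider and path for your setup.
    private const string ConnectionString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=login.accdb";

    public static int CountMatchingLogins(string userName, string password)
    {
        // 'using' disposes the connection and command even when an exception is thrown,
        // which replaces the "Close() only on success" pattern from the question.
        using (var connection = new OleDbConnection(ConnectionString))
        using (var command = connection.CreateCommand())
        {
            // The values travel as parameters, never as SQL text, so a quote
            // character in the input is compared literally instead of
            // changing the shape of the query.
            command.CommandText =
                "SELECT COUNT(*) FROM login WHERE UserName = ? AND Password = ?";
            // OleDb binds parameters by position, not by name: the first Add
            // fills the first '?', the second fills the second. Swapping these
            // two lines would silently compare the user name against the password column.
            command.Parameters.AddWithValue("@UserName", userName);
            command.Parameters.AddWithValue("@Password", password);

            connection.Open();
            // COUNT(*) is a single value, so ExecuteScalar is enough; no reader loop needed.
            return Convert.ToInt32(command.ExecuteScalar());
        }
    }

    public static LoginResult Classify(int matches)
    {
        // Exactly one match is a successful login. The else-if chain is the
        // "add else before if (count > 1)" fix from the comments: without it,
        // a found user still falls into the final "Incorrect" branch.
        if (matches == 1) return LoginResult.Found;
        else if (matches > 1) return LoginResult.Duplicate;
        else return LoginResult.NotFound;
    }
}
```

Call `LoginCheck.Classify(LoginCheck.CountMatchingLogins(userTextBox.Text, passwordTextBOx.Text))` from the button handler and switch on the result to show the form or the message box.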


1 Comment

Thank you all for your help!
