1

Im having trouble getting my program to detect admin users. I have created a login system, but when an admin logs in, it skips past the sql query and moves on to open a user screen, not an admin. When a user registers, they are presented with a pair of radio buttons to choose their user type. Depending on which one is selected, the User type (admin or user) is written into the database in a column User. Here is my code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.SqlClient;
using System.Data.SqlTypes;

namespace myLoginProject
{
public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        SqlConnection connection = new SqlConnection(@"server=.\SQLEXPRESS; database=loginTest;Trusted_Connection=yes");
        connection.Open();
        string selection = "select * from Logins where Name = '" + userNameBox.Text + "' and Password = '" + passwordBox.Text + "' ";
        SqlCommand command = new SqlCommand(selection, connection);
        SqlDataAdapter da = new SqlDataAdapter(command);
        DataSet ds = new DataSet();
        da.Fill(ds);
        DataTable dt = ds.Tables[0];
    }

    private void registerButton_Click(object sender, EventArgs e)
    {
        adminAuthScreen aas = new adminAuthScreen();
        aas.Show();
    }
    private int myMethod(string user, string pass)
    {
        user.Trim();
        pass.Trim();
        SqlConnection connection = new SqlConnection(@"server=.\SQLEXPRESS; database=loginTest;Trusted_Connection=yes");
        connection.Open();
        string selection = "select * from Logins where Name = '"+user+"' and Password = '"+pass+"' ";
        SqlCommand command = new SqlCommand(selection, connection);
        if (command.ExecuteScalar() != null)
            return 1;
        else
            return 0;

    }

    private void loginButton_Click(object sender, EventArgs e)
    {
        if (myMethod(userNameBox.Text,passwordBox.Text)>0)
        {
            MessageBox.Show("Welcome back, "+userNameBox.Text);
            SqlConnection myConnection = new SqlConnection(@"server=.\SQLEXPRESS; database=loginTest;Trusted_Connection=yes");
            try
            {
                myConnection.Open();
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.ToString());
            }
           string checkAdmin1 = "SELECT * FROM Logins WHERE Name = '"+userNameBox.Text+"' AND User='Admin'";
        SqlCommand checkIfAdmin = new SqlCommand(checkAdmin1, myConnection);
        if (checkIfAdmin.ExecuteScalar() != null)
        {
           adminScreen admnscrn = new adminScreen();
            admnscrn.Show();
        }
        else
        {
            userScreen usrscrn = new userScreen();
            usrscrn.Show();
        }
        }
    }


    public SqlConnection connection { get; set; }
}
}

It seems like this bit is the problem (at least its the problem during debugging):

 private void loginButton_Click(object sender, EventArgs e)
        {
            if (myMethod(userNameBox.Text,passwordBox.Text)>0)
            {
                MessageBox.Show("Welcome back, "+userNameBox.Text);
                SqlConnection myConnection = new SqlConnection(@"server=.\SQLEXPRESS; database=loginTest;Trusted_Connection=yes");
                try
                {
                    myConnection.Open();
                }
                catch (Exception ex)
                {
                    MessageBox.Show(ex.ToString());
                }
               string checkAdmin1 = "SELECT * FROM Logins WHERE Name = '"+userNameBox.Text+"' AND User='Admin'";
            SqlCommand checkIfAdmin = new SqlCommand(checkAdmin1, myConnection);
            if (checkIfAdmin.ExecuteScalar() != null)
            {
               adminScreen admnscrn = new adminScreen();
                admnscrn.Show();
            }
            else
            {
                userScreen usrscrn = new userScreen();
                usrscrn.Show();
            }
            }
        }

Can anyone help me find out what the problem is??? Ive tried googling, reading up, i just cant seem to find the answer anywhere... P.S. Its a winforms app, written in C# and will be run on a single computer

tony b
  • 1,341
  • 2
  • 10
  • 12
  • 2
    [This](http://xkcd.com/327/) [seems relevant](http://en.wikipedia.org/wiki/SQL_injection). – canon Oct 04 '13 at 02:47
  • 2
    I think @canon means that you should use parametrized queries. The line: string checkAdmin1 = "SELECT * FROM Logins WHERE Name = '"+userNameBox.Text+"' AND User='Admin'"; opens you SQL injections, for example. – aspiring.algorist Oct 04 '13 at 03:00
  • OK, but how do i solve my problem. It won't detect the user type and just skips over to the else statement – tony b Oct 04 '13 at 03:04
  • Have you looked in the database to ensure that there is the value 'Admin' is in the column User? – aspiring.algorist Oct 04 '13 at 03:17
  • checked, double checked and triple checked. Im tearing my hair out.... – tony b Oct 04 '13 at 03:24
  • wait a second... why is the word User surrounded by [] when i go to design the database? – tony b Oct 04 '13 at 03:25
  • `select *` and `ExecuteScalar` don't often go together, particularly when the query shows that there is more than one column in the table. – HABO Oct 04 '13 at 03:25
  • IVE GOT IT! The column user, when in design mode, was surrounded by []! I changed it to UserType and it works, SUCCESS! I dont understand why it had [] around it though... – tony b Oct 04 '13 at 03:28
  • 1
    @tonyb, because user is a reserved keyword word. – Michael Oct 04 '13 at 05:13
  • @tonyb, also you shouldn't store passwords as plaintext in the database. [link](http://stackoverflow.com/questions/1602776/what-is-password-hashing) – Michael Oct 04 '13 at 05:16
  • You should post the your solution below and mark it as answered so that it helps anyone else with the same problem @tonyb – galdin Nov 05 '13 at 21:44

0 Answers0