Check the OleDbCommand line marked below. I don't know what kind of error it is, or what I'm doing wrong. Please help :(

private void button1_Click(object sender, EventArgs e)
{
    try
    {
        string constring = @"Provider = Microsoft.Jet.OLEDB.4.0; Data Source=C:\Users\ShahMuhammad\Desktop\testLogin.accdb; Persist Security Info=True;";
        OleDbConnection conDataBase = new OleDbConnection(constring);
        OleDbCommand cmdDatabase = new OleDbCommand("Select * from login where uname="this.textBox1.Text" and pword = "this.textBox2.Text", connDatabase); // HERE I HAVE PROBLEM
        OleDbDataReader myReader;

        conDataBase.Open();
        myReader = cmdDatabase.ExecuteReader();
        int count = 0;
        while (myReader.Read())
        {
            count = count + 1;
        }
        if (count == 1)
        {
            MessageBox.Show("Successfull Login");
        }
        else if (count > 1)
        {
            MessageBox.Show("Duplicate Uname or Password");
        }
        else
        {
            MessageBox.Show("Ghalat input ustaad, wari account password");
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
}

Kindly tell me what the error is. I am a total newbie in C# programming, especially connecting with a DB.

sam

4 Answers
You have a problem because uname and pword are text fields.
When you query text fields you need to put the values between single quotes.

However, there is a better solution, and it is called a parameterized query:

OleDbCommand cmdDatabase = new OleDbCommand(@"Select * from login
                                              where uname=@name and pword = @pword",
                                            conDataBase);
cmdDatabase.Parameters.AddWithValue("@name", textBox1.Text);
cmdDatabase.Parameters.AddWithValue("@pword", textBox2.Text);
....

No more problems with quoting strings, replacing single quotes inside strings and SQL injection attacks, and your command text is now a lot more readable.

When you have fixed this problem I also suggest reading about the weakness of storing passwords in clear text inside a database. In your case a malicious user can simply copy the database and easily read all your users' passwords.

EDIT
Revisiting this question after an hour, I see that there are multiple correct answers (Soner Gönül and Paul Zahra) to your question (albeit incomplete, including mine).

In a summary:

  • Concatenating strings in C# is done using the + operator
  • There is a typographical error in your naming the connection
  • Passing string values to a database should be done enclosing strings in quotes
  • Use the using statement around disposable objects
  • Finally use a parameterized query when dealing with command texts
Steve

  • @sam, This is the way you should query commands in a database context. Concatenating passwords in strings risks SQL injection. – Rohit Prakash Jan 30 '15 at 08:58
  • Actually, the OP simply missed the + operator... But you are right, using SqlParameter is practically a best practice – Steve B Jan 30 '15 at 08:58
"Select * from login where uname="this.textBox1.Text" and pword = "this.textBox2.Text"

I think this should be:

"Select * from login where uname=" + this.textBox1.Text + " and pword = " + this.textBox2.Text

if your columns are not character typed; otherwise you need to use single quotes with them.

But as a better way, always use parameterized queries. This kind of string concatenation is open to SQL injection attacks.

var cmdDatabase = new OleDbCommand("Select * from login where uname= ? and pword = ?", conDataBase);
// use the OleDbType that matches your column type
cmdDatabase.Parameters.Add("p1", OleDbType...).Value = this.textBox1.Text;
cmdDatabase.Parameters.Add("p2", OleDbType...).Value = this.textBox2.Text;

And use the using statement to dispose of your OleDbCommand, OleDbConnection and OleDbDataReader. Like:

using (OleDbConnection conDataBase = new OleDbConnection(constring))
using (OleDbCommand cmdDatabase = conDataBase.CreateCommand())
{
    ...
    ...
    using (OleDbDataReader myReader = cmdDatabase.ExecuteReader())
    {
        //
    }
}

Finally, it looks like you store your passwords as plain text. Don't do that! Read: Best way to store password in database

Soner Gönül

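Putting the two answers above together (Steve's parameterized query and clear-text warning, Soner Gönül's `?` placeholders and `using` blocks), here is an added example of the login check with a positional OleDb parameter, disposed objects, and a PBKDF2 hash stored in `pword` instead of the clear-text password. This is not code from the question or either answer; it assumes the `login(uname, pword)` table from the question and .NET Framework 4.7.2 or newer (for the `HashAlgorithmName` overload), and `LoginCheck`, `TryLogin`, `HashPassword` and `VerifyPassword` are hypothetical names.

```csharp
using System;
using System.Data.OleDb;
using System.Security.Cryptography;
// Hypothetical helper class; not code from the question or any answer.
static class LoginCheck
{
    // Assumed schema: login(uname TEXT, pword TEXT), where pword now holds
    // "iterations:saltBase64:hashBase64" produced by HashPassword, not clear text.
    public static bool TryLogin(string constring, string uname, string password)
    {
        const string sql = "SELECT pword FROM login WHERE uname = ?";
        using (var conn = new OleDbConnection(constring))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            // OleDb binds '?' positionally; the user's text never becomes part of the SQL
            cmd.Parameters.Add("@uname", OleDbType.VarWChar).Value = uname;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read() || reader.IsDBNull(0)) return false; // unknown user
                string stored = reader.GetString(0);
                if (reader.Read()) return false;   // duplicate uname: refuse rather than guess
                return VerifyPassword(password, stored);
            }
        }
    }
    // PBKDF2-SHA256 with a random 16-byte salt; store the returned string in pword.
    public static string HashPassword(string password, int iterations = 100000)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(kdf.GetBytes(32));
    }
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 3) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, int.Parse(parts[0]), HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;                      // constant-time comparison
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }
}
```

Call `HashPassword` once when creating a user and write its result to `pword`; `TryLogin` then never compares the clear-text password against the database at all.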
You have two issues with your code... as others have pointed out, you need to concatenate the strings... the other is your DB connection object: it is called conDataBase but you reference connDatabase, and your SQL string is a bit squiffy... your code should look like...

OleDbConnection conDatabase = new OleDbConnection(constring);
string sql = "Select * from login where uname='" + this.textBox1.Text + "' and pword = '" + this.textBox2.Text + "'";
OleDbCommand cmdDatabase = new OleDbCommand(sql, conDatabase);

But as others have said, using a parameterised query is safer.

Paul Zahra

You should write 'this.textbox1.text' as + this.textbox1.text +

Your query should be like this:

"select * from TblLogin where UserName='"+this.txtUserName.text+"' and Password='"+this.txtPassword.text+"' ";
Sheeba