I have connected a SQL database to my Windows Forms application in C# (Visual Studio 2012). The database contains one table with three columns for Username, Password and Role.

Picture of my Table

Inside the table is data for username and password. There are also two user types in the role column, which determine the form you will be directed to when logging in, depending on whether your role is an admin or client.

picture of the data in my form

I now have the code for the login form so that it can detect whether a user is an admin or client when logging in, but the problem is that I have no username and password validation which displays a messagebox detailing when a user has entered incorrect information.

Could someone please adapt my code so that it displays a messagebox showing that the user has entered an incorrect username or password if they have unsuccessfully tried to log in?

Here is my code below:

```csharp
private void button3_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|Data.mdf;Integrated Security=True");
    SqlDataAdapter sda = new SqlDataAdapter("Select Role from Login Where UserName='" + textBox1.Text + "' and Password='" + textBox2.Text + "'   ",con);
    DataTable dt = new System.Data.DataTable();
    sda.Fill(dt);
    if(dt.Rows.Count == 1)
    {
        if (dt.Rows.Count == 1)
        {
            switch (dt.Rows[0]["Role"] as string)
            {
                case "Admin":
                    {
                        this.Hide();
                        AdminMenu ss = new AdminMenu();
                        ss.Show();
                        break;
                    }

                case "Client":
                    {
                        this.Hide();
                        MenuForm mf = new MenuForm();
                        mf.Show();
                        break;
                    }

                default:
                    {
                        // ... handle unexpected roles here...
                        break;
                    }
            }
        }
    }
}

private void Login_Load(object sender, EventArgs e)
{

}

private void Login_FormClosing(object sender, FormClosingEventArgs e)
{
    Application.ExitThread();
}
}
}
```
Mohit S
reddevil54
  • Try that code with the password `' or role='Admin`. – Dour High Arch Nov 17 '15 at 04:03
  • `if(dt.Rows.Count == 1)` checks if a record was returned. If login / password are incorrect, no rows will be returned. So the code you want goes into the else part of the expression. After this, you need to think about what happens for the other possible state: if more than one row is returned. – Nick.Mc Nov 17 '15 at 04:18
  • You also need to protect your code against **SQL injection**. Currently your code is a security risk. It can easily be hacked to reset all the passwords. – Nick.Mc Nov 17 '15 at 04:20
  • i.e. if I put this into textbox1: `';UPDATE LOGIN SET PASSWORD=''; --` – Nick.Mc Nov 17 '15 at 04:23

1 Answer

You just need to put an else condition in this case, like this:

```csharp
else
{
    MessageBox.Show("Login Details are incorrect.");
}
```

Also, I am unable to understand why you have two if conditions like this:

```csharp
if(dt.Rows.Count == 1)
    {
        if (dt.Rows.Count == 1)
        {
```

whereas only the first one could serve your purpose.

So the code would look something like this:

```csharp
private void button3_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|Data.mdf;Integrated Security=True");
    SqlDataAdapter sda = new SqlDataAdapter("Select Role from Login Where UserName='" + textBox1.Text + "' and Password='" + textBox2.Text + "'   ",con);
    DataTable dt = new System.Data.DataTable();
    sda.Fill(dt);
    if(dt.Rows.Count == 1)
    {
        switch (dt.Rows[0]["Role"] as string)
        {
            case "Admin":
                {
                    this.Hide();
                    AdminMenu ss = new AdminMenu();
                    ss.Show();
                    break;
                }

            case "Client":
                {
                    this.Hide();
                    MenuForm mf = new MenuForm();
                    mf.Show();
                    break;
                }
            default:
                {
                    MessageBox.Show("Please contact your administrator");
                    break;
                }
        }
    }
    else
    {
        MessageBox.Show("Login Details are incorrect.");
    }
}
```

Now, in the case where it is neither a Client nor an Admin, you can just show a MessageBox.

And your code definitely needs to be protected against SQL injection.

Community
Mohit S
  • I tried your suggestion Mohit Shrivastava but nothing happens if I type an incorrect username or password, I just end up staying on the login form but no messagebox displays. – reddevil54 Nov 17 '15 at 13:49
  • Just figured out how to do it using some of your suggestion, thank you for the answer. – reddevil54 Jan 13 '16 at 22:02
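
The SQL injection risk raised in the comments and at the end of the answer comes from concatenating the text boxes into the query string. The following is an added example, not code from the original question or answer, showing the same lookup with a parameterized command; the names `LoginLookup` and `TryGetRole` and the `NVARCHAR(50)` column sizes are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example: LoginLookup and TryGetRole are hypothetical names, not from the post.
static class LoginLookup
{
    // Connection string copied from the question.
    const string ConnectionString =
        @"Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|Data.mdf;Integrated Security=True";

    // Returns true and sets 'role' only when exactly one row matches.
    public static bool TryGetRole(string userName, string password, out string role)
    {
        role = null;

        // Placeholders keep user input out of the SQL text, so input such as
        // ' or role='Admin is compared as a literal string and never parsed as SQL.
        const string sql =
            "SELECT Role FROM Login WHERE UserName = @userName AND Password = @password";

        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Assumption: both columns are NVARCHAR(50); match the real column types.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;

            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false;   // no match: wrong user name or password

                string found = reader["Role"] as string;

                if (reader.Read())
                    return false;   // more than one match: treat as a failed login

                role = found;
                return true;
            }
        }
    }
}
```

In `button3_Click`, call `LoginLookup.TryGetRole(textBox1.Text, textBox2.Text, out role)`, run the existing `switch` on `role` when it returns true, and show the "Login Details are incorrect." message box when it returns false.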