
I have created a simple program with a login form. It works in a very simple way, but I observed that when logging in, it is not case sensitive. For example, if my username is Test and I log in using test, it is still accepted.

SqlConnection connect = new SqlConnection("Data Source=LAFAYETTE-PC;Initial Catalog=Thesis;Integrated Security=True");
connect.Open();
SqlCommand command = new SqlCommand("SELECT * FROM AdminCredentials WHERE Username = '" + LogInUsername.Text + "' AND Password  = '" + LogInPassword.Text + "' ", connect);
SqlDataReader reader;
reader = command.ExecuteReader();
int count = 0;
while (reader.Read())
{
    count += 1;
}

if (count == 1)
{
    MessageBox.Show("Successfully Logged In!");
    MainForm form2 = new MainForm();
    form2.ShowDialog();
}
else if (count > 0)
{
    MessageBox.Show("Incorrect username and password");
}
else
{
    MessageBox.Show("Username or password is incorrect");

}

Any ideas? Help would be greatly appreciated!

Simon Karlsson

  • You may consider the following: [How to do a case sensitive search in WHERE clause](http://stackoverflow.com/questions/1831105/how-to-do-a-case-sensitive-search-in-where-clause-im-using-sql-server) – Hamed Salameh Feb 22 '16 at 15:06
  • You've got a serious SQL injection problem. – George Stocker Feb 22 '16 at 15:06
  • The injection problem is an issue, but the entire way you are handling passwords is problematic. They should be salted and hashed instead of stored in plain text. Not only would this protect the passwords, you would also have the answer to making your passwords case sensitive. – Sean Lange Feb 22 '16 at 15:09
  • You shouldn't be worried about case sensitive user names when you're storing clear text passwords and have some delicious delicious SQL injection vulnerabilities. https://en.wikipedia.org/wiki/SQL_injection – Kritner Feb 22 '16 at 15:10

1 Answer


Append " COLLATE Latin1_GENERAL_CS_AS" to your query:

new SqlCommand("SELECT * FROM AdminCredentials WHERE Username = '" + LogInUsername.Text + "' AND Password  = '" + LogInPassword.Text + "'  COLLATE Latin1_GENERAL_CS_AS"

And read about SQL injection...

António Campos