
I have a login window in which the user should enter the user ID and password. If the textBoxes are empty or the entered values are incorrect, then the program should catch this and show an error message.
I have written this code, but it works only when the two textBoxes are empty, whereas when one of the textBoxes is empty or the value entered for ID or password is incorrect, the program stands with no reaction. What is wrong with my code? Regards

    private void loginbtn_Click(object sender, EventArgs e)
    {
        try
        {
            id = Convert.ToInt32(empIdtxt.Text);
            cn.Open();
            SqlCommand cmd = new SqlCommand("select empId,empPass from emp where empId='" + empIdtxt.Text + "' and empPass='" + passtxt.Text + "'", cn);
            SqlDataAdapter da = new SqlDataAdapter(cmd);
            DataTable dt = new DataTable();
            da.Fill(dt);
            if (dt.Rows.Count > 0)
            {
                SqlCommand cmd2 = new SqlCommand("insert into empLogin (empId,empPerm) select empId,empPerm from emp where empId='" + empIdtxt.Text + "'", cn);
                cmd2.ExecuteNonQuery();
                MainFrm mainfrm = new MainFrm(id);
                mainfrm.Show();
                this.Hide();
            }
        }
        catch
        {
            MessageBox.Show("User ID or password invalid or incorrect", "Invalid ID or password", MessageBoxButtons.OK, MessageBoxIcon.Warning);
        }
        finally
        {
            cn.Close();
        }
    }

Mouad Raizada
  • If no valid employee is found then your code does nothing, because you have no else for your if (dt.Rows.Count > 0). There will be no error, so you will not go into the catch. – GuidoG Sep 29 '16 at 09:24

1 Answer

You are missing the else block of if (dt.Rows.Count > 0). Also, it is good practice to use bind variables instead of embedding values into the query.

Halis S.
  • Should I write my error message in the else statement instead of the catch block? – Mouad Raizada Sep 29 '16 at 09:24
  • Finding no employee is not an error, so you will not get into the catch block. So yes, you need to show the message in the else statement. – GuidoG Sep 29 '16 at 09:25
  • `Catch` block will prevent invalid input values like nulls and non-integer ids. You must add `else` block to handle when no rows return from database. – Halis S. Sep 29 '16 at 09:26
  • But much more important is to use parameters to build your query instead of building your query like this. This is open to the oldest security issue that exists, SQL injection. Your login form is very insecure like this. – GuidoG Sep 29 '16 at 09:27
  • @GuidoG If I want to show the specific error, such as the user ID is incorrect or the password is incorrect, then how can I do this? – Mouad Raizada Sep 29 '16 at 09:29
  • You should handle it in the else block – Halis S. Sep 29 '16 at 09:30
  • @Tima'aTamim Don't do that. Do not give hints to hackers as to what is wrong, the user or the pass. – GuidoG Sep 29 '16 at 09:31
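
The changes the answer and comments describe (a separate path for "no matching row", bind parameters instead of string concatenation, and one result that does not reveal which field was wrong), as an added example that is not code from the original posts. The class name `LoginCheck`, the parameter names, and the column types (integer `empId`, `NVARCHAR(128)` `empPass`) are assumptions; table and column names come from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck   // hypothetical helper, not part of the question's form
{
    // Returns true only when the ID/password pair matches a row in emp.
    // Empty input, a non-numeric ID, a wrong ID and a wrong password all
    // return the same false, so the caller can show one generic message.
    public static bool TryLogin(SqlConnection cn, string idText, string password, out int empId)
    {
        // Reject empty or non-integer input without relying on an exception.
        if (!int.TryParse(idText, out empId) || string.IsNullOrEmpty(password))
            return false;

        cn.Open();
        try
        {
            using (var cmd = new SqlCommand(
                "select count(*) from emp where empId = @id and empPass = @pass", cn))
            {
                // Values travel as typed parameters and are never parsed as SQL text.
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = empId;            // assumed column type
                cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 128).Value = password; // assumed column type
                if ((int)cmd.ExecuteScalar() == 0)
                    return false;   // the missing "else" case: no row is a result, not an error
            }

            using (var log = new SqlCommand(
                "insert into empLogin (empId, empPerm) " +
                "select empId, empPerm from emp where empId = @id", cn))
            {
                log.Parameters.Add("@id", SqlDbType.Int).Value = empId;
                log.ExecuteNonQuery();
            }
            return true;
        }
        finally
        {
            cn.Close();   // database errors still propagate to the caller
        }
    }
}

// In loginbtn_Click (id and cn are the form's existing fields):
//   if (LoginCheck.TryLogin(cn, empIdtxt.Text, passtxt.Text, out id)) { new MainFrm(id).Show(); this.Hide(); }
//   else MessageBox.Show("User ID or password invalid or incorrect", "Invalid ID or password",
//                        MessageBoxButtons.OK, MessageBoxIcon.Warning);
```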