
I'm having an issue with an if statement in my code; for the life of me I can't figure out why the condition isn't coming back true.

private bool ValidationFunction(string UserName, string Password)
{
    bool returnBool = false;

    var strConnection = ConfigurationManager.ConnectionStrings["BankConnectionString"].ConnectionString;
    SqlConnection sqlConnection = new SqlConnection(strConnection);

    // Query text is built by concatenating the user-supplied values straight into the SQL.
    string query = "SELECT " + COLUMN_ID + ", " + COLUMN_MACHINEPIN + " FROM " + PERSON_TABLE + " WHERE " + COLUMN_ID + " = \'" + UserName + "\' AND " + COLUMN_MACHINEPIN + " = \'" + Password + "\'";
    SqlCommand command = new SqlCommand(query, sqlConnection);
    SqlDataReader rdr;

    sqlConnection.Open();
    rdr = command.ExecuteReader();

    while (rdr.Read())
    {
        // Single & evaluates both operands (no short-circuit) before combining them.
        if (UserName == rdr["Id"].ToString() & Password == rdr["MachinePin"].ToString())
        {
            returnBool = true;
        }
    }

    // Close the reader and the connection before returning, on every path.
    rdr.Close();
    sqlConnection.Close();
    return returnBool;
}

I have tried using both the name of the column and the constant I used in the query, but neither works and I can't quite get it to work. Any help would be appreciated.

EDIT: Turns out that the data I was retrieving from the database had extra white space because I had used an nchar, so I had to use the Trim function.

  • Use the "&&" operator instead of a single "&" – Dileep May 30 '17 at 14:25
  • You should look into parameterization. If you concatenate your query like this, you are open to SQL injection attacks. I find it also helps debugging a lot. – HoneyBadger May 30 '17 at 14:26
  • I have changed the operator and it's still not working. Thanks for the suggestion though :) This is my first year of college in software development so we're still learning a lot – SirTeddyHaughian May 30 '17 at 14:30

3 Answers


You should use && not &.

& is a bit-wise "AND", meaning that it works on the bit level, whereas && is a logical "AND", meaning it works at the boolean (true/false) level.

I'd also clean up your code a bit. By not parameterizing your inputs, you are opening yourself up to SQL Injection attacks.

You can also wrap your disposable objects in using blocks. It will make your code cleaner and more readable.

using (var conn = new SqlConnection("your connection"))
{
  using (var cmd = new SqlCommand(sql, conn))
  {
    conn.Open();
    using (var rdr = cmd.ExecuteReader())
    {
      ...
    }
  }
}
William Xifaras
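A hardened version of the question's validation method, added here as an example (it is not code from the question or from William Xifaras's answer). It keeps the question's table and column constants and the "BankConnectionString" name, and applies both points above: the user-supplied values travel as parameters rather than being concatenated into the SQL, and every disposable object sits in a using block. It also trims the values read back, which is the nchar padding the question's EDIT ended up hitting. The constant values, the parameter sizes and the method's static placement are assumptions.

```csharp
// Added example, not part of the question or any answer.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class LoginValidator
{
    // Names are those from the question; the values are assumptions.
    private const string PERSON_TABLE = "Person";
    private const string COLUMN_ID = "Id";
    private const string COLUMN_MACHINEPIN = "MachinePin";

    public static bool ValidationFunction(string userName, string password)
    {
        var strConnection = ConfigurationManager
            .ConnectionStrings["BankConnectionString"].ConnectionString;

        // Identifiers come only from constants; the user-supplied values are
        // bound as @id and @pin, so the query text never changes with the input.
        string query =
            "SELECT " + COLUMN_ID + ", " + COLUMN_MACHINEPIN +
            " FROM " + PERSON_TABLE +
            " WHERE " + COLUMN_ID + " = @id AND " + COLUMN_MACHINEPIN + " = @pin";

        using (var conn = new SqlConnection(strConnection))
        using (var cmd = new SqlCommand(query, conn))
        {
            // Explicit types and sizes (assumed here) avoid implicit conversions
            // and keep one cached plan for every input.
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@pin", SqlDbType.NVarChar, 50).Value = password;

            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read())
                {
                    return false;   // no row matched id + pin
                }

                // The WHERE clause already matched, but SQL Server's default
                // collation ignores case and trailing spaces. nchar columns come
                // back space-padded (the question's EDIT), so Trim() and then
                // compare ordinally for an exact match.
                string storedId = rdr.GetString(0).Trim();
                string storedPin = rdr.GetString(1).Trim();
                return string.Equals(storedId, userName, StringComparison.Ordinal)
                    && string.Equals(storedPin, password, StringComparison.Ordinal);
            }
        }   // reader, command and connection are disposed even when an exception is thrown
    }
}
```

The project needs a reference to System.Configuration for ConfigurationManager. Comparing the PIN as a plain string mirrors the question's schema; the example only changes how the values reach the database and how they are compared afterwards.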

Try this:

   var username = rdr["Id"].ToString();
   var password = rdr["MachinePin"].ToString();
   Debugger.Break();   // needs using System.Diagnostics;

At the debugger statement, open up the Immediate window and manually type in the comparisons until you determine the root cause.

UserName == username
Password == password

Debugging Tips

Do you know how to open the Immediate Window? Go to Debug/Windows/Immediate. It allows you to type in C# statements at the debug point.

No Data can be read

If rdr["Id"] cannot be read (e.g. an InvalidOperationException), then you have one of the following issues:

  1. Connection string never opened connection
  2. Wrong Database/Table
  3. Incorrect Field Name
  4. Security failure.

You should check status codes for each of your steps; if you are not seeing anything, then this is most likely a security issue, because banks don't advertise what went wrong (makes sense: don't tell hackers anything).

Security Issue

If it's a security issue, you have to drop down to the wire level. Take a trace and look at the return codes. The other side will FIN the session first. You should see a security-layer handshake prior to open communications; if that handshake doesn't work, the session is immediately terminated with no further detail.

Tracing

Wireshark is simple to use, quick to download and shows everything on the wire. Use Wireshark to further dive into things the application layer cannot see.

JWP
  • Once my program gets to var username = rdr["Id"].ToString() I get an InvalidOperationException telling me "Invalid attempt to read when no data is present". So I presume the data is not being read from the database? – SirTeddyHaughian May 30 '17 at 14:54
  • Ok this tells me you need to back up a bit, perhaps the connection string is bad, or maybe the attempt to read was rejected. At this point I would do two things, determine if the connection was made, and if there are any error codes coming back post connection all the way up to the read. Those error codes should tell you what you need to know. For Banks, they are super secure... You are probably hitting a security feature... Just guessing. – JWP May 30 '17 at 15:12
  • If it makes any difference I am able to execute inserts to the database and can see the new values but I just can't read from it – SirTeddyHaughian May 30 '17 at 15:55
  • Ok, next step is to drop to the wire layer, or look very closely at any exceptions when trying to read a record. I am guessing that the read is either malformed or disallowed. If you run a Wireshark trace, tell us what the last read request returned from the host side. – JWP May 30 '17 at 18:12
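The four causes listed in the answer above can be told apart before any row is read, without a wire trace. The following pre-flight check is an added example, not part of JWP's answer or the question: it opens the connection and reports the SqlException number on failure (cause 1 and 4), then looks the table and each column up in INFORMATION_SCHEMA.COLUMNS (causes 2 and 3) and flags fixed-width char/nchar columns, which is the trailing-space padding the question's EDIT found. The column names and the "BankConnectionString" name come from the question; the table name "Person", the class and method names are assumptions. The lookup matches TABLE_NAME across all schemas, which is enough for a single-schema database.

```csharp
// Added example, not part of the question or any answer.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class LoginDiagnostics
{
    // Returns human-readable findings; an empty list means every step succeeded.
    public static List<string> CheckLookup(string connectionString,
                                           string table, params string[] columns)
    {
        var findings = new List<string>();

        using (var conn = new SqlConnection(connectionString))
        {
            try
            {
                conn.Open();    // step 1: can we connect and log in at all?
            }
            catch (SqlException ex)
            {
                // Number is the server-side error class (login failure, unknown
                // database, ...) and says more than a terminated TCP session would.
                findings.Add("Open failed: error " + ex.Number + ": " + ex.Message);
                return findings;
            }

            // steps 2 and 3: does the table exist, and does each column exist?
            const string sql =
                "SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS " +
                "WHERE TABLE_NAME = @table";
            var types = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            using (var cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.Add("@table", SqlDbType.NVarChar, 128).Value = table;
                using (SqlDataReader rdr = cmd.ExecuteReader())
                {
                    while (rdr.Read())
                    {
                        types[rdr.GetString(0)] = rdr.GetString(1);
                    }
                }
            }

            if (types.Count == 0)
            {
                findings.Add("Table '" + table + "' not found in this database");
                return findings;
            }

            foreach (string column in columns)
            {
                string dataType;
                if (!types.TryGetValue(column, out dataType))
                {
                    findings.Add("Column '" + column + "' not found in '" + table + "'");
                }
                else if (dataType == "nchar" || dataType == "char")
                {
                    // Fixed-width types come back space-padded, which is what made the
                    // question's string comparison fail; Trim() or change the column type.
                    findings.Add("Column '" + column + "' is " + dataType +
                                 ": values are padded with trailing spaces");
                }
            }
        }
        return findings;
    }

    public static void Main()
    {
        string cs = ConfigurationManager
            .ConnectionStrings["BankConnectionString"].ConnectionString;
        foreach (string finding in CheckLookup(cs, "Person", "Id", "MachinePin"))
        {
            Console.WriteLine(finding);
        }
    }
}
```

Run it once against the same connection string the application uses: an empty output means the connection, table and columns are all fine and the remaining suspect is the comparison itself (padding or the operator), while any finding points at the exact step to fix.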

Try the below:

if ((UserName == (string)rdr["Id"]) && (Password == (string)rdr["MachinePin"]))
{
    returnBool = true;
}
jamiedanq