-1

I got a project for school and I wanted to create a login form in visual studio. This error appeared. How can I solve this? on the OleDbDataReader rdr = cmd.ExecuteReader(); i got the System.Data.OleDb.OleDbException: 'No value given for one or more required parameters. error and i have no idea why because it is the same as another project that worked. My database is in the bin folder of the project. Help me

    OleDbConnection con = new OleDbConnection();
    public Autentificare()
    {
        InitializeComponent();
        con.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0; Data Source=" + Environment.CurrentDirectory + @"\Librarie.accdb";
    }

    private void buttonautentificare_Click(object sender, EventArgs e)
    {
        if (textBoxparola.Text != "" && textBoxid.Text != "")
        {

            con.Open();
            int ct = 0, id = 0;
            string sql = "select ID_client from Clienti where Parola='" + textBoxparola.Text + "' and E-mail='" + textBoxid.Text + "'";
            OleDbCommand cmd = new OleDbCommand(sql, con);
            OleDbDataReader rdr = cmd.ExecuteReader();

            while (rdr.Read())
            {
                ct++;
                id = int.Parse(rdr[0].ToString());
            }
            if (ct>0)
            {
                MessageBox.Show("Autentificare cu succes!");
                Optiuni f = new Optiuni(id);
                this.Hide();
                f.ShowDialog();

                con.Close();

            }

            else
            {
                MessageBox.Show("Date incorecte!");
                textBoxid.Text = textBoxparola.Text = "";
                con.Close();
            }
        }
    }

} }

Illithya
  • 1
  • 1
  • 1
    The `@` symbol is a place holder for parameters in parameterized queries. And this (parameterized queries) is what you should use anyway instead of inserting user input directly into your query. Your code is vulnerable to [SQL Injection](http://www.bobby-tables.com)! – René Vogt Apr 09 '18 at 12:00
  • 2
    Learn to use parameterized commands. – ngeksyo Apr 09 '18 at 12:01
  • 1
    Usually this means that the table or one of your fields doesn't exist. Check the exact spelling of ID_Client, Clienti, E-Mail and Parola. Particularly problematic is your E-Mail field. Enclose it in square brackets [E-Mail] and finally follow the advice from @RenéVogt Use a parameterized query – Steve Apr 09 '18 at 12:01
  • 1
    What is the **exact** value of `sql`? – mjwills Apr 09 '18 at 12:02
  • @mjwills sql="select ID_client from Clienti where Parola='" + textBoxparola.Text + "' and E-mail='" + textBoxid.Text + "'"; – Illithya Apr 09 '18 at 12:19
  • 1
    I am not asking what the line of code is. I am asking for the **value**. Let's say the line of code was `int bob = 1 + 1;` In that case the value of `bob` is `2`. When you run the code, and the exception is thrown, hover over `sql`. What is its **value**? – mjwills Apr 09 '18 at 12:21
  • what are the value of both of the textboxes – Andrey Kaplun Apr 09 '18 at 12:26

1 Answers1

2

Your problem is caused by the field named E-mail. This is parsed by the Jet engine as an expression: E minus mail and because you don't have any field named E or mail then the Jet engine expects that you give it some parameters for those two words.

You should change your query to 

string sql = @"select ID_client from Clienti 
               where Parola=@parola
                 and [E-mail]=@mail";
OleDbCommand cmd = new OleDbCommand(sql, con);
cmd.Parameters.Add("@parola", OleDbType.VarWChar).Value = textBoxparola.Text;
cmd.Parameters.Add("@mail", OleDbType.VarWChar).Value = textBoxid.Text;

using(OleDbDataReader rdr = cmd.ExecuteReader())
  .....

The problematic field name should be changed in the database table or you need to encapsulate it between square brackets to avoid parsing errors.
Notice also that you should never never concatenate strings to form sql commands. This is a well known way to allow an Sql Injection hack and while Access is more difficult to exploit it is however a good practice to always use parameterized queries. Also without parameters your query will fail simply if someone insert a single quote in the two textboxes used for the query text.

Steve
  • 213,761
  • 22
  • 232
  • 286
  • 1
    You should also mention that by using parameters instead of literal values inside query statements you protect your code against sql injection attacs. – Alexander Powolozki Apr 09 '18 at 12:32
  • @AlexanderPowolozki just a lot of text to write. Added now – Steve Apr 09 '18 at 12:33
  • Also parameters for MS Access are not named, they are position based. So the order they appear in the query is the same order they must be added in the `Parameters` collection. The name has no meaning to the execution context. – Igor Apr 09 '18 at 12:40
  • @Steve Seems the problem was with the E-mail field. Changed its name to Email and it now works. Thank you so much – Illithya Apr 09 '18 at 12:52
  • 2
    Yes, that was pretty simple, but really use parameters now and in future. Do not write commands concatenating strings, look at what happens if you put a single quote in one of your textboxes, even if you don't have data with single quotes to search for – Steve Apr 09 '18 at 12:54