    private void btnLogin_Click(object sender, EventArgs e)
    {
        connection.Open();
        OleDbCommand command = new OleDbCommand();
        command.Connection = connection;
        command.CommandText = "select * from Cafelist where Username = '" + txtUsn.Text + "' and Password = '" + txtPass.Text + "'";
        OleDbDataReader reader = command.ExecuteReader();

        int count = 0;

        while (reader.Read())
        {
            count = count + 1;
        }
        if(count ==1)
        {
            MessageBox.Show("Username and password is correct");
        }
        else if (count > 1)
        {
            MessageBox.Show("Duplicate Found");
        }
        else
        {
            MessageBox.Show("Username/Password Incorrect");
        }


        connection.Close();
    }

Trying to use this code to pull usn and pass for login, and get this error. Tried looking around for a solution but haven't found any similar to my issue. I understand this is probably something really basic, but please go easy as I've only been playing around with C# a couple of weeks and this is my first attempt at using databases.

Not trying to do any security features, just trying to work out why, when I enter text and click login, this error appears. I have been following a YouTube video to try and self-teach (as much as you can with this subject); however, he doesn't hit this error and I have googled myself into oblivion.

Thanks in advance; if any more information is required let me know, as this is my first time posting.

Mutl3y
  • If the error message you get really originates from this bit of code, it must be related to the contents of the textboxes at runtime. You need to use parameters for user name and password, not inject their values into the SQL string: this is called a [sql injection vulnerability](https://stackoverflow.com/a/7505842/1132334) and is probably the most frequent beginner's mistake with SQL queries. The "duplicate found" logic is moot; applications should not care whether or not multiple users have the same password. Unique user names alone can be enforced by a unique key. – Cee McSharpface Dec 07 '18 at 11:18
  • I really hope you're not storing passwords as plain text. You should be hashing a salted password before storing it in a database for any decent level of security. – T_Bacon Dec 07 '18 at 11:23
  • Possible duplicate of [What are good ways to prevent SQL injection?](https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – mjwills Dec 07 '18 at 11:29
  • I run the program and it lets me enter the usn and password but then pops up with the error instantly. Tbacon, I am currently storing as plain text as this is just something I'm playing with at home to get used to the basics before starting to add security measures to the passwords. @mjwills `OleDbDataReader reader = command.ExecuteReader();` is what's throwing me the error – Mutl3y Dec 07 '18 at 11:34
  • https://stackoverflow.com/questions/7528302/debugging-how-do-i-execute-code-line-by-line may assist you finding the line that throws the exception. – mjwills Dec 07 '18 at 11:37
  • BTW, there is a 99.99% chance that the issue is how you are constructing the SQL. You should read my earlier duplicate link. – mjwills Dec 07 '18 at 11:43
  • I'm using Access and saving as 2002-2003, `connection.ConnectionString = @"Provider = Microsoft.Jet.OLEDB.4.0; Data Source = C:\Program Files (x86)\Microsoft Visual Studio\CafeDB1.mdb";` not sure if this is the value you mean? Sorry, I genuinely am really new to this and trying to teach myself with YouTube videos. – Mutl3y Dec 07 '18 at 11:46
  • What is the value of `command.CommandText` (check it in the `Immediate Window`)? – mjwills Dec 07 '18 at 11:50
  • "select * from Cafelist where Username = '" + txtUsn.Text + "' and Password = '" + txtPass.Text + "'"; , is this what you need ? – Mutl3y Dec 07 '18 at 11:53
  • https://blogs.msdn.microsoft.com/devops/2016/07/15/7-ways-to-look-at-the-values-of-variables-while-debugging-in-visual-studio/ – mjwills Dec 07 '18 at 12:05
  • A couple of guesses. Is the database you are connecting to MS Access? If so, are you totally sure that your CafeList table has fields called Username and Password? You will get the error you describe from Access, if one of these fields is incorrectly named. – Jonathan Willcock Dec 07 '18 at 13:31

1 Answer

You need to insert parameters into your query in place of your actual values; the query and the parameters are kept separate on the OleDbCommand. Try replacing your `command.CommandText` like this:

    command.CommandText = "select * from Cafelist where Username = @UserName and Password = @UserPass";

Then you need to give the parameters to the command like this:

    command.Parameters.AddRange(new OleDbParameter[]
    {
        // OleDb binds parameters by position, so add them in the order they appear in the query.
        new OleDbParameter("@UserName", txtUsn.Text),
        new OleDbParameter("@UserPass", txtPass.Text),
        // ...
    });
Diego Osornio
  • Sorry just noticed my reply had not posted, thanks for this, solved the issue straight away :) – Mutl3y Dec 09 '18 at 19:27
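
An added example, not part of the original question or answer: the answer's parameterized query combined with the salted password hash that T_Bacon's comment asks for. The `Cafelist` table and `Username` column come from the question; the `CafeLogin` class, the `PasswordSalt` and `PasswordHash` binary columns and the iteration count are assumptions made for illustration.

```csharp
using System;
using System.Data.OleDb;
using System.Security.Cryptography;

static class CafeLogin   // hypothetical helper class, not from the original post
{
    // Assumed schema: PasswordSalt and PasswordHash binary columns replace
    // the plain-text Password column used in the question.
    const string Query =
        "select PasswordSalt, PasswordHash from Cafelist where Username = @UserName";
    const int Iterations = 100000;   // constructed value; tune for your hardware

    public static bool CredentialsMatch(string connectionString, string userName, string password)
    {
        using (var connection = new OleDbConnection(connectionString))
        using (var command = new OleDbCommand(Query, connection))
        {
            // The value travels separately from the SQL text, so an apostrophe
            // in the name (O'Brien) can neither break nor change the statement.
            // OleDb binds by position; "@UserName" is only a label.
            command.Parameters.Add("@UserName", OleDbType.VarWChar, 255).Value = userName;
            connection.Open();
            using (OleDbDataReader reader = command.ExecuteReader())
            {
                if (!reader.Read()) return false;            // unknown user
                var salt = reader["PasswordSalt"] as byte[];
                var stored = reader["PasswordHash"] as byte[];
                // Reject NULL or malformed rows before touching the KDF.
                if (salt == null || salt.Length < 8) return false;
                if (stored == null || stored.Length == 0) return false;
                return FixedTimeEquals(stored, Hash(password, salt, stored.Length));
            }
        }
    }

    // PBKDF2-HMAC-SHA256 over the submitted password and the stored salt.
    static byte[] Hash(string password, byte[] salt, int length)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(length);
    }

    // Compare every byte so the time taken does not reveal the first mismatch.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The `using` blocks also close the connection when `ExecuteReader` throws, which the click handler in the question does not do.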