Recieving error: unhandled exception...
-
Topic cont'd... of type 'System.Data.Odbc.OdbcException' occurred in system.data.dll Additional Information : System error First of all hello, this is my first post, great site here, seems like their a lot of knowledgable people. Anyway I am just beginning to learn C#. I am creating a program for where I work for employees to login with a username and password and after successfully logging in they can clock in and clock out. I am working on the login page first, known as form1 in my project. When the user clicks the "Login" button(known as button1) I would like it to load the next form where the user will be able to clock in and clock out. All the usernames and passwords are on a Access table. They will not be able to create their own but just use the preset ones. I want the program to check if what the user entered in as the username and password match whats on the table and if it does not, then it will display an error. Here is a little snip of my code and I will point out which line the error points to:
public void button1_Click(object sender, System.EventArgs e) { OdbcDataReader myReader; string myConnString = "DSN=MS Access Database;DefaultDir=C:\\DOCUMENTS AND SETTINGS\\OWNER\\MY DOCUMENTS;DriverId=25;DBQ=C:\\DOCUMENTS AND SETTINGS\\OWNER\\MY DOCUMENTS\\login.mdb;MaxBufferSize=2048;FIL=MS Access;PageTimeout=5;UID=admin"; //string password; string mySelectQuery = "SELECT Username, Password FROM tblLogin WHERE Username = " + txtUserName.Text; OdbcConnection myConnection = new OdbcConnection(myConnString); OdbcCommand myCommand = new OdbcCommand(mySelectQuery,myConnection); myConnection.Open(); [CODE]myReader = myCommand.ExecuteReader();[/CODE] while(myReader.IsDBNull(0)) { lblErrorUser.Visible=true; }The error points to the myReader = myCommand.ExecuteReader() line. It does open the connection fine but when I click the Login button the error above comes up. If I comment in that line(using //) and the while loop, the program runs fine, well doesnt do what I want it to do but when I click the Login button it opens form2. I believe it has something to do with the myReader variable. I have declared it as OdbcDataReader myReader where I have all my functions declared. I just noticed that their is a blue squiggly under the myReader where its declared. Also, just want to mention that before this 'system error' I was recieving the following error: Exception Details: System.NullReferenceException: Object reference not set to an instance of a -
Topic cont'd... of type 'System.Data.Odbc.OdbcException' occurred in system.data.dll Additional Information : System error First of all hello, this is my first post, great site here, seems like their a lot of knowledgable people. Anyway I am just beginning to learn C#. I am creating a program for where I work for employees to login with a username and password and after successfully logging in they can clock in and clock out. I am working on the login page first, known as form1 in my project. When the user clicks the "Login" button(known as button1) I would like it to load the next form where the user will be able to clock in and clock out. All the usernames and passwords are on a Access table. They will not be able to create their own but just use the preset ones. I want the program to check if what the user entered in as the username and password match whats on the table and if it does not, then it will display an error. Here is a little snip of my code and I will point out which line the error points to:
public void button1_Click(object sender, System.EventArgs e) { OdbcDataReader myReader; string myConnString = "DSN=MS Access Database;DefaultDir=C:\\DOCUMENTS AND SETTINGS\\OWNER\\MY DOCUMENTS;DriverId=25;DBQ=C:\\DOCUMENTS AND SETTINGS\\OWNER\\MY DOCUMENTS\\login.mdb;MaxBufferSize=2048;FIL=MS Access;PageTimeout=5;UID=admin"; //string password; string mySelectQuery = "SELECT Username, Password FROM tblLogin WHERE Username = " + txtUserName.Text; OdbcConnection myConnection = new OdbcConnection(myConnString); OdbcCommand myCommand = new OdbcCommand(mySelectQuery,myConnection); myConnection.Open(); [CODE]myReader = myCommand.ExecuteReader();[/CODE] while(myReader.IsDBNull(0)) { lblErrorUser.Visible=true; }The error points to the myReader = myCommand.ExecuteReader() line. It does open the connection fine but when I click the Login button the error above comes up. If I comment in that line(using //) and the while loop, the program runs fine, well doesnt do what I want it to do but when I click the Login button it opens form2. I believe it has something to do with the myReader variable. I have declared it as OdbcDataReader myReader where I have all my functions declared. I just noticed that their is a blue squiggly under the myReader where its declared. Also, just want to mention that before this 'system error' I was recieving the following error: Exception Details: System.NullReferenceException: Object reference not set to an instance of aThe problem you're having is that
Usernameis a string field, so you need to quote your field:"SELECT Username, Password FROM tblLogin WHERE Username = '" + txtUIserName.Text + "'"
BUT NEVER, EVER build SQL expressions using concatenation. Sorry, but that isn't very smart at all. What if I pass "blah' AND 1=1; drop table tblLogin" from your
TextBox? Bye bye login table. It's even worse that you store passwords in plain text. I could, instead, select all those and impersonate any user on your system. Can you say "lawsuits"? Read http://www.codeproject.com/script/comments/forums.asp?msg=932507&forumid=1649&XtraIDs=1649&searchkw=parameterized&sd=7%2F8%2F2004&ed=10%2F6%2F2004#xx932507xx[^] for other problems and more things I could do using your SQL concatenation code. ALWAYS use parameterized queries. Read the link above for an example, or theOleDbParameterclass documentation in the .NET Framework SDK. Also, your expression is very insecure besides not using parameterized queries. Don't select the password as part of the result set. Send the password and use it in the WHERE clause like so:SELECT COUNT(*) FROM tblLogin WHERE Username = ? AND Password = ?
In fact, even that's bad. You should never store passwords in plain text. Hash them using a one-way algorithm like MD5 or SHA1, both of which are supported by the .NET Framework base class libraries (see the
MD5andSHA1class). Hash the password before sending it to the database server (and I assume this is actually for an ASP.NET application, which belongs in the ASP.NET forum but I'll continue anyway) or across the wire, then compare that to the hash you store in the Password field (using the same query as above). In fact, even that's insecure. It's subject to replay attacks where someone sniffs your password and while they might not be able to unhash or decrypt it (at least with a given amount of time and resources), they could simply capture the packets, play them back, and you've been 0wned. Instead, store a salt, send it to the client, hash your password + the salt value and s