C# and database

    Harry2000 wrote (post #1):

    I have a Windows form named Login and a database with a table named Login; it has two fields, usernm and pwd. usernm is to hold user names and pwd is to hold passwords. OK, on the form I have two text boxes named user_name and user_password, and two buttons. I want this to check the user name and password. I have made a SqlConnection named sqlConn. I have made a SqlCommand named sqlcommand1. I have made a SqlDataReader named dataReader. Here is part of my code. What am I doing wrong with my string?

    void check_password()
    {
        string query = string.Format(S"SELECT * FROM BankLogin where usernm= '{0}' and pwd= '{1}'", user_name.Text, user_password);
        sqlConn.Open();
        sqlcommand(query, sqlConn);
        slqcommand1.ExecuteReader();
    }

    Harrison Brock

      Heath Stewart wrote (post #2):

      How can we even know what's wrong if you don't tell us what exception you're getting? I will say this, though: don't create SQL statements using string formatting anymore! That's an old hack that is riddled with encoding problems. What if the username and/or password contains a double or single quote? This forces you to have to encode the strings yourself. Instead, use parameterized queries, which are much more elegant, powerful, and allow for easy batch updates. Use the appropriate DbParameter derivative class. So, if you're using System.Data.SqlClient.SqlCommand, then use the System.Data.SqlClient.SqlParameter. You declare the parameters using "@name" and then you can set their values at any time before executing the statement and can even receive output parameters (if the OLE DB driver supports it). So, your statement becomes this:

      using System;
      using System.Data;
      using System.Data.SqlClient;

      SqlConnection conn = new SqlConnection(
          "Data Source=COMPUTERNAME; Initial Catalog=DBName; Integrated Security=SSPI");
      SqlCommand cmd = conn.CreateCommand();
      // Placeholders are declared with "@name"; their values travel separately from the SQL text.
      cmd.CommandText = "SELECT * FROM BankLogin WHERE usernm=@usernm AND pwd=@pwd";
      SqlParameter usernm = cmd.Parameters.Add("@usernm", SqlDbType.NVarChar, 40);
      SqlParameter pwd = cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 40);
      SqlDataReader reader = null;
      try
      {
          // The connection must be open before ExecuteReader is called.
          conn.Open();
          usernm.Value = "username";
          pwd.Value = "password";
          reader = cmd.ExecuteReader();
      }
      catch (Exception ex)
      {
          Console.Error.WriteLine("Error: {0}", ex.Message);
      }
      finally
      {
          // Release the reader first, then the connection.
          if (reader != null) reader.Close();
          conn.Close();
      }

      You don't have to worry about encoding the text and you can simply change the values and run the query again if needs be. See the documentation for the SqlDataReader in the .NET Framework SDK for more information and examples.

      Microsoft MVP, Visual C# My Articles

        ingramj wrote (post #3):

        G'Day Harrison, I can't help you with the question that you asked, but I can tell you something that will help you down the track: I recently tried to do the same thing and store a user's login information in a database. This is bad practice because the user's information can be easily read from the database! You should use encryption and decryption.

        Jon
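An added example (not code from any poster in this thread) that combines the two points raised in the replies: the user name is passed as the `@usernm` parameter, and the `BankLogin` table holds a per-user salt and a PBKDF2 hash instead of a readable password. The `pwd_salt` and `pwd_hash` columns, the `LoginCheck` class and the iteration count are assumptions made for illustration; the `Rfc2898DeriveBytes` constructor that takes a `HashAlgorithmName` requires .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

static class LoginCheck
{
    const int Iterations = 100000; // PBKDF2 work factor (assumed value; tune for your hardware)
    const int HashBytes = 32;      // length of the stored hash in bytes

    // Value stored at registration time: PBKDF2-HMAC-SHA256 over the password and a per-user salt.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte without returning early, so timing does not reveal how many bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // conn must already be open. pwd_salt and pwd_hash are hypothetical NOT NULL VARBINARY columns
    // that replace the plain-text pwd column.
    public static bool CheckPassword(SqlConnection conn, string userName, string password)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // Only the user name reaches the database, and only as a parameter value.
            cmd.CommandText = "SELECT pwd_salt, pwd_hash FROM BankLogin WHERE usernm = @usernm";
            cmd.Parameters.Add("@usernm", SqlDbType.NVarChar, 40).Value = userName;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // no such user
                byte[] salt = (byte[])reader["pwd_salt"];
                byte[] stored = (byte[])reader["pwd_hash"];
                // Recompute the hash from the typed password and compare with the stored one.
                return FixedTimeEquals(stored, HashPassword(password, salt));
            }
        }
    }
}
```

At registration, generate the salt with `RandomNumberGenerator` (16 random bytes is a common choice) and store it next to the output of `HashPassword`.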
