what is wrong in this code
-
private void button1_Click(object sender, EventArgs e) { string strDSN = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\\db4.MDB"; string strSQL = "SELECT * FROM ta1"; OleDbConnection myConn = new OleDbConnection(strDSN); OleDbDataAdapter myCmd = new OleDbDataAdapter(strSQL, myConn); DataSet dtSet = new DataSet(); string sqlQuery = "SELECT Name,Password FROM ta1 where Name = '" + textBox1.Text.ToString() + "' AND Password= '" + textBox2.Text.ToString() + "'"; myCmd.SelectCommand.CommandText = sqlQuery; int numberOfRowsFeched = myCmd.Fill(dtSet, "ta1"); if (numberOfRowsFeched > 0) { try { myCmd.UpdateCommand.CommandText = "UPDATE Users SET " + "Password = '" +textBox3.Text + "'" + " WHERE Name = '" + textBox1.Text + "'"; myCmd.UpdateCommand.Connection = myConn; myCmd.UpdateCommand.ExecuteNonQuery(); MessageBox.Show("Record updated Successfully"); textBox1.Text = ""; textBox2.Text = ""; textBox3.Text = ""; } catch (System.Data.OleDb.OleDbException exp) { myConn.Close(); MessageBox.Show(exp.Message); } } else { MessageBox.Show("wrong Name Or Password", "Password", MessageBoxButtons.OK, MessageBoxIcon.Information); textBox1.Text = ""; textBox2.Text = ""; textBox3.Text = ""; } message : http://www.cpestudents.net/upload/up/54.gif[^]
-
private void button1_Click(object sender, EventArgs e) { string strDSN = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\\db4.MDB"; string strSQL = "SELECT * FROM ta1"; OleDbConnection myConn = new OleDbConnection(strDSN); OleDbDataAdapter myCmd = new OleDbDataAdapter(strSQL, myConn); DataSet dtSet = new DataSet(); string sqlQuery = "SELECT Name,Password FROM ta1 where Name = '" + textBox1.Text.ToString() + "' AND Password= '" + textBox2.Text.ToString() + "'"; myCmd.SelectCommand.CommandText = sqlQuery; int numberOfRowsFeched = myCmd.Fill(dtSet, "ta1"); if (numberOfRowsFeched > 0) { try { myCmd.UpdateCommand.CommandText = "UPDATE Users SET " + "Password = '" +textBox3.Text + "'" + " WHERE Name = '" + textBox1.Text + "'"; myCmd.UpdateCommand.Connection = myConn; myCmd.UpdateCommand.ExecuteNonQuery(); MessageBox.Show("Record updated Successfully"); textBox1.Text = ""; textBox2.Text = ""; textBox3.Text = ""; } catch (System.Data.OleDb.OleDbException exp) { myConn.Close(); MessageBox.Show(exp.Message); } } else { MessageBox.Show("wrong Name Or Password", "Password", MessageBoxButtons.OK, MessageBoxIcon.Information); textBox1.Text = ""; textBox2.Text = ""; textBox3.Text = ""; } message : http://www.cpestudents.net/upload/up/54.gif[^]
-
private void button1_Click(object sender, EventArgs e) { string strDSN = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\\db4.MDB"; string strSQL = "SELECT * FROM ta1"; OleDbConnection myConn = new OleDbConnection(strDSN); OleDbDataAdapter myCmd = new OleDbDataAdapter(strSQL, myConn); DataSet dtSet = new DataSet(); string sqlQuery = "SELECT Name,Password FROM ta1 where Name = '" + textBox1.Text.ToString() + "' AND Password= '" + textBox2.Text.ToString() + "'"; myCmd.SelectCommand.CommandText = sqlQuery; int numberOfRowsFeched = myCmd.Fill(dtSet, "ta1"); if (numberOfRowsFeched > 0) { try { myCmd.UpdateCommand.CommandText = "UPDATE Users SET " + "Password = '" +textBox3.Text + "'" + " WHERE Name = '" + textBox1.Text + "'"; myCmd.UpdateCommand.Connection = myConn; myCmd.UpdateCommand.ExecuteNonQuery(); MessageBox.Show("Record updated Successfully"); textBox1.Text = ""; textBox2.Text = ""; textBox3.Text = ""; } catch (System.Data.OleDb.OleDbException exp) { myConn.Close(); MessageBox.Show(exp.Message); } } else { MessageBox.Show("wrong Name Or Password", "Password", MessageBoxButtons.OK, MessageBoxIcon.Information); textBox1.Text = ""; textBox2.Text = ""; textBox3.Text = ""; } message : http://www.cpestudents.net/upload/up/54.gif[^]
mm310 wrote:
what is wrong in this code
You have left it wide open to SQL Injection Attacks. While the other response you got will apparently fix your problem it still leaves your code open to attack. You should read: SQL Injection Attacks and Tips on How to Prevent Them[^] This will explain a better way to perform your queries that will solve your problem AND make your code safer - Especially for code dealing with a login. What you have here is unforgivable and any tutorial that you have read that suggests you build SQL this way should be recalled and the author lined up and shot! (in my opinion). No wonder Software Developers have a bad reputation when it comes to security if developers think that concatenating strings together to form a SQL query is acceptable on a day-to-day basis. String concatenation as a way to build a SQL statement should only be done after careful consideration that there is absolutely no other way to achieve the desired result. Sorry for my rant. It isn't your fault - You've obviously read the wrong tutorials and have picked up some extremely dangerous habits. ColinMackay.net Scottish Developers are looking for speakers for user group sessions over the next few months. Do you want to know more?
