vb.net with login form using sql?!?!?

Question

Smalls 2 Junior Developer

12 Years Ago

What I'm trying to do is have a login type windows form to take a user name and password then compare these with data in the db then open an admin type form. I've been trying to get this to work for a few days now with no luck, about 90% of the code below is a peice together from various forums trying to get it to work.

i no longer get an error 26 connection cant be made or what may have you, but now i get "Login failed for user ''.", not quite should what this means or how to go about it

Private Sub LoginB_Click(sender As System.Object, e As System.EventArgs) Handles LoginB.Click
        Try
            Dim con As New SqlConnection("Data Source=.\SQLEXPRESS;Database=C:\tcdb\tcdb.sdf;")
            Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)
            con.Open()
            Dim sdr As SqlDataReader = cmd.ExecuteReader()
            ' If the record can be queried, it means passing verification, then open another form.   
            If (sdr.Read() = True) Then
                MessageBox.Show("The user is valid!")
                Admin.Show()
                Me.Hide()
            Else
                MessageBox.Show("Invalid username or password!")
            End If
            con.Close()
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try

ps. sdf db has no user/pass needed to open... i think
i didnt set one and the whole app doesnt use one and loads binded data within another form without any problem whatsoever

thanks in adv

sql vb.net

7 Contributors
13 Replies
3K Views
5 Years Discussion Span
Latest Post 7 Years Ago Latest Post by akash_12

poojavb 29 Junior Poster

12 Years Ago

What I'm trying to do is have a login type windows form to take a user name and password then compare these with data in the db then open an admin type form. I've been trying to get this to work for a few days now with no luck, about 90% of the code below is a peice together from various forums trying to get it to work.
i no longer get an error 26 connection cant be made or what may have you, but now i get "Login failed for user ''.", not quite should what this means or how to go about it
Private Sub LoginB_Click(sender As System.Object, e As System.EventArgs) Handles LoginB.Click
        Try
            Dim con As New SqlConnection("Data Source=.\SQLEXPRESS;Database=C:\tcdb\tcdb.sdf;")
            Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)
            con.Open()
            Dim sdr As SqlDataReader = cmd.ExecuteReader()
            ' If the record can be queried, it means passing verification, then open another form.   
            If (sdr.Read() = True) Then
                MessageBox.Show("The user is valid!")
                Admin.Show()
                Me.Hide()
            Else
                MessageBox.Show("Invalid username or password!")
            End If
            con.Close()
        Catch ex As Exception
            MessageBox.Show(ex.Message)
        End Try
ps. sdf db has no user/pass needed to open... i think
i didnt set one and the whole app doesnt use one and loads binded data within another form without any problem whatsoever
thanks in adv

Try to open the connection before the SQL query....

u have opened the connection after the query

Pgmer 50 Master Poster

12 Years Ago

And also make sure that u have passed the correct credential for server.

Reverend Jim 4,968 Hi, I'm Jim, one of DaniWeb's moderators.

12 Years Ago

Change the statement

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

to remove the parentheses around the table name. The proper syntax is

select field1,field2,etc from table where etc

not

select field1,field2,etc from(table) where etc

jbennet 1,618 Most Valuable Poster

12 Years Ago

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

NO. BAD!
This is open to a SQL Injection Attack. Security hole. Dont simply append the strings. You should be using what is called a prepared statement, with paramaters.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

mani-hellboy -10 Junior Poster in Training · Answer 1 · 2012-02-14T16:58:12+00:00

hey man saw your connection string where your username & pwd and provider

Smalls 2 Junior Developer · Answer 2 · 2012-02-15T10:21:01+00:00

as for connection after query, i dont see it
i updated command syntax
removed parenthesis
mani... i dont understand

still get
Login failed for user ".

completely lost
if anyone has a better way to go about this please feel free

as for me, i think i failed to mention that i am a complete noob with sql!
lol

any help is greatly appreciated
thnx in adv

score 0 · Answer 3 · 2012-02-16T00:59:17+00:00

Reverend Jim 4,968 Hi, I'm Jim, one of DaniWeb's moderators.

12 Years Ago

Can you please elaborate on

prepared statement, with paramaters

Edited 12 Years Ago by Reverend Jim because: n/a

jbennet 1,618 Most Valuable Poster Team Colleague Featured Poster · Answer 4 · 2012-02-16T03:57:58+00:00

Read:
http://en.wikipedia.org/wiki/Prepared_statement
http://en.wikipedia.org/wiki/SQL_injection

If you have, for example,

"SELECT Price FROM Products WHERE ProductName = '" + some_variable + "'";

And i entered into into the product name search box:
"cheese';DROP TABLE Products WHERE '1' = '1"

Then the following code would be executed

"SELECT Price FROM Products WHERE ProductName = 'cheese';DROP TABLE Products WHERE '1' = '1'";

And the table would be dropped! (see how i run my own query there)

Therefore you must use prepared statements and paramaters.

score 0 · Answer 5 · 2012-02-16T04:04:58+00:00

Reverend Jim 4,968 Hi, I'm Jim, one of DaniWeb's moderators.

12 Years Ago

Interesting. Thanks for the post.

Edited 12 Years Ago by Reverend Jim because: n/a

jbennet 1,618 Most Valuable Poster Team Colleague Featured Poster · Answer 6 · 2012-02-16T04:05:41+00:00

jbennet 1,618 Most Valuable Poster

12 Years Ago

This is how 99% of sites get hacked.... Amateur mistake.

score 0 · Answer 7 · 2012-02-16T04:18:19+00:00

Never had to write a user inteface for a database. All of my stuff was automated, infrastructure/data mining/massaging/import/export behind safe firewall stuff. I'm glad I never had to worry about things like that.

Smalls 2 Junior Developer · Answer 8 · 2012-02-16T11:22:39+00:00

the idea that im working with at the moment is to get it to work. then once working, strengthen security from there. but i completely understand your point mr bennet.

but, back to the target subject at hand, am i completely missing what and how sql does what it does or is something off???

sql server configuration manager indicates that sqlexpress is running,
no longer get connection not made, db not found error,
but is now replaces by null user login failed,

total sql noob that got lost somewhere between points a and b! lol

to sum up, all i need is a working model, from there i can build out and up! lol

thank you everyone for your time and thanks for any help in advance, it is greatly appreciated

akash_12 0 Newbie Poster · Answer 9 · 2017-09-13T12:06:12+00:00

Change the statement

Dim cmd As New SqlCommand("SELECT Username, Password FROM(Users) WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

to remove the parentheses around the table name. The proper syntax is

Dim cmd As New SqlCommand("SELECT Username, Password FROM Users WHERE (Username = '" & UserTXT.Text & "') AND (Password = '" & PassTXT.Text & "')", con)

remove the pranthese from table name..............