Member Avatar for Haquo

Hello all, I was hoping You could help me with this. The code below is for the login screen in my project.
the data is selected from UsersList (UserID,FirstName,LastName,UserDOB,UserUsername,UserPassword,UserAdmin)
What way can I modify the "cmd" command to check if the value for UserAdmin is true and display a message box saying "admin" if the value is true ?

namespace Transport_Management_System_Tools
{
    public partial class LoginPage : Form
    {
        public LoginPage()
        {
            InitializeComponent();
        }
        private void LoginPage_Load(object sender, EventArgs e)
        {

        }
        private void btnLogin_Click(object sender, EventArgs e)
        {
            OleDbDataAdapter dataAdapter;
            sqlConnector Connector = new sqlConnector();
            OleDbConnection connection;
            connection = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=Database.accdb;Persist Security Info=False");
            connection.Open();
            DataTable dataTable = new DataTable();
            DataTable adminTable = new DataTable();
            OleDbCommand cmd = new OleDbCommand("SELECT UserUsername,UserPassword,UserAdmin FROM UsersList WHERE UserUsername='" + txtboxLogin.Text + "'AND UserPassword='" + txtboxPassword.Text + "'", connection);
            dataAdapter = new OleDbDataAdapter(cmd);
            dataAdapter.Fill(dataTable);

            if (dataTable.Rows.Count > 0)
            {
                this.Hide();
                Main main = new Main();
                main.Show();
            }
            else
            {
                MessageBox.Show("Incorrect Username or Password");
            }
        }



    }
}
  • 2 Contributors
  • 1 Reply
  • 2K Views
  • 5 Hours Discussion Span
  • Latest Post Latest Post by akvasov
Member Avatar for akvasov

First: do not use SQL like this one:
"SELECT UserUsername,UserPassword,UserAdmin FROM UsersList WHERE UserUsername='" + txtboxLogin.Text + "'AND UserPassword='" + txtboxPassword.Text + "'"
you must use query parameter everywhere to avoid SQL injection.

Second: password should be at least encoded in database. The best practice to only store password hash, but not exact password.

Last: you don't need to modify "cmd" you can get first row from datatable and check UserAdmin field.

            if (dataTable.Rows.Count > 0)
            {
                bool isAdmin = (bool)dataTable.Rows[0]["UserAdmin"];
            }
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.