public partial class FormLogin : Form
{
private OleDbConnection connection = new OleDbConnection();
//private bool CheckUserName = false;
public FormLogin()
{
InitializeComponent();
connection.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=D:\Class\This Semester\C#\Code\Access Login App\Database1.accdb;Persist Security Info=False;";
}
private void Form1_Load(object sender, EventArgs e)
{
try
{
connection.Open();
DBCheckLabel.Text = "Connected";
connection.Close();
} catch(Exception ex)
{
MessageBox.Show("Error:" + ex);
}
}
private void log_in_btn_Click(object sender, EventArgs e)
{
try
{
OleDbCommand command = new OleDbCommand();
connection.Open();
command.Connection = connection;
command.CommandText = "select * from acctbl where Username=" + txt_bx_Username.Text + "and Password ='" + txt_bx_Password.Text + "';";
OleDbDataReader reader = command.ExecuteReader();
while (reader.Read())
{
string username = reader.GetValue(reader.GetOrdinal("UserName")).ToString();
string password = reader.GetValue(reader.GetOrdinal("Password")).ToString();
if (username.Equals(txt_bx_Username.Text))
{
if (password.Equals(txt_bx_Password.Text))
{
this.Hide();
FormProfile f1 = new FormProfile();
f1.Show();
}
else
MessageBox.Show("Incorrect Pass");
}
else
MessageBox.Show("Incorrect Username");
}
reader.Close();
connection.Close();
}
catch (Exception ex)
{
MessageBox.Show("Error: " + ex);
connection.Close();
}
}
}
Here is the code for Login Page. It goes to next from if the user name and password is correct but don't show message in else block if user name or password not matched.
private void log_in_btn_Click(object sender, EventArgs e)
{
try
{
OleDbCommand command = new OleDbCommand();
connection.Open();
command.Connection = connection;
command.CommandText = "select `UserName`, `Password` from acctbl;";
OleDbDataReader reader = command.ExecuteReader();
while (reader.Read())
{
string username = reader.GetValue(reader.GetOrdinal("UserName")).ToString();
string password = reader.GetValue(reader.GetOrdinal("Password")).ToString();
if (username.Equals(txt_bx_Username.Text))
{
if (password.Equals(txt_bx_Password.Text))
{
this.Hide();
FormProfile f1 = new FormProfile();
f1.Show();
}
else
{
MessageBox.Show("Incorrect Pass");
}
}
else
{
MessageBox.Show("Incorrect Username");
}
}
reader.Close();
connection.Close();
}
catch (Exception exbtn)
{
MessageBox.Show("Error" + exbtn);
connection.Close();
}
}
After got help from this site I coded it right as below. Get all value from Database record and check if it match with entered Username then check if match with recorded password. IF not then it shows the message box. Now it works fine.
Your code is dangerous.
There are several security issues with it.
The reason your code does not work is quite simple: you try to read a record from the database with the given username and password. If the username or password is incorrect, you do not retrieve any record, so
while(reader.Read())never executes.If you do retrieve a record, it is utterly useless to compare username and password, they will always match because you just read them from the database.
Fix your SQL-injection issue, store password hashes instead of plain text passwords and use a different algorithm to check:
Either try to read a records from your database with the given username and hashed password and return an error if no record is found, or read a record from the database with only the username an check the retrieved password hash.
In either case, simply return a generic error message if anything is wrong. Do not give out information about it being the username or the password that is wrong. Just a simple "incorrect username or password" is enough.