1

I have a sample form like this:

image

I have created a dbconnect class with a select method, which goes like this:

public List<string>[] Select(string username, string password)
{
    string query = "SELECT * FROM ms_user where username = '" + username + 
        "' and password = '" + password + "'";

    //Create a list to store the result
    List<string>[] list = new List<string>[2];
    list[0] = new List<string>();
    list[1] = new List<string>();           

    //Open connection
    if (this.OpenConnection() == true)
    {
        //Create Command
        MySqlCommand cmd = new MySqlCommand(query, connection);
        //Create a data reader and Execute the command
        MySqlDataReader dataReader = cmd.ExecuteReader();

        //Read the data and store them in the list
        while (dataReader.Read())
        {
            list[0].Add(dataReader["username"] + "");
            list[1].Add(dataReader["password"] + "");                    
        }

        //close Data Reader
        dataReader.Close();

        //close Connection
        this.CloseConnection();

        //return list to be displayed
        return list;
    }
    else
    {
        return list;
    }
}

How do I use this method for login, since the method returns a list and not true or false to check whether the value exists in the database?

Otiel
Cignitor
  • no obvious research effort, voting to close – Gung Foo Mar 14 '13 at 08:21
  • Are you saying you need to return the list and a true or false? (You could use an `out` parameter for that.) Your code can be improved, by the way, by moving list outside of the if statement; then you wouldn't need the else – Sayse Mar 14 '13 at 08:22
  • because I have no idea what to do with that returned list :( – Cignitor Mar 14 '13 at 08:22
  • Before you start working you should learn something about "how to store passwords" and how to do SQL queries without opening exploit vectors. – TGlatzer Mar 14 '13 at 08:24
  • @Cignitor Yeah - somebody will hack you that DB like there is no tomorrow with this approach. ;) – nikib3ro Mar 14 '13 at 08:25
  • Wow, thank you sir! Those inputs are awesome, but I'm learning to use MySQL with C# :) – Cignitor Mar 14 '13 at 08:27
  • @Cignitor I've left you an answer with some links. I don't think that the primary thing here is that you get the answer to your problem (since the answer would be trivial - return null instead of List if user is not found). Rather, I believe that you just need to gain a bit better understanding of the "right" way to use SQL within your C# apps. Good luck learning! – nikib3ro Mar 14 '13 at 08:37

4 Answers

1
// Select returns an array of two lists; list[0] holds the matched usernames
bool loginSuccessful = Select(username, password)[0].Count > 0;

But please, look into resources on how to store passwords in a database (for instance, this one), and on SQL injection (for example, this one).

Community
Otiel
0

I'd add a variable inside the reader which increments whenever the user account has been found and matched.

    int x = 0; // number of rows that matched the username and password
    if (this.OpenConnection() == true)
    {
        //Create Command
        MySqlCommand cmd = new MySqlCommand(query, connection);
        //Create a data reader and Execute the command
        MySqlDataReader dataReader = cmd.ExecuteReader();

        //Read the data and store them in the list
        while (dataReader.Read())
        {
            list[0].Add(dataReader["username"] + "");
            list[1].Add(dataReader["password"] + ""); 
            x++;
        }

        //close Data Reader
        dataReader.Close();

        //close Connection
        this.CloseConnection();

        //return the number of matching rows
        return x;
    }

Then, use a control structure within your application which checks if x > 0. If it is, log in the user.

Malcolm Salvador
0

Wow, looks like you need to learn to build queries and SQL injection.

Also password, hashes, encryption and salt.

Then exceptions.

Then remove the (+ "") that doesn't fit a typed language and is poor form in most.

Then the == true test is bad style, redundant.

Hylaean
0

I think that rather than directly answering your question (since it's trivial - you just return null instead of List if user is not found) you would be better off getting some resources to more reading material.

I think you would especially benefit if you read a bit about SQL injection: http://www.unixwiz.net/techtips/sql-injection.html

After that, read the following tutorial - it's pretty good: http://zetcode.com/db/mysqlcsharptutorial/

Finally, I would recommend that, at least until you get some experience under your belt, you always stick with MySqlParameter when it comes to passing values into your SQL. Check out this question on StackOverflow -> Parameterized Query for MySQL with C#

Community
nikib3ro
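
A login check along the lines the answers recommend, as an added example that is not part of any answer above: the username is passed through a `MySqlParameter`, and the password is verified against a salted PBKDF2 hash instead of being compared inside the SQL. The `Login` method, the `password_salt` and `password_hash` columns (Base64 text), the PBKDF2 parameters and the use of .NET 6 or later are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using MySql.Data.MySqlClient;

public class DbConnect
{
    // Assumed PBKDF2 parameters for this example.
    private const int Iterations = 100000;
    private const int HashBytes = 32;
    private readonly string connectionString;

    public DbConnect(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Returns true only if the user exists and the password matches.
    public bool Login(string username, string password)
    {
        // A placeholder instead of string concatenation: the value travels as
        // data and cannot change the structure of the statement.
        const string query =
            "SELECT password_salt, password_hash FROM ms_user WHERE username = @username";

        using (var connection = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(query, connection))
        {
            cmd.Parameters.AddWithValue("@username", username);
            connection.Open();

            using (MySqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false; // unknown user

                // Hypothetical columns holding the per-user salt and the hash.
                byte[] salt = Convert.FromBase64String(reader.GetString(0));
                byte[] stored = Convert.FromBase64String(reader.GetString(1));

                // Re-derive the hash from the submitted password and the stored salt.
                byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
                    password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);

                // Constant-time comparison avoids leaking how many bytes matched.
                return CryptographicOperations.FixedTimeEquals(candidate, stored);
            }
        }
    }
}
```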