Login form doesn't accept variable characters

Question

Initially I set both columns, username and pass, in my database(SQL Server 2012) as int in the employeeinfo table. When I entered the correct credentials, I was able to log in successfully.

However, when I changed both both columns, username and pass, to varchar(50) and entered the correct credentials, I get a message indicating username and password were incorrect.

Any idea why? Code posted below.

private void loginbutton_Click(object sender, RoutedEventArgs e)
{
    SqlConnection con = new SqlConnection(ConString);
    try
    {
        con.Open();
        string query = "select * from employeeinfo where username='" +
            this.txt_username.Text + "' and pass=' " + 
            this.txt_password.Password +"' ";
        SqlCommand cmd = new SqlCommand(query, con);

        cmd.ExecuteNonQuery();
        SqlDataReader dr =  cmd.ExecuteReader();

        int count = 0;
        while (dr.Read())
        {
            count++;
        }
        if (count == 1)
        {
            MessageBox.Show("Open Sesame!");
            second sec = new second();
            sec.ShowDialog();
        }
        if (count > 1)
        {
            MessageBox.Show("Note to developer: Enforce unique constraints!");
        }
        if (count < 1)
        {
            MessageBox.Show("Username and password is not correct. Please try again!");
        }

    }
    catch (Exception ex)
    {

        MessageBox.Show(ex.Message);
    }
}

Side note, never store passwords in plaintext in a database.. also, why are you calling executenonquery? — Dan Drews, Feb 24 '14 at 23:55
Side note about your code and SQL parameters. Read about SQL injection http://stackoverflow.com/questions/541620/sql-injection-in-net — Hardrada, Feb 24 '14 at 23:57

score 2 · Answer 1 · answered Feb 25 '14 at 00:01

Try use parameters :

        cmd.CommandText = "select * from employeeinfo where username=@username and pass=@pass ";
        cmd.Parameters.Add("@username", SqlDbType.VarChar);
        cmd.Parameters["@username"].Value = this.txt_username.Text;
        cmd.Parameters.Add("@pass", SqlDbType.VarChar);
        cmd.Parameters["@pass"].Value = this.txt_password.Password;
        SqlDataReader sdr = cmd.ExecuteReader();

Blue Ice · Answer 2 · 2014-02-25T00:09:17.720

1

In this line you have an extra space after pass=':

string query = "select * from employeeinfo where username='"
   + this.txt_username.Text + "' and pass=' " + this.txt_password.Password +"' ";

Here is the fixed line.

string query = "select * from employeeinfo where username='"
   + this.txt_username.Text + "' and pass='" + this.txt_password.Password + "' ";

It wouldn't hurt to store your passwords more securely (hashed, not plaintext) and learn a bit about SQL injection, though. :)

edited Feb 25 '14 at 00:09

answered Feb 24 '14 at 23:59

Blue Ice

7,888
6
32
52

"store passwords ... encrypted"?? Or you mean "hashed"? (Side note: please try to format sample code without horizontal scroll if you decide to edit the post). – Alexei Levenkov Feb 25 '14 at 00:05
OMG I'm such a noob! Thanks. – Rich Feb 25 '14 at 00:51

Login form doesn't accept variable characters

2 Answers2