I am developing a Windows Form application using vb.net in VS10 with user management. I am using following code when a user tries to login:

    Try
        Dim sel As String
        ' Query text is built by concatenating the text-box contents straight into the SQL
        sel = "SELECT uid, name, loginid, password, type FROM user_master WHERE loginid = '" & UsernameTextBox.Text & "' AND password = '" & PasswordTextBox.Text & "'"
        Dim cnn As New SqlConnection("Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\RSMS_DB.mdf;Integrated Security=True;User Instance=True")
        Dim da As New SqlDataAdapter(sel, cnn)
        Dim ds As New DataSet()
        da.Fill(ds)
        If ds.Tables(0).Rows.Count = 0 Then
            MsgBox("Wrong Username and Password Combination!", MsgBoxStyle.Critical, "Login Failed")
        Else
            current_uid = ds.Tables(0).Rows(0)(0)
            current_name = ds.Tables(0).Rows(0)(1)
            current_loginid = ds.Tables(0).Rows(0)(2)
            current_password = ds.Tables(0).Rows(0)(3)
            current_type = ds.Tables(0).Rows(0)(4)
            MsgBox("Welcome '" & ds.Tables(0).Rows(0)(1) & "'!", MsgBoxStyle.OkOnly, "Login Successful")
            ' Record the login time, again by concatenating the values into the statement
            Dim upd = "UPDATE user_master SET lastlogin = '" & System.DateTime.Now.ToString("yyyy/MM/dd HH:mm:ss") & "' WHERE uid = " & current_uid & ""
            Dim cmd As New SqlCommand(upd, cnn)
            cnn.Open()
            cmd.ExecuteNonQuery()
            If checkboxLoginState.Checked = True Then
                ' "Remember me": copies the user row, plain-text password included, into login_state
                cmd.CommandText = "INSERT INTO login_state VALUES('" & current_uid & "', '" & current_name & "', '" & current_loginid & "', '" & current_password & "', '" & current_type & "')"
                cmd.ExecuteNonQuery()
            End If
            cnn.Close()
            load_user_permissions(current_uid) 'DISABLING OPTIONS ACCORDING TO USER RIGHTS
            Me.Close()
        End If
    Catch ex As Exception
        MsgBox(ex.Message, MsgBoxStyle.Critical, "Database Error")
    End Try

All I want to ask is if it is the right method? Is the SELECT Query case sensitive by default?

  • Unless this is a "toy" project, you're going down some very bad routes here. You ought to read up on SQL Injection and Parameters. Then read up on password leaks and why you don't store passwords as plain text. – Damien_The_Unbeliever Mar 02 '18 at 11:19
  • As far as I am aware no keywords in SQL are case sensitive, but I like it when SQL keywords are uppercase :) – Sasha Mar 02 '18 at 11:26

1 Answer

The SQL Keywords are case-insensitive (SELECT, FROM, WHERE, etc), but are often written in all caps. However in some setups table and column names are case-sensitive. Usually case-sensitive table and column names are the default. If you want to change it then you can change it in a function of the database's collation settings.

Source - And this could also be helpful for you.

If security is important to you then you should hash the passwords - do not save passwords as plain text! You should check out the library libsodium.

Marco Sadowski
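The two fixes raised in the comments and in the answer, sending the text-box values as SqlParameter values instead of concatenating them into the query and storing a salted PBKDF2 hash instead of the plain-text password, as an added example that is not part of the question or the answer. It assumes hypothetical password_hash and password_salt columns in user_master in place of the password column, and uses .NET's built-in Rfc2898DeriveBytes rather than the libsodium the answer mentions, so it runs on the .NET 4.0 that VS2010 targets.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography
Module SecureLogin
    ' Assumed (hypothetical) schema: user_master(uid INT, loginid NVARCHAR(50), lastlogin DATETIME,
    ' password_hash VARBINARY(32), password_salt VARBINARY(16)); the salt is 16 random bytes
    ' (RNGCryptoServiceProvider) generated per user at registration, replacing the password column.
    ' PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1 on .NET 4.0, 100000 iterations) with a per-user salt:
    ' a leaked table then yields no reusable passwords.
    Public Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, 100000)
            Return kdf.GetBytes(32)
        End Using
    End Function
    ' Compare every byte so timing does not reveal how much of the hash matched.
    Public Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
    ' Returns the uid on success or -1 on failure. Input never becomes part of the SQL text:
    ' it travels as a typed parameter, so a quote in the text box is just data to compare.
    Public Function TryLogin(connStr As String, loginId As String, password As String) As Integer
        Using cnn As New SqlConnection(connStr)
            cnn.Open()
            Dim uid As Integer = -1
            Dim storedHash As Byte() = Nothing, salt As Byte() = Nothing
            Using cmd As New SqlCommand("SELECT uid, password_hash, password_salt FROM user_master WHERE loginid = @loginid", cnn)
                cmd.Parameters.Add("@loginid", SqlDbType.NVarChar, 50).Value = loginId
                Using rdr As SqlDataReader = cmd.ExecuteReader()
                    If rdr.Read() Then
                        uid = rdr.GetInt32(0)
                        storedHash = DirectCast(rdr.GetValue(1), Byte())
                        salt = DirectCast(rdr.GetValue(2), Byte())
                    End If
                End Using
            End Using
            If uid < 0 OrElse Not FixedTimeEquals(HashPassword(password, salt), storedHash) Then Return -1
            ' lastlogin as a DateTime parameter: no format string, no quoting
            Using cmd As New SqlCommand("UPDATE user_master SET lastlogin = @now WHERE uid = @uid", cnn)
                cmd.Parameters.Add("@now", SqlDbType.DateTime).Value = DateTime.Now
                cmd.Parameters.Add("@uid", SqlDbType.Int).Value = uid
                cmd.ExecuteNonQuery()
            End Using
            Return uid
        End Using
    End Function
End Module
```

The login form then calls TryLogin(connStr, UsernameTextBox.Text, PasswordTextBox.Text) and treats -1 as the "Login Failed" case; the "remember me" row should store only the uid, never the password.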