
So by now I've probably had little experience with database programming and just SQL in general, so if what I say is beyond confusing I apologize. I've been trying to create a login form that accesses my database table and compares what the user has written to the table itself. After tirelessly searching the internet, I can't seem to understand why the code I've written can't read the table. Here is an example; maybe someone can help me understand my issue?

Public Function CompareDbValues(Compare_1 As String) As Boolean
    Using connection As New SqlConnection("Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\User\OneDrive\Software\WindowsApplication1\WindowsApplication1\Database1.mdf;Integrated Security=True")
        connection.Open()

        ' The WHERE clause compares the columns against the literal text
        ' 'Me.UserName.Text' and 'Me.Password.Text', not the textbox contents.
        Dim sSQL As String = "SELECT UserName, Password FROM [Table] WHERE UserName = 'Me.UserName.Text' AND Password = 'Me.Password.Text'"
        Using Command As New SqlCommand(sSQL, connection)
            Using Reader As SqlDataReader = Command.ExecuteReader()
                If Reader.HasRows Then
                    Do While Reader.Read()
                        ' Returns on the first row: True if its UserName matches Compare_1.
                        If Compare_1 = Reader("UserName").ToString() Then
                            Return True
                        Else
                            Return False
                        End If
                    Loop
                End If
            End Using
        End Using
    End Using

    ' The query returned no rows.
    Return False
End Function

My issue seems to be when my code hits the "If Reader.HasRows Then" line. Once again, thanks for taking a look.

  • Incidentally, you might want to get into the habit of keeping passwords secure, e.g.: Salted Password Hashing - Doing it Right. Commented Aug 27, 2015 at 8:46
  • Thanks, I'll take a look at it. Commented Aug 27, 2015 at 9:42

2 Answers

2

First, your SQL is sent to the database like this:

SELECT UserName, Password 
FROM [Table] 
WHERE UserName = 'Me.UserName.Text' AND Password = 'Me.Password.Text'

Since I assume no user will select Me.UserName.Text as a user name and Me.Password.Text as a password, I think no one will ever pass this login.

Second, if you are thinking of fixing this by concatenating the textboxes' text into the SQL string, think again. This is a major security hazard. Read about SQL injection attacks.

The proper way is to use parameterized queries or stored procedures.

Dim sSQL As String = "SELECT 1 " & _
                     "FROM [Table] " & _
                     "WHERE UserName = @UserName " & _
                     "AND Password = @Password " & _
                     "AND @UserName = @Compare"
Using Command As New SqlCommand(sSQL, connection)
    ' The textbox values are bound as parameters, so they are compared as
    ' data and never become part of the SQL text.
    Command.Parameters.Add("@UserName", SqlDbType.VarChar).Value = Me.UserName.Text
    Command.Parameters.Add("@Password", SqlDbType.VarChar).Value = Me.Password.Text
    Command.Parameters.Add("@Compare", SqlDbType.VarChar).Value = Compare_1
    Using Reader As SqlDataReader = Command.ExecuteReader()
        ' The WHERE clause has already done the comparison; any row means a match.
        Return Reader.HasRows
    End Using
End Using

Note that the WHERE clause already compared the values for you, so all you have to do is see whether any rows are returned by the query.


1 Comment

Thanks for bringing this to my attention. I'll read up on it so I can fully understand what you have done; also, thanks for clearing up my issue with my query as well.
0

This is your problem here:

Dim sSQL As String = "SELECT UserName, Password FROM [Table] WHERE UserName = 'Me.UserName.Text' AND Password = 'Me.Password.Text'"

You're telling the database to compare the values in the database to the literal text "Me.UserName.Text" and "Me.Password.Text". Nowhere are you actually getting the text the user has entered and sending it to the database. Note how, in the code you posted, those parts are red? That means they are part of the literal String. If you were using variables then they would not be red. This is what you actually meant to do:

Dim sSQL As String = "SELECT UserName, Password FROM [Table] WHERE UserName = '" & Me.UserName.Text & "' AND Password = '" & Me.Password.Text & "'"

That is now using variables and getting data from them and concatenating that data into the literal String.

That's still not very good code though. I won't go into it here because it goes beyond the scope of your original question but you should learn how to use parameterised queries, which protect you against various issues and, most importantly, SQL injection attacks.
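Added example, not code from either answer or from the asker's project: the concatenated query this answer shows beside the parameterised form the first answer recommends, written in Python with an in-memory SQLite table standing in for the SQL Server [Table] so it runs offline. The table name users, the sample row and every input below are constructed; the ? placeholder plays the role of @UserName / @Password in SqlClient.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the question's [Table]: one user, plaintext
    password (the comment on the question rightly says to hash these)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_concat(conn, username, password):
    """The 'what you meant to do' version: textbox values are spliced into
    the SQL text, so whatever was typed becomes part of the query itself."""
    sql = ("SELECT UserName FROM users WHERE UserName = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """The first answer's version: placeholders in the SQL, values bound
    separately, so the input is only ever compared as data."""
    sql = "SELECT 1 FROM users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    r = {}
    # Correct credentials pass and a wrong password fails with either method.
    r["concat_ok"] = login_concat(conn, "alice", "correct horse")
    r["param_ok"] = login_param(conn, "alice", "correct horse")
    r["concat_wrong"] = login_concat(conn, "alice", "nope")
    r["param_wrong"] = login_param(conn, "alice", "nope")
    # A legitimate password containing an apostrophe: concatenation produces
    # a syntax error, the parameterised query simply compares the string.
    try:
        login_concat(conn, "alice", "it's fine")
        r["concat_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        r["concat_apostrophe"] = "syntax error"
    r["param_apostrophe"] = login_param(conn, "alice", "it's fine")
    # The injection case the answers warn about: a quote plus OR rewrites the
    # WHERE logic when concatenated; as a parameter it is text matching nothing.
    r["concat_inject"] = login_concat(conn, "alice", "' OR '1'='1")
    r["param_inject"] = login_param(conn, "alice", "' OR '1'='1")
    return r
```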

4 Comments

Though our answers are basically the same, why show the wrong way of doing it instead of the right way?
Ah ok, that makes sense. I'll amend that immediately and let you know if it works.
@ZoharPeled, because I have answered the question as asked, i.e. why the code, as it was written, was not working. It's possible that this is a school assignment for which using a parameterised query would be overkill and possibly considered wrong because it was using material not yet taught.
Yeah, it's not a school assignment; it's a personal project. I'm also in my last year of high school this year, so parameterised queries were a little beyond me at the moment, but I appreciate both your responses regardless; you both brought to light something I did not know.
