
I'm trying to write a login in C# with MySQL. Basically the user enters a username and password, then the code checks the database to see if the password is correct. I'm having trouble getting the code to read from the database... Here is where I'm at.

using MySql.Data.MySqlClient;

public string strUsername;
public string strPassword;
public bool blnCorrect = false;

// Connection object; the connection string is not shown in the post
MySqlConnection MySQLServer = new MySqlConnection(connectionString);

//Connect to DataBase
MySQLServer.Open();

//Check Login
MySqlDataReader mySQLReader = null;
MySqlCommand mySQLCommand = MySQLServer.CreateCommand();
// The username is concatenated directly into the SQL text
mySQLCommand.CommandText = ("SELECT * FROM user_accounts WHERE username =" + strUsername);
mySQLReader = mySQLCommand.ExecuteReader();
while (mySQLReader.Read())
{
  // Column index 1 is assumed to hold the stored password
  string TruePass = mySQLReader.GetString(1);
  if (strPassword == TruePass)
  {
    blnCorrect = true;
    //Get Player Data
  }
}
mySQLReader.Close();

MySQLServer.Close();

From what I've done in the past, I thought this would work, but if I print it, it seems like it's not being read. I am still fairly new to MySQL so any help would be great.

  • What does the debugger tell you? Commented Dec 6, 2011 at 6:36
  • Look here: xkcd.com/327 Commented Dec 6, 2011 at 11:15

2 Answers

3

A non-numeric field value must be enclosed in single quotes.

mySQLCommand.CommandText = "SELECT * FROM user_accounts WHERE username ='" + strUsername + "'";
mySQLCommand.Connection = MySQLServer;

But you have to use parameters to prevent SQL injection.

 // The username is bound as a parameter, never spliced into the SQL text
 mySQLCommand.CommandText = "SELECT * FROM user_accounts WHERE username = @username";
 mySQLCommand.Connection = MySQLServer;
 mySQLCommand.Parameters.AddWithValue("@username", strUsername);

2 Comments

Should also advise OP not to hard-code the ordinal position of the password in GetString(1) unless the select statement specifies it.
Thank you, I'll give it a try. I'll let you know if I have any more problems.
-2
// Note: this uses System.Data.SqlClient (SQL Server Express), not the MySQL connector
using System.Data.SqlClient;

        string con_string = @"Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Database.mdf;Integrated Security=True;User Instance=True";
        // Username and password are concatenated into the query text and compared by the database
        string query = "SELECT * FROM Users WHERE UseName='" + txtUserName.Text + "' AND Password='" + txtPassword.Text + "'";
        SqlConnection Con = new SqlConnection(con_string);
        SqlCommand Com = new SqlCommand(query, Con);
        Con.Open();
        SqlDataReader Reader;
        Reader = Com.ExecuteReader();

        // Any returned row means a username/password pair matched
        if (Reader.Read())
        {
            lblStatus.Text = "Successfully Login";
        }
        else
        {
            lblStatus.Text = "UserName or Password error";
        }
        Reader.Close();
        Con.Close();

As AVD said, you should use parameters to prevent SQL injection....

2 Comments

Show how to use parameters if you say the OP should do it. And why compare strings on the DB instead of in code?
Where have I said that it will prevent SQL injection? I have just shown how to validate a login... read my last line...
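The two answers and their comments raise three points: the concatenated query (the OP's pattern and the second answer's) is injectable, a bound parameter fixes that, and the password should be compared in code rather than by the database and read by column name rather than by ordinal. The following is an added example, not code from the question or either answer. It uses Python's sqlite3 as an offline stand-in for the MySQL user_accounts table so the behaviour can be run, stores a salted PBKDF2 hash instead of the plaintext password the page's table holds (an assumption; the page says nothing about hashing), and uses sqlite3's `?` placeholder where the MySql.Data connector takes `@username`. The two user accounts and their passwords are constructed test data.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 of the password (assumed scheme, not from the page)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the user_accounts table, seeded with constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows addressable by column name, not ordinal
    conn.execute(
        "CREATE TABLE user_accounts (username TEXT PRIMARY KEY, salt BLOB, password_hash BLOB)"
    )
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO user_accounts (username, salt, password_hash) VALUES (?, ?, ?)",
            (user, salt, hash_password(pw, salt)),
        )
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """The page's pattern: the username is spliced into the SQL text.

    A username of  ' OR '1'='1  turns the WHERE clause into
    username ='' OR '1'='1'  and every row comes back. Shown for contrast only.
    """
    sql = "SELECT * FROM user_accounts WHERE username ='" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The accepted answer's fix: the username travels as a bound parameter.

    The driver sends the value separately from the statement, so quotes and
    OR clauses inside it are just characters of a username that does not exist.
    """
    return conn.execute(
        "SELECT username, salt, password_hash FROM user_accounts WHERE username = ?",
        (username,),
    ).fetchall()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the account up by parameter, then verify the password in code.

    Verifying here rather than in the SQL (the second answer's approach) means the
    password never becomes part of a query, and the comparison is constant-time.
    """
    rows = lookup_parameterized(conn, username)
    if len(rows) != 1:
        return False
    row = rows[0]
    # Columns are read by name, as the comment on the accepted answer advises
    expected = hash_password(password, row["salt"])
    return hmac.compare_digest(expected, row["password_hash"])


if __name__ == "__main__":
    db = make_db()
    print("concatenated, injected:", len(lookup_concatenated(db, "' OR '1'='1")), "rows")
    print("parameterized, injected:", len(lookup_parameterized(db, "' OR '1'='1")), "rows")
    print("alice / correct horse:", login(db, "alice", "correct horse"))
    print("alice / hunter2:", login(db, "alice", "hunter2"))
```

With the MySql.Data connector the same shape applies: `Parameters.AddWithValue("@username", strUsername)` binds the value, `reader.GetOrdinal("password_hash")` replaces the hard-coded `GetString(1)`, and the hash comparison happens in C# after the row is read.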
