
(Very new to coding - I am a beginner, sorry if this doesn't make sense.) I'm trying to make a login page for my client booking system. I'm having an issue where any username/password combination is accepted. One thing I do know is that I need to implement SQL parameters (to prevent injection), but I'm not sure how. Here is my code. I want the outcome of this code to be that, when the login button is pressed, the program checks the inputs against a database and then either allows a login - to the main menu - or shows a message box telling the user to try again.

private void LogInButton_Click(object sender, EventArgs e)
{
    SqlConnection sqlcon = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\user\Documents\LoginDB.mdf;Integrated Security=True;Connect Timeout=30");
    sqlcon.Open();
    // The text box values are concatenated straight into the SQL text; this is the
    // SQL injection risk the question mentions (a quote in the input changes the query).
    SqlDataAdapter sda = new SqlDataAdapter("Select count(*) from Login Where username ='" + username.Text.Trim() + "' and password ='" + password.Text.Trim() + "'", sqlcon);
    DataTable dt = new DataTable();
    sda.Fill(dt);
    sqlcon.Close();
    // SELECT COUNT(*) always returns exactly one row, whatever the count is,
    // so this condition is true for every username/password combination.
    // The count value itself (dt.Rows[0][0]) is never inspected.
    if (dt.Rows.Count == 1)
    {
        frmMainMenu objFrmMainMenu = new frmMainMenu();
        this.Hide();
        objFrmMainMenu.Show();
    }
    else
    {
        MessageBox.Show("Invalid User Credentials. Try again !");
    }
}

And here is the table info and setup:

(Screenshots of the Login table's columns and data were attached to the original post.)

Any advice is appreciated - please let me know if more information is needed.

Saadi
eren230
  • Possible duplicate of [How do I re-write a SQL query as a parameterized query?](https://stackoverflow.com/questions/25820944/how-do-i-re-write-a-sql-query-as-a-parameterized-query) – Dan Wilson May 01 '18 at 13:46
  • Are you just trying to replace username and password with SQL command parameters? – Anthony Liriano May 01 '18 at 13:47
  • Passwords won't be stored as plain text later on; I've just started the project and will try to work on that later. – eren230 May 01 '18 at 15:02
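The following is an added example, not the asker's code or an answer posted on the page, showing how the same login check looks with the two defects in the question addressed: the username is passed as a SqlParameter instead of being concatenated into the SQL text, and the decision is based on what the row contains rather than on how many rows a COUNT(*) query returns. It assumes a hypothetical table Login(username NVARCHAR(50), password_hash VARBINARY(32), password_salt VARBINARY(16)) in the asker's LoginDB.mdf, i.e. the hashed-password layout the asker says they will move to later; the column names, the PBKDF2 iteration count and the helper names are assumptions for this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example (hypothetical helper class, not part of the original post).
public static class LoginCheck
{
    // Connection string taken from the question.
    private const string ConnectionString =
        @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\user\Documents\LoginDB.mdf;Integrated Security=True;Connect Timeout=30";

    private const int Pbkdf2Iterations = 100000; // assumed work factor
    private const int HashLength = 32;           // bytes stored in password_hash
    private const int SaltLength = 16;           // bytes stored in password_salt

    // Returns true only if a Login row exists for this username and the
    // password hashes to the stored value with that row's salt.
    public static bool ValidateLogin(string username, string password)
    {
        byte[] storedHash = null;
        byte[] storedSalt = null;

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT password_hash, password_salt FROM Login WHERE username = @username", conn))
        {
            // The value travels as a typed parameter, never as part of the SQL text,
            // so quotes or comment sequences in the input cannot change the query.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username.Trim();

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (reader.Read())
                {
                    storedHash = (byte[])reader["password_hash"];
                    storedSalt = (byte[])reader["password_salt"];
                }
            }
        }

        if (storedHash == null)
        {
            // Unknown username. Hash against a dummy salt anyway so a wrong
            // username and a wrong password take about the same time.
            DerivePasswordHash(password, new byte[SaltLength]);
            return false;
        }

        byte[] candidate = DerivePasswordHash(password, storedSalt);
        return FixedTimeEquals(candidate, storedHash);
    }

    // Produces the (hash, salt) pair to store when a user is created or changes password.
    public static void CreatePasswordRecord(string password, out byte[] hash, out byte[] salt)
    {
        salt = new byte[SaltLength];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt); // random per-user salt
        }
        hash = DerivePasswordHash(password, salt);
    }

    // PBKDF2 (Rfc2898DeriveBytes) with the given salt; the plain password is never stored.
    private static byte[] DerivePasswordHash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
        {
            return kdf.GetBytes(HashLength);
        }
    }

    // Compares every byte regardless of where the first difference is,
    // so the comparison time does not leak how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

In the button handler this replaces the SqlDataAdapter block: call `LoginCheck.ValidateLogin(username.Text, password.Text)` and open frmMainMenu when it returns true, otherwise show the "try again" message box. When inserting a new user, call `CreatePasswordRecord` and write both byte arrays with a parameterized INSERT, the same way the SELECT above takes `@username`. Until the table is migrated away from plain-text passwords, the same parameterized pattern still applies: select the stored password by `@username` and compare it in code, rather than counting rows.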

0 Answers