Resolved sql fill not working

[rwahdan2023]

Hi,

I am trying to run this code but getting error.

code:

try
{
    SqlConnection conn =
    new SqlConnection("Data Source = .; " +
    "Initial Catalog = users; Persist Security Info = True; " +
    "User ID = sa; Password = ***********");

    SqlCommand cmd = new SqlCommand("select * from users");
    cmd.Connection = conn;
    cmd.Parameters.AddWithValue("@username", txtuser.Text);
    cmd.Parameters.AddWithValue("@password", txtpass.Text);

    SqlDataAdapter da = new SqlDataAdapter(cmd);
    DataTable dt = new DataTable();
    da.Fill(dt);

    if (dt.Rows.Count > 0)
    {
        MessageBox.Show("Success!");
    }
    else
    {
        MessageBox.Show("Not Success!");
    }
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}

the error:
I am always getting success even if the user or password is incorrect

 

[rwahdan2023]

I found the solution to add parameters to sql and assign them to values. Thank you all.

SqlCommand cmd = new SqlCommand("select username, password " +
    "from Users where username = @username AND " +
    "password = @password", conn);

cmd.Parameters.AddWithValue("@username", txtuser.Text);
cmd.Parameters.AddWithValue("@password", txtpass.Text);

 

[Skydiver]

Well done!

Now the next problem you need to solve is to that it is a very bad security idea save passwords in the database in plain text. Saving it as encrypted is slightly better, but is still a security risk. The best practice in terms of security is to save hashed versions of the password.

 

[rwahdan2023]

Well done!

Now the next problem you need to solve is to that it is a very bad security idea save passwords in the database in plain text. Saving it as encrypted is slightly better, but is still a security risk. The best practice in terms of security is to save hashed versions of the password.

Thnaks alot @Skydiver and I will look into this.

 

[jmcilhinney]

I would also suggest not using AddWithValue when adding parameters. It will work in most situations but the data type for the parameter is inferred from the value and sometimes the system may not infer the correct type and that can have negative effects. If you always use Add then you never have to wonder whether you can safely use AddWithValue or not.

cmd.Parameters.Add("@username", SqlDbType.VarChar, 50).Value = txtuser.Text;

 

[cjard]

I would also suggest not using AddWithValue when adding parameters.

True for SqlServer, not necessarily true for other DBMS, and definitely not something to worry about with MySQL

 

[cjard]

I am always getting success even if the user or password is incorrect

Careful how you phrase your posts. At first I thought you were talking about the username and password in the sql server connection string

By the way, the world has moved on in terms of authing users. Having some table you maintain yourself and "select * from users" is decades old. Now we keep users in some system dedicated to auth and it is a well solved problem that third party and built in functionality has been doing for years. Look at Auth0, Active Directory, ASPNET identity management etc etc