database connection


unleashed-my-freedom
Starting Member

5 Posts

Posted - 2011-10-15 : 20:55:58
string username = TextBox1.Text;
string password = TextBox2.Text;
OleDbConnection connection = null;
OleDbCommand command = null;
OleDbDataReader dataReader = null;
try
{
    string connectionString = ConfigurationManager.ConnectionStrings["ChatDBConnectionString"].ConnectionString;
    connection = new OleDbConnection(connectionString);
    connection.Open();
    //prepare sql statements
    string sql = "SELECT * from Staff where username='" + username + "'And Password='" + password + "'";
    command = new OleDbCommand(sql, connection);
    dataReader = command.ExecuteReader();

    while (dataReader.Read())
    {
        username = dataReader.GetString(3);
        Session.Add("username", username);
    }
    dataReader.Close();
}
catch (Exception ex)
{
    Response.Write(ex.Message);
}
//cleanup object
finally
{
    if (connection != null)
        connection.Close();
}

How do I change OLEdb to SQL connection?

judy

GilaMonster
Master Smack Fu Yak Hacker

4507 Posts

Posted - 2011-10-15 : 21:36:51
Assuming this is .NET, look at the SQLDataClient class.

--
Gail Shaw
SQL Server MVP

unleashed-my-freedom
Starting Member

5 Posts

Posted - 2011-10-16 : 00:27:16
what do you mean?

judy

visakh16
Very Important crosS Applying yaK Herder

52326 Posts

Posted - 2011-10-16 : 00:31:00
you mean this?

http://searchsqlserver.techtarget.com/feature/Creating-basic-ADONET-data-objects-with-SqlClient

------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/


GilaMonster
Master Smack Fu Yak Hacker

4507 Posts

Posted - 2011-10-16 : 01:25:41
quote:
Originally posted by unleashed-my-freedom

what do you mean?


I mean 'open up the documentation, browse to the section on the SQLDataClient class and read up on that class'.

--
Gail Shaw
SQL Server MVP

unleashed-my-freedom
Starting Member

5 Posts

Posted - 2011-10-16 : 02:05:21
string username = TextBox1.Text;
string password = TextBox2.Text;
SqlConnection connection = null;
SqlCommand command = null;
SqlDataReader dataReader = null;
try
{
    string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
    connection = new SqlConnection(connectionString);
    connection.Open();
    //prepare sql statements
    string sql = "SELECT * from Staff where username='" + username + "'And Password='" + password + "'";
    command = new SqlCommand(sql, connection);
    dataReader = command.ExecuteReader();

    while (dataReader.Read())
    {
        username = dataReader.GetString(3);
        Session.Add("username", username);
    }
    dataReader.Close();
}
catch (Exception ex)
{
    Response.Write(ex.Message);
}
//cleanup object
finally
{
    if (connection != null)
        connection.Close();
}
Response.Redirect("./default.aspx");
}


I had tried changing from OLEdb to SQL. May I know if it is correct?

judy

GilaMonster
Master Smack Fu Yak Hacker

4507 Posts

Posted - 2011-10-16 : 02:23:37
Did you try it? Did it throw errors? Did you consult the documentation?

--
Gail Shaw
SQL Server MVP

unleashed-my-freedom
Starting Member

5 Posts

Posted - 2011-10-16 : 02:39:27
Actually I had created a registration page for users to sign up for an account and a database to store all the information such as username and password. I had also created a login page for users to log in after creating an account. How do I link the database between these two pages?

judy

GilaMonster
Master Smack Fu Yak Hacker

4507 Posts

Posted - 2011-10-16 : 02:49:14
I just noticed something:

quote:
string sql = "SELECT * from Staff where username='" + username + "'And Password='" + password + "'";

This is an open invitation to SQL injection. You're asking to be hacked and hacked badly. That should be a stored procedure call and should be correctly parameterised. If it can't be a procedure, it should still be parameterised.

--
Gail Shaw
SQL Server MVP
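
The parameterised query recommended above, written out against the thread's Staff table as an added example (not code from any poster). The helper name FindStaffUser and the NVARCHAR(50) column sizes are assumptions; it returns null when no row matches, so the caller redirects only after a successful match.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: FindStaffUser is a hypothetical helper; the table and
// column names (Staff, username, Password) come from the thread's query.
public static class StaffLogin
{
    // Returns the matching username, or null when no row matches.
    public static string FindStaffUser(string connectionString, string username, string password)
    {
        // Placeholders keep user input out of the SQL text entirely, so a
        // quote character in either field is treated as data, not as SQL.
        const string sql =
            "SELECT username FROM Staff WHERE username = @username AND Password = @password";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit types and sizes (assumed: both columns are NVARCHAR(50)).
            command.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username ?? string.Empty;
            command.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password ?? string.Empty;

            connection.Open();
            // ExecuteScalar returns null when the query yields no rows.
            object result = command.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : (string)result;
        }
    }
}

// Call site in the login button handler (sketch):
//   string user = StaffLogin.FindStaffUser(connectionString, TextBox1.Text, TextBox2.Text);
//   if (user != null) { Session["username"] = user; Response.Redirect("./default.aspx"); }
//   else { /* show a generic "invalid login" message and stay on the page */ }
```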

unleashed-my-freedom
Starting Member

5 Posts

Posted - 2011-10-16 : 03:05:47
What should I do to prevent it? I'm trying to log in as a registered user, but even if the password is wrong, users are still able to log in. How do I solve this error?

judy

afrika
Master Smack Fu Yak Hacker

2706 Posts

Posted - 2011-10-23 : 04:51:56
Well, like GilaMonster said, your code is very wrong (bad practice) to put the SQL string like that.

I would advise you to either use LINQ, Entity Framework or a stored procedure. See my post here

http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=166467

jassi.singh
Posting Yak Master

122 Posts

Posted - 2011-10-23 : 05:19:54
Definitely you have coded incorrectly; please post your code written on login click button.

Please mark answer as accepted if it helped you.

Thanks,
Jassi Singh

afrika
Master Smack Fu Yak Hacker

2706 Posts

Posted - 2011-10-23 : 13:26:21
quote:
Originally posted by jassi.singh

Definitely you have coded incorrectly; please post your code written on login click button.

Please mark answer as accepted if it helped you.

Thanks,
Jassi Singh



How do you mark as answer ? lol