[ACCEPTED]-How can I get a username and password from my database in C#?-sql-injection
In general, when accessing your DB, you should be using something similar to this instead to eliminate SQL injection vulnerabilities:
// The values are bound as parameters and sent separately from the SQL text, so user
// input is never parsed as SQL; the password is hashed server-side and compared with the stored hash.
using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
{
    myCommand.Parameters.AddWithValue("@username", user);
    myCommand.Parameters.AddWithValue("@password", pass);
    myConnection.Open();
    using (SqlDataReader myReader = myCommand.ExecuteReader())
    {
        // ... read the matching row(s) from myReader here ...
    }
}
But more realistically to store credentials, you should be using something like the Membership system instead of rolling your own.
You're running a huge risk of SQL injection with that. Use SQL parameters for the values passed into SqlCommands.
If you mean C# variables, and if you want to get them from the DB, just do this:
// ExecuteReader runs the command; Read() advances to the first row (false if there is none)
SqlDataReader reader = cmd.ExecuteReader();
if (reader.Read())
{
    // The indexer returns object, so cast to the column's .NET type
    string username = (string)reader["username"];
    string pwd = (string)reader["password"];
}
While you are at it, parameterize your query and prevent SQL injection:
// Placeholders replace the string concatenation; the text box values are bound separately
SqlCommand cmd = new SqlCommand("select * from login where username=@username and pwd=@pwd", con);
cmd.Parameters.AddWithValue("@username", txt4name.Text);
cmd.Parameters.AddWithValue("@pwd", txt4pwd.Text);
Definitely heed the advice about SQL injection, but here is the answer to your question:
string username = null;
string pwd = null;
// GetOrdinal resolves the column index once; IsDBNull guards the typed getter,
// which throws on a NULL column
int columnIndex = reader.GetOrdinal("username");
if (!reader.IsDBNull(columnIndex))
{
    username = reader.GetString(columnIndex);
}
columnIndex = reader.GetOrdinal("pwd");
if (!reader.IsDBNull(columnIndex))
{
    pwd = reader.GetString(columnIndex);
}
string userName = txt4name.Text;
string password = txt4pwd.Text;
Is that really what you want? Just to get that data into variables?
You really need to use parameterized SQL. There's an example here. Furthermore, your question doesn't really make sense; you want the username and password in separate variables? They already are separate in your example. If you are unable to assign them to strings, I suggest following some tutorials.
Another approach is to load the reader results into a DataTable like so:
DataTable Result = new DataTable();
Result.Load(reader);
If your login table only contains two columns (userName and password) that are unique, you end up with Result containing only one row with the information. You can then get the values from each column:
string userName = Result.Rows[0].Field<string>("userName");
string password = Result.Rows[0].Field<string>("pwd");
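As an added example (not code from the answer above), here is the DataTable approach with the row count checked before indexing, so a lookup that matches no row, or more than one, is reported instead of throwing on Result.Rows[0]. The class and method names are assumptions; Field<T> needs a reference to System.Data.DataSetExtensions on .NET Framework.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper; the names are assumptions, not from the original answer.
public static class LoginTableReader
{
    // Loads whatever the reader returns into a DataTable and hands back the
    // (userName, pwd) pair only when exactly one row came back.
    public static bool TryGetSingleLogin(SqlDataReader reader, out string userName, out string pwd)
    {
        userName = null;
        pwd = null;

        var result = new DataTable();
        result.Load(reader);   // Load consumes the reader and fills both schema and rows

        if (result.Rows.Count != 1)
        {
            // 0 rows: no match (Rows[0] would throw IndexOutOfRangeException);
            // >1 rows: the lookup was not unique, so refuse to pick one arbitrarily.
            return false;
        }

        DataRow row = result.Rows[0];
        // Field<T> maps DBNull to null for reference types, so a NULL column does not
        // throw the way an unguarded (string)row["pwd"] cast would.
        userName = row.Field<string>("userName");
        pwd = row.Field<string>("pwd");
        return userName != null && pwd != null;
    }
}
```

Call it with the reader from a parameterized query (as in the earlier answers); the bool tells the caller whether the two out values can be trusted.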
private void but_login_Click(object sender, EventArgs e)
{
string cn = "Data Source=.;Initial Catalog=mvrdatabase;Integrated Security=True";
SqlConnection con = new SqlConnection(cn);
con.Open();
SqlCommand cmd = new SqlCommand("select count (*) from logintable where username ='" + txt_uname.Text + "'and password='" + txt_pass.Text + "'", con);
int i = Convert.ToInt32(cmd.ExecuteScalar());
con.Close();
if (i == 1)
{
Form2 f2 = new Form2();
MessageBox.Show("User login successfully........");
this.Hide();
f2.Show();
}
else
{
MessageBox.Show("INCORRECT USERID AND PASSWORD", "Error");
}
}
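Putting the parameterized query from the accepted answer together with the click handler above, here is an added example (not code from any of the answers) of the same login check done with typed parameters and a properly disposed connection, command and reader. The class and method names, the parameter sizes, and the column names username/password in logintable are assumptions; the HASHBYTES('SHA1', ...) comparison follows the accepted answer, which also notes that the Membership system is preferable to rolling your own credential storage.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical class; names and sizes are assumptions, not from the original answers.
public sealed class LoginRepository
{
    private readonly string _connectionString;

    public LoginRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Returns true when exactly one row matches the supplied credentials.
    // The user-supplied values never become part of the SQL text: they travel as
    // typed parameters, so a quote or comment marker typed into the form is just data.
    public bool TryLogin(string userName, string password, out string matchedUserName)
    {
        matchedUserName = null;

        const string sql =
            "SELECT username FROM logintable " +
            "WHERE username = @username AND password = HASHBYTES('SHA1', @password)";

        using (var con = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Explicit types and sizes instead of AddWithValue: the parameter type then
            // matches the column rather than being inferred from the C# value, which keeps
            // the query plan stable and, for HASHBYTES, controls which bytes get hashed
            // (NVarChar hashes UTF-16LE; VarChar hashes the column's single-byte encoding).
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;

            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    return false;   // no matching row: unknown user or wrong password
                }

                int col = reader.GetOrdinal("username");
                matchedUserName = reader.IsDBNull(col) ? null : reader.GetString(col);

                // A second matching row means the table is not keyed the way the login
                // logic assumes; treat that as a failed login rather than a success.
                return !reader.Read();
            }
        }
    }
}
```

From the form's click handler this replaces the concatenated count query: build one LoginRepository with the connection string, call TryLogin(txt_uname.Text, txt_pass.Text, out who), and open Form2 only when it returns true. The connection is closed by the using block even if ExecuteReader throws, which the original handler's explicit con.Close() does not guarantee.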