Sol Sol - 5 months ago 21
SQL Question

How can you give an error code for a username and password in a C# Xaml form with MySql if they don't match your database?

I have been able to connect to my database, but when I try to create an error by writing in the wrong username or password nothing pops up(for example "Wrong Password Entered"). Also, I have tried to prepare statements for the user text boxes with the @username, but I am not sure if this really stops SQL injection with C#.

//XAml
<TextBox x:Name="textUser" HorizontalAlignment="Left" Height="23" Margin="201,103,0,0" TextWrapping="Wrap" Text="" VerticalAlignment="Top" Width="120"/>
<PasswordBox x:Name="txt_passwordBox" Margin="201,152,196,0" VerticalAlignment="Top" Height="23" KeyDown="txt_passwordBox_KeyDown" PasswordChar="$"/>


//C# code

using MySql.Data.MySqlClient;

//click login button
private void button_Click(object sender, RoutedEventArgs e)
{



if (textUser.Text != "" & txt_passwordBox.Password != "")
{
server = "54.12.23.11";
database = "databasetest";
uid = "username";
password = "password";
string connectionString;
connectionString = "server=" + server + ";" + "user=" + uid+ ";" + "database=" + database + ";port=3306;" + "password=" + password + ";";
MySqlConnection conn = new MySqlConnection(connectionString);
try
{

conn.Open();//connect to mysql

string sql = "SELECT user, pass FROM users WHERE user=@username and pass=@password";
MySqlCommand cmd = new MySqlCommand(sql, conn);

string username1 = textUser.Text;
string password1 = txt_passwordBox.Password;

cmd.Parameters.AddWithValue("@username", username1);
cmd.Parameters.AddWithValue("@password", password1);

MySqlDataReader rdr = cmd.ExecuteReader();

while (rdr.Read())
{



if (Convert.ToString(rdr["password"]) != password1)
{
MessageBox.Show("Wrong password");
}
else if (Convert.ToString(rdr["username"]) != username1)
{

MessageBox.Show("Wrong Username");
}
else if ((Convert.ToString(rdr["username"]) != username1) && (Convert.ToString(rdr["password"]) != password1))
{

MessageBox.Show("Wrong Username or Password");
}
else
{
//textError.Text = (rdr["username"] + " --- " + rdr["password"]);
loggedinwindowpumpkin window = new loggedinwindowpumpkin();
this.Close();
window.ShowDialog();
// }
}
rdr.Close();
}
}
catch (Exception)
{
MessageBox.Show("Error Connecting.... Check Network Settings, Close and try again");
// MessageBox.Show(ex.ToString());
}
finally
{
//MessageBox.Show("Wrong User or Password");
}

conn.Close();
//MessageBox.Show("Connected to Database.");
}
}//end button_Click

Answer

As already stated in my Comment, you're getting no results back.

This should do the trick:

using (var conn = new MySqlConnection(connectionString))
            {
                try
                {
                    conn.Open();//connect to mysql

                    string sql = "SELECT user, pass FROM users WHERE user=@username and pass=@password";
                    using (var cmd = new MySqlCommand(sql, conn))
                    {

                        string username1 = textUser.Text;
                        string password1 = txt_passwordBox.Password;

                        cmd.Parameters.AddWithValue("@username", username1);
                        cmd.Parameters.AddWithValue("@password", password1);

                        using (var rdr = cmd.ExecuteReader())
                        {
                            if (!rdr.HasRows)
                            {
                                MessageBox.Show("Wrong Username or Password");
                                return;
                            }
                            while (rdr.Read())
                            {

                                if (Convert.ToString(rdr["password"]) != password1)
                                {
                                    MessageBox.Show("Wrong password");
                                }
                                else if (Convert.ToString(rdr["username"]) != username1)
                                {

                                    MessageBox.Show("Wrong Username");
                                }
                                else if ((Convert.ToString(rdr["username"]) != username1) && (Convert.ToString(rdr["password"]) != password1))
                                {

                                    MessageBox.Show("Wrong Username or Password");
                                }
                                else
                                {
                                    //textError.Text = (rdr["username"] + " --- " + rdr["password"]);
                                    loggedinwindowpumpkin window = new loggedinwindowpumpkin();
                                    this.Close();
                                    window.ShowDialog();
                                    // }
                                }
                            }
                        }
                    }
                }
                catch (Exception)
                {
                    MessageBox.Show("Error Connecting.... Check Network Settings, Close and try again");
                    // MessageBox.Show(ex.ToString());
                }
                finally
                {
                    //MessageBox.Show("Wrong User or Password");
                }
            }