Sarah Proctor Sarah Proctor - 1 month ago 9
Vb.net Question

Login problems with Access and VB.net

I am trying to connect to my database and check the username and login with the database and it keeps failing the login. Any idea what's going wrong?

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
If TextBox1.Text = "" Or TextBox2.Text = "" Then
MsgBox("You must enter all information.", MsgBoxStyle.OkOnly, "Error")
Else
Dim uname As String = TextBox1.Text
Dim pword As String = TextBox2.Text
Access.ExecQuery("SELECT Password FROM LoginDB WHERE Username= " & uname & "AND Password= " & pword & ";")
'Try
'Access.ExecQuery("SELECT Password FROM LoginDB WHERE Username= " & uname & "AND Password= " & pword & ";")
'Catch ex As Exception
'MsgBox("Username does not exist.")
'End Try
If (pword = pass) Then
My.Forms.StableMe1.Show()
Me.Close()
Else
MsgBox("Login Failed")
TextBox1.Clear()
TextBox2.Clear()
End If
End If
End Sub


The database is working in other parts of the code, so I know it's connecting, I just can't seem to find the problem.

Answer

There are a few problems I see here, some of which have been mentioned in the comments. You are currently not handling the return of your query, password is being used when it's a reserved word, and the query itself could be tweaked a bit to use parameters and check if the username+password combination exists instead of returning the password. That said, I would say what you need is something similar to the following example. Note that this won't just copy and paste, you will need to fill in your database connection string.

'Imports System.Data.SqlClient

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    If TextBox1.Text = "" Or TextBox2.Text = "" Then
        MsgBox("You must enter all information.", MsgBoxStyle.OkOnly, "Error")
    Else
        Dim con As New SqlConnection("your db connection string")
        Dim exists As String = Nothing
        con.Open()
        Using cmd As New SqlCommand("SELECT 'X' FROM [LoginDB] WHERE [Username] = @un AND [Password] = @pw", con)
            With cmd
                .Parameters.AddWithValue("@un", TextBox1.Text)
                .Parameters.AddWithValue("@pw", TextBox2.Text)
                Try
                    exists = .ExecuteScalar.ToString
                Catch ex As Exception
                    MsgBox(ex.ToString)
                End Try
            End With
        End Using
        con.Close()

        If exists IsNot Nothing AndAlso exists.Equals("X") Then
            My.Forms.StableMe1.Show()
            Me.Close()
        Else
            MsgBox("Login Failed")
            TextBox1.Clear()
            TextBox2.Clear()
        End If
    End If
End Sub

So what this code is doing is connecting to the database, and then querying to simply return a character (just an easy way to check if a record exists when we aren't actually looking to return any row data) if the username+password pair is found in the database. It adds the username and password that the user has entered as parameters so you don't have to worry about spacing or quotes, and also inherently prevents sql injection. Then we just add the parameters, and executescalar which will just return a single value (sqldatareader is unnecessary in this case). Then I just checked if the value is what I'm expecting. Also, just a sidenote, it's not a good idea to store passwords in plaintext...but that's another topic. Hope this helps