patterncsharpMajor
Login form C# SQL
Viewed 0 times
sqlformlogin
Problem
Basically this is my first login form.
I am using SQL and C# WinForms.
I made user roles such as "Admin" and others and the user is taken to a specific WinForms, according to his appointed role (appointed by me manually now).
I have also allowed users to create their new accounts, in which they pick their user name and password but the role still needs to be appointed by me.
I'd like to know if what I've done is ok or if it needs improvement, and where.
```
namespace My_PROGRAM
{
public partial class Login : Form
{
SqlConnection loginCon = new SqlConnection("Data Source=;Initial Catalog=;Persist Security Info=True;User ID=;Password=****");
public Login()
{
InitializeComponent();
}
private void btnLogin_Click(object sender, EventArgs e)
{
loginCon.Open();
SqlDataAdapter loginAdapter = new SqlDataAdapter("SELECT [Role] FROM [dbo].[LOGIN_Tab] WHERE Name ='"+ userNameTextobx.Text +"' and Password='"+ userPasswordTextbox.Text +"' ", loginCon);
DataTable result = new DataTable();
loginAdapter.Fill(result);
try
{
if (result.Rows.Count == 1)
{
switch(result.Rows[0]["Role"] as string)
{
case "Admin":
{
this.Hide();
AdminMenu aMenu = new AdminMenu();
MessageBox.Show("Login was succesful. Welcome back " + userNameTextobx.Text + " !!");
aMenu.Show();
break;
}
case "Planner":
{
this.Hide();
PlannerMenu pMenu = new PlannerMenu();
MessageBox.Show("Login was succesfu
I am using SQL and C# WinForms.
I made user roles such as "Admin" and others and the user is taken to a specific WinForms, according to his appointed role (appointed by me manually now).
I have also allowed users to create their new accounts, in which they pick their user name and password but the role still needs to be appointed by me.
I'd like to know if what I've done is ok or if it needs improvement, and where.
```
namespace My_PROGRAM
{
public partial class Login : Form
{
SqlConnection loginCon = new SqlConnection("Data Source=;Initial Catalog=;Persist Security Info=True;User ID=;Password=****");
public Login()
{
InitializeComponent();
}
private void btnLogin_Click(object sender, EventArgs e)
{
loginCon.Open();
SqlDataAdapter loginAdapter = new SqlDataAdapter("SELECT [Role] FROM [dbo].[LOGIN_Tab] WHERE Name ='"+ userNameTextobx.Text +"' and Password='"+ userPasswordTextbox.Text +"' ", loginCon);
DataTable result = new DataTable();
loginAdapter.Fill(result);
try
{
if (result.Rows.Count == 1)
{
switch(result.Rows[0]["Role"] as string)
{
case "Admin":
{
this.Hide();
AdminMenu aMenu = new AdminMenu();
MessageBox.Show("Login was succesful. Welcome back " + userNameTextobx.Text + " !!");
aMenu.Show();
break;
}
case "Planner":
{
this.Hide();
PlannerMenu pMenu = new PlannerMenu();
MessageBox.Show("Login was succesfu
Solution
SQL Injection alarm
Don't use user passed text in your sql statements if you aren't using parameters.
From: https://stackoverflow.com/a/7505842/2655508
Using parameters helps prevent SQL Injection attacks when the database is used in conjunction with a program interface such as a desktop program or web site.
In your example, a user can directly run SQL code on your database by
crafting statements in txtSalary.
For example, if they were to write 0 OR 1=1, the executed SQL would be
SELECT empSalary from employee where salary = 0 or 1=1
whereby all empSalaries would be returned.
Further, a user could perform far worse commands against your
database, including deleting it If they wrote 0; Drop Table employee:
SELECT empSalary from employee where salary = 0; Drop Table employee
The table employee would then be deleted.
Don't use user passed text in your sql statements if you aren't using parameters.
From: https://stackoverflow.com/a/7505842/2655508
Using parameters helps prevent SQL Injection attacks when the database is used in conjunction with a program interface such as a desktop program or web site.
In your example, a user can directly run SQL code on your database by
crafting statements in txtSalary.
For example, if they were to write 0 OR 1=1, the executed SQL would be
SELECT empSalary from employee where salary = 0 or 1=1
whereby all empSalaries would be returned.
Further, a user could perform far worse commands against your
database, including deleting it If they wrote 0; Drop Table employee:
SELECT empSalary from employee where salary = 0; Drop Table employee
The table employee would then be deleted.
Context
StackExchange Code Review Q#158031, answer score: 33
Revisions (0)
No revisions yet.