Home/ Questions/Q 8723207
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T07:34:39+00:00

I am using: string selectString = SELECT username, password + FROM users + WHERE

  • 0

I am using:

                string selectString =
                "SELECT username, password " +
                "FROM users " +
                "WHERE username = '" + user + "' AND password = '" + password + "'";

                MySqlCommand mySqlCommand = new MySqlCommand(selectString, Program.mySqlConnection);
                Program.mySqlConnection.Open();
                String strResult = String.Empty;
                strResult = (String)mySqlCommand.ExecuteScalar();
                Program.mySqlConnection.Close();
                if (strResult.Length == 0)
                {
                    responseString = "invalid";
                    InvalidLogin = true;
                } else {
                    InvalidLogin = false;
                }

and at strResult.Length I get a NullReferenceException for some reason.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is how your code should look like:

    using(var connection = new MySQLConnection(connectionString))
{
    using(var command = connection.CreateCommand())
    {
        command.CommandText = @"
SELECT COUNT(*) 
FROM users
WHERE username = @user AND password = @password";
        command.Parameters.Add(new MySQLParameter("user", user));
        command.Parameters.Add(new MySQLParameter("password", password));

        var total = (int)command.ExecuteScalar();
        if(total == 0)
            InvalidLogin = true;
        else
            InvalidLogin = false;
    }
}

    There are few things to notice

    • NEVER build your query string in that way you did it. Search on Google for “sql
      injection” to find more about what could happen to you. ALWAYS use
      parameters. I know, you wrote that this is console app, but good habits are important.
    • ALWAYS use using keyword when working with database
      connections and commands.
    • From your code, I have a feeling that you have global MySQLConnection object, right? NEVER do that! ADO.NET uses connection pooling, so opening new connection for your actions is not expensive operation. Make sure that you didn’t disable connection pooling in your connection string.
    • Not related to ADO.NET, but important: you should hash your password.

    To answer your question, the problem is in ExecuteScalar that you are using. It returns scalar variable (single value)…in your query, you are returning username and password, so you should use ExecuteReader instead…but I think that COUNT(*) in the query that I posted, together with ExecuteScalar might be a better solution.

    • 0