Home/ Questions/Q 6064987
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T09:20:25+00:00

I’m new to Visual Studio 2010 and I’m trying to create a Login form.

  • 0

I’m new to Visual Studio 2010 and I’m trying to create a Login form.

I have this code.

        OdbcConnection con = new OdbcConnection("host=localhost;usr=root;password=admin;db=timekeeping;");
        OdbcCommand cmd = new OdbcCommand("SELECT * FROM receptionist WHERE username = '" + username_login.ToString() + "' AND password = '" + password_login.ToString() + "';");
        cmd.Connection = con;
        con.Open();
        OdbcDataReader reader = cmd.ExecuteReader();
        while (reader.Read())
        {
            if (reader.GetString(0) != 1)
            { return false; }
            else
            { return true; }
        }
        cmd.Connection.Close();
        reader.Dispose();
        cmd.Dispose();

There are errors but I don’t know what is the problem with that.
Here’s a screenshot:

enter image description here

Hoping that someone ca help me..

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your code is vulnerable to SQL Injection. Never use string concatenations when building your SQL queries. Use parametrized queries instead:

    public bool IsValid(string username, string password)
{
    using (var conn = new OdbcConnection("host=localhost;usr=root;password=admin;db=timekeeping;"))
    using (var cmd = conn.CreateCommand())
    {
        conn.Open();
        cmd.CommandText = "SELECT count(*) FROM receptionist WHERE username = @username AND password = @password;";
        cmd.Parameters.AddWithValue("@username", username);
        cmd.Parameters.AddWithValue("@password", password);
        var count = (long)cmd.ExecuteScalar();
        return count > 0;
    }
}

    and then call like this:

    bool isValid = IsValid(username_login.ToString(), password_login.ToString());

    Also if you are using SQL Server you are better with SqlConenction instead of ODBC driver.

    • 0