Home/ Questions/Q 4017036
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T09:48:45+00:00

Well I am working on a simple login screen for a game and it

  • 0

Well I am working on a simple login screen for a game and it uses username and password authentication. It connects to the database checks to see if username and password are there and then sees if it matches the data. If you insert the right username and password it works fine, but if you do one that is not in the database it fails and crashes. I was wondering am I doing this right? code below.

private void loginButton_Click(object sender, EventArgs e)
{
   string connectionString = "datasource=STUFFZ;database=users";
   string select = "SELECT Username, Password FROM RegularUsers WHERE Username = '" + usernameBox.Text + "' AND Password = '" + passwordBox.Text + "'";

   MySqlConnection my = new MySqlConnection(connectionString);

   MySqlCommand command = new MySqlCommand(select, my);
   my.Open();

   //String strResult = String.Empty;
   //strResult = (String)command.ExecuteScalar();
   string[] bba = new string[2];
   bba[1] = (String)command.ExecuteScalar();
   my.Close();

   if (bba[1].Equals(usernameBox.Text))
   {
      AdminPanel bb = new AdminPanel();
      bb.Show();
   }
   else
   {
      MessageBox.Show("INCORRECT USER/PASS!");
   }
}

The incorrect USER/PASS box never shows if you insert it wrong.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Couple of comments:

    • don’t string together your SQL queries – use parametrized queries to avoid SQL injection
    • you should put your SqlConnection and SqlCommand into using(....) { ... } blocks
    • if you return two values, you should not use .ExecuteScalar() – that call only works for single row, single column returns

    So all in all, your code should be something like this:

    private void loginButton_Click(object sender, EventArgs e)
{
   string connectionString = "datasource=STUFFZ;database=users";
   string select = "SELECT Username, Password FROM dbo.RegularUsers " + 
                   "WHERE Username = @user AND Password = @Pwd"

   using(MySqlConnection myConn = new MySqlConnection(connectionString))
   using(MySqlCommand command = new MySqlCommand(select, myConn))
   { 
       command.Parameters.Add("@user", SqlDbType.VarChar, 50);
       command.Parameters["@user"].Value = usernameBox.Text.Trim();

       command.Parameters.Add("@pwd", SqlDbType.VarChar, 50);
       command.Parameters["@pwd"].Value = passwordBox.Text.Trim();

       myConn.Open();

       using(SqlDataReader rdr = command.ExecuteReader())
       {
          if(rdr.Read())
          {
             string userName = rdr.GetString(0);
             string password = rdr.GetString(1);

             rdr.Close();

             // here compare those values and do whatever you need to do
          }
       }

       myConn.Close();
   }    
}

    Furthermore, I think this code is a tad messy since you’re doing data access (selecting from SQL Server) and UI access (reading out textboxes, popping up dialog boxes) in the same snippet of code-

    You should strive for more separation of concerns, e.g.

    • define a method CheckUserName that takes in a user name and password as string, and returns e.g. a bool
    • from your event handler, get the information from the UI (read out the textboxes), call that separate function with these values, and then handle the returned value

    But mixing UI, logic and data access code – it gets messy and a maintenance nightmare really quickly!

    • 0