C#
private void button1_Click(object sender, EventArgs e)
{
    // Only the case where BOTH boxes are empty is rejected here.
    if (txtuser.Text == "" && txtpass.Text == "")
    {
        MessageBox.Show("USERNAME and PASSWORD cannot be blank");
        txtuser.Focus();
    }
    else
    {
        SqlConnection cn = new SqlConnection("Data Source=XYZ;Initial Catalog=CRMS;Integrated Security=True");
        cn.Open();

        // The two text-box values are spliced directly into the SQL text.
        SqlCommand cmd = new SqlCommand("select * from login where username = '" + txtuser.Text + "' and password = '" + txtpass.Text + "'", cn);
        SqlDataReader dr = cmd.ExecuteReader();

        // Count the matching rows; exactly one row is treated as a valid login.
        int count = 0;
        while (dr.Read())
        {
            count += 1;
        }
        dr.Close();

        if (count == 1)
        {
            MessageBox.Show("WELCOME!", "Message", MessageBoxButtons.OK, MessageBoxIcon.Information);

            Home h = new Home();
            h.Show();
            this.Hide();
        }
        else // was 'else if (count >= 0)', a condition that is always true
        {
            MessageBox.Show("Wrong Username or Password", "Message", MessageBoxButtons.OK, MessageBoxIcon.Error);
        }

        cn.Close();

        txtuser.Clear();
        txtpass.Clear();
    }
}


What I have tried:

The above code is working and there is no problem at all. What I need is to restrict the user after 3 unsuccessful attempts, and then the application will exit. I really don't know where to implement that. Can anyone help please? I badly need that.
Thank you in advance!
Posted
Updated 6-Apr-17 14:34pm
Comments
PIEBALDconsult 6-Apr-17 20:07pm    
Please use parameterized statements; do not use string concatenation to insert values into a command.
And please do not put data access code directly in your UI code.
Dave Kreskowiak 6-Apr-17 20:21pm    
What if the user enters a password but not a username? Your IF statement doesn't account for that situation, nor the opposite.
Richard Deeming 7-Apr-17 9:56am    
And you're storing passwords in plain text. You should only ever store a salted hash of the user's password.

Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right

Hi,

Following is a modified version of your code to suit your needs:

1) Move the counter to a global level of the form.
2) You can use 'HasRows' of the data reader to see if a match was found.
C#
// Move the counter to a global (form) level; a local inside the handler would reset on every click.
int count = 1;

private void button1_Click(object sender, EventArgs e)
{
    if (txtuser.Text == "" && txtpass.Text == "")
    {
        MessageBox.Show("USERNAME and PASSWORD cannot be blank");
        txtuser.Focus();
    }
    else
    {
        SqlConnection cn = new SqlConnection("Data Source=LAPTOP-SO38VH6F;Initial Catalog=CRMS;Integrated Security=True");
        cn.Open();

        SqlCommand cmd = new SqlCommand("select * from login where username = '" + txtuser.Text + "' and password = '" + txtpass.Text + "'", cn);
        SqlDataReader dr = cmd.ExecuteReader();

        // HasRows == true means a matching login row was found.
        bool found = dr.HasRows;

        dr.Close();
        cn.Close(); // Close the reader and connection on every path, including the one that exits the application.

        if (found)
        {
            MessageBox.Show("WELCOME!", "Message", MessageBoxButtons.OK, MessageBoxIcon.Information);

            Home h = new Home();
            h.Show();
            this.Hide();
        }
        else
        {
            // count starts at 1, so this branch is taken on the third failed attempt.
            if (count++ >= 3)
            {
                MessageBox.Show("Failed in 3 login attempts. Assuming unauthorized access. Terminating!", "Message", MessageBoxButtons.OK, MessageBoxIcon.Error);
                Application.Exit();
                return; // Application.Exit() does not stop this handler; without the return, the "Wrong Username" box below would still be shown.
            }

            // Not terminating yet: the user still has attempts left out of the 3.
            MessageBox.Show("Wrong Username or Password", "Message", MessageBoxButtons.OK, MessageBoxIcon.Error);

            txtuser.Clear();
            txtpass.Clear();
        }
    }
}
Some suggestions on improving the code:

1) Wrap in TRY-CATCH.
2) It looks like you are storing the password as is in the database. Please use encryption to store and retrieve.
3) Mind SQL injection. Better pass the username and password to a SQL stored procedure or function that will return YES/NO.
Comments
Member 13111663 6-Apr-17 20:44pm    
Your code is correct, thank you so much! It worked for me, thank you bro!
Mehedi Shams 6-Apr-17 20:58pm    
Thanks, glad it helped :)!
Nirav Prabtani 7-Apr-17 1:49am    
+5 for your efforts.

Just make sure users are not going to get us to do their homework for them.
Mehedi Shams 7-Apr-17 1:52am    
Thanks Nirav, I shall keep that in mind.
Richard Deeming 7-Apr-17 9:57am    
"Better pass the username and password to a SQL stored procedure or function that will return YES/NO."

Using a stored procedure or function won't protect against SQL Injection. You have to use parameterized queries instead.
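The following is an added example, not code from the question, the answer above or any of the commenters. It puts the three points raised in this thread together in one class that the click handler calls: the attempt counter kept at form level rather than in the handler, a parameterised statement instead of string concatenation, and a salted PBKDF2-SHA256 hash instead of a password stored in plain text. The column names pwd_salt, pwd_hash and iterations, the names LoginGate and LoginResult, and a .NET Framework 4.7.2 or later target (for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName) are assumptions; the login table, txtuser, txtpass, Home and the connection string are the ones from the question.

```csharp
// Assumed schema (column names are assumptions; the page only shows 'login' with 'username'/'password'):
//   login(username NVARCHAR(64) PRIMARY KEY, pwd_salt VARBINARY(16), pwd_hash VARBINARY(32), iterations INT)
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public enum LoginResult { MissingInput, Success, Failed, LockedOut }

public class LoginGate
{
    private const int MaxAttempts = 3, SaltBytes = 16, HashBytes = 32, DefaultIterations = 100000;
    private readonly string connectionString;
    private int failedAttempts;   // a field, not a local: it has to survive between button clicks

    public LoginGate(string connectionString) { this.connectionString = connectionString; }

    // Registration side: random per-user salt + PBKDF2-SHA256. Store salt, hash and iteration count,
    // never the password itself.
    public static (byte[] salt, byte[] hash) CreatePasswordRecord(string password, int iterations = DefaultIterations)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return (salt, Pbkdf2(password, salt, iterations));
    }

    public LoginResult TryLogin(string username, string password)
    {
        // Reject when EITHER field is blank; the question's check used && and let one empty field through.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
            return LoginResult.MissingInput;

        if (PasswordMatches(username, password))
        {
            failedAttempts = 0;
            return LoginResult.Success;
        }
        failedAttempts++;
        return failedAttempts >= MaxAttempts ? LoginResult.LockedOut : LoginResult.Failed;
    }

    private bool PasswordMatches(string username, string password)
    {
        const string sql = "SELECT pwd_salt, pwd_hash, iterations FROM login WHERE username = @username";
        byte[] salt = null, storedHash = null;
        int iterations = DefaultIterations;

        using (var cn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, cn))
        {
            // The username travels as a typed parameter, so it can never change the SQL text.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            cn.Open();
            using (var dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (dr.Read())
                {
                    salt = (byte[])dr["pwd_salt"];
                    storedHash = (byte[])dr["pwd_hash"];
                    iterations = dr.GetInt32(dr.GetOrdinal("iterations"));
                }
            }
        }

        bool userExists = salt != null;
        if (!userExists)
        {
            // Unknown user: still run one PBKDF2 so response time does not reveal which usernames exist.
            salt = new byte[SaltBytes];
            storedHash = new byte[HashBytes];
        }
        byte[] candidate = Pbkdf2(password, salt, iterations);
        return userExists && FixedTimeEquals(candidate, storedHash);
    }

    private static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte whatever the position of the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The form keeps one LoginGate as a field (so the count outlives each click) and the handler switches on gate.TryLogin(txtuser.Text, txtpass.Text): the existing message boxes for MissingInput and Failed, new Home().Show() plus this.Hide() on Success, and on LockedOut the "Failed in 3 login attempts" box followed by Application.Exit() and an immediate return. One caveat: this counter lives in the client, so anyone can restart the .exe for three more guesses. A lockout that is meant to slow down a guessing attack has to be recorded in the database (a failed-attempt count or a locked_until column on the login row) and checked before the hash comparison.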
This article describes the same question.

Three times wrong login credentials then login form will exit

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)