C# WPF login SQL bool method get the user

Question

0.00/5 (No votes)

See more:

Hello all,
I have a login method to check if a user is a member in my DB. My login method is only a bool and I am wondering how can I grab that current users data so I can pass it to the next window. I am checking textboxes to see if the text is valid.
One way I know I could solve this is to change my login method so it returns a user then I would have that specific user but I would like to see if I could grab the user data by checking if the data is in the DB.
Here is what I have:

C#

//Login XAML window.
private void BtnLoginUser_Click(object sender, RoutedEventArgs e){
            if (string.IsNullOrEmpty(txtUsername.Text)) {
                //verify and enter username.
                MessageBox.Show("Enter your username.", "Empty", MessageBoxButton.OK, MessageBoxImage.Information);                txtUsername.Focus();
                return;
            }
            else if (string.IsNullOrEmpty(txtPassword.Password)) {
                MessageBox.Show("Enter your password.", "Empty", MessageBoxButton.OK, MessageBoxImage.Information);                txtPassword.Focus();
                return;
            }
            else {
                try {
                    if(SQLuserAccess.UserLogin(txtUsername.Text, txtPassword.Password)){

                    }
                }
            }
        }

//SQL login method
        public static bool UserLogin(string username, string password) {
            bool valid = false;
            //SQL Login Query.
            string SQLloginQuery = "SELECT * FROM Users WHERE Username=@username AND Password=@password";
            SqlCommand cmdLogin = new SqlCommand(SQLloginQuery, connection);
            cmdLogin.Parameters.AddWithValue("@username", username);
            cmdLogin.Parameters.AddWithValue("@password", password);
            try {
                connection.Open();
                int result = (int)cmdLogin.ExecuteScalar();
                if (result > 0) {
                    valid = true;
                    MessageBox.Show("Login success");
                }
                else   MessageBox.Show("Login Failed");
            }
            catch (Exception ex) {
                ex.Message.ToString();
                throw ex;
            }
            finally{
                connection.Close();
            }
            return valid;
        }
//This is a method I use to get the user
        public static User GetUserById(int userId{            
            string SQLreadQuery = "SELECT Username, Password, IsAdmin, UserCreatedDate " +
                                  "FROM Users WHERE UserId = " + userId; //or SELECT ea column or *.
            SqlCommand cmdRead = new SqlCommand(SQLreadQuery, connection);
            try{
                connection.Open();
                SqlDataReader reader = cmdRead.ExecuteReader(CommandBehavior.SingleRow);
                if(reader.Read()){
                    User user = new User();
                    user.UserID = Convert.ToInt32(reader["UserId"]);
                    user.Username = reader["Username"].ToString();
                    user.Password = reader["Password"].ToString();
                    user.IsAdmin = Convert.ToBoolean(reader["IsAdmin"]);
                    user.UserCreatedDate = Convert.ToDateTime(reader["UserCreatedDate"]);
                    return user;
                }
                else{
                    return null;
                }
            }
            catch(Exception ex){
                ex.Message.ToString();
                return null;
            }
            finally{
                connection.Close();
            }
        }

What I have tried:

I know i can solve this by returning a User instead of Bool but i would like to see if i can do it like this instead
Maybe if i return a user object with GetUserById() then i could retrieve the data.
do i want to store the data in a datatable? or just in a client object

Posted 4-Nov-18 20:30pm

TheBigBearNow

Updated 5-Nov-18 2:54am

Add a Solution

Comments

Richard Deeming 6-Nov-18 9:26am

You're storing passwords in plain text. Don't do that!

Secure Password Authentication Explained Simply[^]
Salted Password Hashing - Doing it Right[^]

Richard Deeming 6-Nov-18 9:29am

string SQLreadQuery = "SELECT Username, Password, IsAdmin, UserCreatedDate " 
    + "FROM Users WHERE UserId = " + userId;

Why?! You already know how to use parameters, so why do the wrong thing here?

In this particular case, since the parameter is an int, you've probably avoided a SQL Injection vulnerability. But you're still encouraging bad habits. And when you, or someone else, changes the code at a later date to pass a string instead, there's no warning of the critical security vulnerability that will introduce.

Also, using string concatenation instead of parameters can have an adverse effect on performance. SQL will be unable to use a cached execution plan for the query, since the query will be different every time.

Use parameters. Use them every time, even when you "know" that it would be safe not to.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

#realJSOP · Answer 1 · 2018-11-05T02:54:00

Solution 1

Create a static class that contains the desired user data.

When the user logs in, capture the desired user data into your static class, and you can still return a bool from your login method.

Posted 5-Nov-18 2:54am

#realJSOP