```csharp
private void button_Login_Click(object sender, EventArgs e)
{
    // Query built by string concatenation, as posted (the solution below explains why this is dangerous).
    string query = "Select * from Members Where Email= '" + UserEmail + "' AND Password= '" + UserPassword + "'";

    dataBase.readDatathroughAdapter(query, dtusers);

    if (dtusers.Rows.Count == 1)
    {
        name = dtusers.Rows[0]["Name"].ToString();
        id = dtusers.Rows[0]["ID"].ToString();
        email = dtusers.Rows[0]["Email"].ToString();
        password = dtusers.Rows[0]["Password"].ToString();
        Surname = dtusers.Rows[0]["Surname"].ToString();
        gender = dtusers.Rows[0]["Gender"].ToString();

        // If I remove those below the form is shown.
        // Column 6 holds the role; it is compared by exact string match.
        if (dtusers.Rows[0][6].ToString() == "Admin")
        {
            MessageBox.Show("Admin");
            AdminHome adminHome = new AdminHome();
            adminHome.Show();
            this.Hide();
        }
        else if (dtusers.Rows[0][6].ToString() == "User")
        {
            MessageBox.Show("User");
            home.Show();
            this.Hide();
        }
    }
}
```


I am trying to make an application where members log in and, depending on their role, are directed to different forms.
When I run the application and click on the button it does nothing, but if I remove the if statements and, for example, just leave the "home.Show()" part, it directs me to the home form, so that works.

What I have tried:

Tried multiple ways to modify the code but still, it does not work.
Posted
Updated 31-May-21 5:54am
Comments
Richard MacCutchan 31-May-21 11:42am    
The if statement is testing the number of rows returned from the database. If that is not equal to 1 then the code does nothing.
F-ES Sitecore 31-May-21 12:34pm    
You should learn to use the debugger and step through your code a line at a time to get a better idea about what is happening.
durim kolukaj 31-May-21 17:44pm    
As you can see I am still a beginner, so that's why I asked for help.
[no name] 31-May-21 23:08pm    
var row = dtusers.Rows[0];
name = row["Name"].ToString();
etc.
durim kolukaj 9-Jun-21 6:44am    
The problem was that in the DB it was not "Admin" but "Admin " that's why it never fulfilled the if statement.

1 solution

You have bigger problems than the one you've spotted...

Firstly, never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
```sql
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
```
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
```sql
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
```
Which SQL sees as three separate commands:
```sql
SELECT * FROM MyTable WHERE StreetAddress = 'x';
```
A perfectly valid SELECT
```sql
DROP TABLE MyTable;
```
A perfectly valid "delete the table" command
```sql
--'
```
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

And for a login screen? All that means is I can also bypass your login and log in as any user I want without knowing the password ...

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Secondly, never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.

And remember: if this is web based and you have any European Union users then GDPR applies and that means you need to handle passwords as sensitive data and store them in a safe and secure manner. Text is neither of those and the fines can be .... um ... outstanding. In December 2018 a German company received a relatively low fine of €20,000 for just that.

Combine the two of those together and you are looking at some very serious fines for data protection breaches as that is "gross incompetence" - and the fines are enough to bankrupt medium sized companies pretty easily ... how does 20,000,000 euros or 4% of global turnover whichever is the larger grab you?
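The parameterized form of the poster's login query, written as an added example (not the poster's code or the solution author's). It assumes the Members table from the question, that the role column at index 6 is named "Role", and a hypothetical ConnectionString constant; the role check also allows for the trailing space ("Admin ") the poster later found in the database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original question or answer.
public static class MemberLogin
{
    // Hypothetical connection string; replace with your own.
    private const string ConnectionString =
        "Server=.;Database=MembersDb;Integrated Security=true;";

    // Returns the member's row, or null unless exactly one row matches.
    // The user-supplied values never become part of the SQL text: the
    // server receives the query shape and the values separately, so an
    // input such as  x';DROP TABLE Members;--  is only ever compared
    // against the Email column and matches nothing.
    public static DataRow FindMember(string userEmail, string userPassword)
    {
        const string query =
            "SELECT ID, Name, Surname, Email, Gender, Role " +
            "FROM Members WHERE Email = @Email AND Password = @Password";

        var dtUsers = new DataTable();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(query, conn))
        {
            // Typed parameters with explicit lengths; the provider does the quoting.
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = userEmail;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 128).Value = userPassword;

            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(dtUsers);
            }
        }
        return dtUsers.Rows.Count == 1 ? dtUsers.Rows[0] : null;
    }

    // Role comparison by column name rather than position, tolerant of the
    // trailing space the poster found stored in the database.
    public static bool HasRole(DataRow member, string role)
    {
        var stored = member["Role"].ToString().Trim();
        return string.Equals(stored, role, StringComparison.OrdinalIgnoreCase);
    }
}
```

The password is still compared as stored, following the question's schema; the solution's second point (hashed password storage) is a separate change to both the table and this query.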
 
Comments
durim kolukaj 31-May-21 17:48pm    
Thank you for your advice, I will try to improve in the future cause I just started.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)