VB
Private Sub Button1_Click_1(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    ' DataTable.Select takes a filter expression: the "=" operator was missing from
    ' "AdminUsername'...'", and any single quote in the typed text must be doubled
    ' so it stays inside the string literal instead of ending it.
    Dim userName As String = TextBox1.Text.Replace("'", "''")

    ' Admin lookup. Select returns DataRow(), so cast the row to the typed row, and
    ' check that a row was found before indexing Staz(0).
    Dim Staz As DataRow() = Database1DataSet1.AdminLogin.Select("AdminUsername = '" & userName & "'")
    If Staz.Length > 0 Then
        Dim admin As Database1DataSet.AdminLoginRow = CType(Staz(0), Database1DataSet.AdminLoginRow)
        ' The Equals check keeps the original case-sensitive comparison.
        If admin.AdminUsername.Equals(TextBox1.Text) AndAlso admin.AdminPassword.Equals(TextBox2.Text) Then
            Me.Hide()
            Staff_ManageAccounts.Show()
            Return
        End If
    End If

    ' Professor lookup. This is a separate table, so it is checked on its own rather
    ' than inside the admin branch.
    Dim Kaz As DataRow() = Database1DataSet1.ProfessorLogin.Select("ProfessorUsername = '" & userName & "'")
    If Kaz.Length > 0 Then
        Dim professor As Database1DataSet.ProfessorLoginRow = CType(Kaz(0), Database1DataSet.ProfessorLoginRow)
        If professor.ProfessorUsername.Equals(TextBox1.Text) AndAlso professor.ProfessorPassword.Equals(TextBox2.Text) Then
            Me.Hide()
            Faculty_Main.Show()
        End If
    End If
End Sub
Updated 6-Dec-13 2:51am
Comments
Mike Meinz 6-Dec-13 8:28am    
These two statements do not look right. AdminUsername and ProfessorUsername are properties of Staz and Kaz, but you have them in quotes and you have apostrophes within the quotes. On which line do you get the error message? What parameter(s) does the Database1DataSet1.AdminLogin.Select method expect?

Database1DataSet1.AdminLogin.Select("AdminUsername'" & TextBox1.Text & "'")
Database1DataSet1.ProfessorLogin.Select("ProfessorUsername'" & TextBox1.Text & "'")


Also, passing a textbox value can allow SQL Injection Attacks. It is a best practice to create parameterized queries using the SQLParameter class to prevent SQL Injection Attacks. Furthermore, doing so provides better performance.
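The parameterized approach described in this comment, written out as an added example (it is not code from the question or from any of the comments). It assumes the question's SQL Server Compact file Database1.sdf with a table AdminLogin whose columns are AdminUsername and AdminPassword, and a connection string of the form "Data Source=Database1.sdf"; the module, function and parameter names are hypothetical. The string-built version is shown beside the parameterized one only as the "before" of the fix.

```vbnet
' Added example, not from the question or the comments. Assumes Database1.sdf
' (SQL Server Compact) with table AdminLogin(AdminUsername, AdminPassword);
' module, function and parameter names are hypothetical.
Imports System.Data
Imports System.Data.SqlServerCe

Public Module AdminLoginQueries

    ' String-built query: the typed user name and password become part of the
    ' SQL text, so a quote in either of them changes the statement itself.
    ' Kept here only as the "before" of the fix.
    Public Function CountAdminsUnsafe(ByVal connectionString As String, ByVal userName As String, ByVal password As String) As Integer
        Dim sql As String = "SELECT COUNT(*) FROM AdminLogin WHERE AdminUsername = '" & userName & _
                            "' AND AdminPassword = '" & password & "'"
        Using conn As New SqlCeConnection(connectionString)
            conn.Open()
            Using cmd As New SqlCeCommand(sql, conn)
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' Parameterized query: the SQL text is fixed at compile time and the typed
    ' values travel as parameter values, so nothing the user types can alter
    ' the statement. The provider can also cache the plan for the fixed text.
    Public Function CountAdmins(ByVal connectionString As String, ByVal userName As String, ByVal password As String) As Integer
        Const sql As String = "SELECT COUNT(*) FROM AdminLogin WHERE AdminUsername = @user AND AdminPassword = @pass"
        Using conn As New SqlCeConnection(connectionString)
            conn.Open()
            Using cmd As New SqlCeCommand(sql, conn)
                cmd.Parameters.Add("@user", SqlDbType.NVarChar).Value = userName
                cmd.Parameters.Add("@pass", SqlDbType.NVarChar).Value = password
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' Shape for the button handler: exactly one matching row means the login
    ' succeeds. Zero rows simply yields False, so there is no rows(0) to index
    ' and no IndexOutOfRangeException for an unknown user name.
    Public Function AdminLoginSucceeds(ByVal connectionString As String, ByVal userName As String, ByVal password As String) As Boolean
        Return CountAdmins(connectionString, userName, password) = 1
    End Function
End Module
```

In the click handler this replaces the DataTable.Select lookup with `If AdminLoginSucceeds("Data Source=Database1.sdf", TextBox1.Text, TextBox2.Text) Then ...`; the same pattern with a second query against ProfessorLogin covers the faculty case. The parameter type should match the column type in the .sdf file (NVarChar is assumed here).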
Reverendo Gabriel 6-Dec-13 19:47pm    
Staz = Database1DataSet1.AdminLogin.Select("AdminUsername'" & TextBox1.Text & "'")
Reverendo Gabriel 6-Dec-13 19:58pm    
The Database1Dataset1.AdminLogin.Select calls the table in Database1.sdf called AdminLogin, where "AdminUsername" is one of the columns in the AdminLogin table. I am trying to understand the concept of creating a login that is connected to the database. Right now I am not focused on the possibilities of an attack yet. I am trying to create a desktop-based grading system, and mostly all of the TextBoxes and DataGridViews that I would be using are connected to each other and especially to the database. Do you have any suggestions?
Mike Meinz 7-Dec-13 7:40am    
What parameter(s) does the Database1DataSet1.AdminLogin.Select method expect?

A parameter formatted like this does not make sense to me:
AdminUsername'" & TextBox1.Text & "'"

What does the Database1DataSet1.AdminLogin.Select method look like? Please use the Improve Question link above and post the code for Database1DataSet1.AdminLogin.Select.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)