The code below is ran when user presses the Login button:
MySql.Data.MySqlClient.MySqlConnection connection;
string server = "s570.use8.mysecurecloudhost.com";
string database = "nextgene_NGH";
string uid = "nextgene_NGH";
string password = "EXAMPLE PASSWORD";
string ssl = "None";
string connectionString;
connectionString = "SERVER=" + server + ";" + "DATABASE=" +
database + ";" + "UID=" + uid + ";" + "PASSWORD=" + password + ";" + "SSL Mode=" + ssl;
int i;
connection = new MySqlConnection(connectionString);
try
{
i = 0;
connection.Open();
MessageBox.Show("Connection Successful!");
MySqlCommand cmd = connection.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "SELECT * FROM `core_members` where name='" + maskedTextBox1.Text + "' and exact_password='" + maskedTextBox2.Text + "'";
cmd.ExecuteNonQuery();
DataTable dt = new DataTable();
MySqlDataAdapter da = new MySqlDataAdapter(cmd);
da.Fill(dt);
i = Convert.ToInt32(dt.Rows.Count.ToString());
if (i == 0)
{
MessageBox.Show("Login Failed.");
//button2.Visible = true;
}
else
{
MessageBox.Show("Login Successful.");
}
}
catch (Exception ex)
{
MessageBox.Show("Error, Something Happened!");
}
connection.Close();
Obviously, I have changed my password since I’m sharing this code online but the password works.It get’s to show :
MessageBox.Show("Connection Successful!");
and then immediately shows:
MessageBox.Show("Error, Something Happened!");
Below is a photo of the actual database:
what is wrong with my code as it automatically gives after after showing the connection was successful?
I was hoping it was successful and allow me to log in successfully…
2
Answers
First, Catching an error that just says "an error happened" is useless. Obviously you know that the database connection succeeded, so the error must be something after that.
Now that you can see the actual error you can dig further, but I see two potential reasons for the failure:
You are concatenating strings instead of using parameters, which is bad enough, but doing it when dealing with passwords is a mortal sin. It’s possible that the password contains special characters (like a single quote) that don’t work well with string concatenation
You are loading the results to a datatable just to see if a row exists. A simpler way would just to
SELECT COUNT(*), useExecuteScalar, and look at the result (0 means no rows fit the criteria). It’s possible that the DataTable is not filled the way you expect when there are no results.You should also look up using the dispose pattern so that your connections are closed gracefully when you’re done. That’s probably not the problem here but it’s a good habit to get into.
There are a number of improvements in here:
The change that most directly relates to the issue at hand is the changing the "Something happened" error to instead give you a meaningful message… but some of the others are probably more important, including better password handling, proper connection disposal, and parameterized queries.