create a login page in vb.net by c# & mysql but it shows error message connection must be valid and open

1
votes

private void admin_submit_button_Click(object sender, EventArgs e) { try { string myConnection = "datasource= localhost;port=3306;username=root;password=root";

           MySqlConnection myConn = new MySqlConnection(myConnection);

           MySqlCommand SelectCommand = new MySqlCommand("select * from mws.login_info where login_id='" + this.admin_id_textbox + "'and login_password1='" + this.admin_password_textbox1 + "' and login_password2='" + this.admin_password_textbox2 + "'");
           MySqlDataReader myReader;
           myConn.Open();
           myReader = SelectCommand.ExecuteReader();
           int count = 0;
           while (myReader.Read())
           {
               count = count + 1;
           }
           if (count == 1)
           {
               MessageBox.Show("username and password is correct");
           }
           else
               MessageBox.Show("username and password not correct");
           myConn.Close();
       }
        catch(Exception ex)
       {
           MessageBox.Show(ex.Message);





        }
    }
}

}

1
c#mysqlasp.netvb.net

1 Answers

0
votes

You have not associated the command with the connection. You code lacks of the following line

SelectCommand.Connection = myConn ;

Said that, imagine that I write in your admin_id_textbox the following text

' OR login_id like '%' --

what happen to your checks for the correct login? It is called Sql Injection and it is a very dangerous situation for every kind of database access.

Use always a parameterized query to build sql commands, in particular when part of your command is built using user input text

private void admin_submit_button_Click(object sender, EventArgs e) 
{ 
    try 
    { 
       string cmdText = @"select * from mws.login_info 
                         where login_id=@id and login_password1=@pwd
                         and login_password2=@pwd2";
       string myConnection = "datasource= localhost;port=3306;username=root;password=root";
       using(MySqlConnection myConn = new MySqlConnection(myConnection))
       using(MySqlCommand SelectCommand = new MySqlCommand(cmdText, myConnection))
       {
           myConn.Open();
           SelectCommand.Parameters.AddWithValue("@id", this.admin_id_textbox);
           SelectCommand.Parameters.AddWithValue("@pwd",this.admin_password_textbox1);
           SelectCommand.Parameters.AddWithValue("@pwd2",this.admin_password_textbox2);
           using(MySqlDataReader myReader = SelectCommand.ExecuteReader())
           {
               if(myReader.HasRows)
                   MessageBox.Show("username and password is correct");
               else
                    MessageBox.Show("username and password not correct");
           }
       }
    }
    catch(Exception ex)
    {
       MessageBox.Show(ex.Message);
    }