0
votes

This is my problem, here is where I am stuck...

https://drive.google.com/file/d/0BxqCNfHpYEJlejVwcGxYVHo1VWM/view?usp=sharing

Can you help me... please bear with me if this one seems so obvious...

    OleDbConnection con = new OleDbConnection();

    con.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Sparrow vivek\Documents\Billing.accdb";
    con.Open();
    String query = "select * from user where username='" + textBox1.Text + "'and password='" + textBox2.Text + "'";
    OleDbCommand cmd = new OleDbCommand(query, con);

    //cmd.ExecuteNonQuery();
    OleDbDataReader rd = cmd.ExecuteReader();
    int i = 0;
    String ss = null;
    while (rd.Read())
    {
        i++;
        ss = rd[0].ToString();
    }
    if (i > 0)
    {
        Form4 f4 = new Form4();
        this.Hide();
        f4.Show();
        con.Close();
    }
    else
    {
        label4.Text = "Username or Password not valid";
        label4.ForeColor = Color.Red;
    }
    con.Close();
1
Is your table name correct? Check the field name and table name. Make sure "user" is your table name, not the database name. - Sandesh
user is an SQL keyword... use [user] instead or rename your table - webber2k6
webber, post your answer below so that I can accept it... - Sparrow vivek

1 Answer

0
votes

First, you are WIDE OPEN to SQL-Injection. Never concatenate strings for your query... Parameterize them.

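// [user] is bracketed because user is a reserved word (see the comments on the question)
String query = "select * from [user] where username = ? and password = ?";
OleDbCommand cmd = new OleDbCommand(query, con);
// AddWithValue replaces the obsolete Add(string, object) overload
cmd.Parameters.AddWithValue( "parmUser", textBox1.Text );
cmd.Parameters.AddWithValue( "parmPassword", textBox2.Text );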

The "?" is a place-holder for the parameters in your query, and they should be added in the same order after the command is actually built, before executing it.

SQL-Server and other engines allow you to name your parameters, but out of habit, you should probably still keep them in the same sequence as in the query being prepared.

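// [user] is bracketed because user is a reserved word (see the comments on the question)
String query = "select * from [user] where username = @parmUser and password = @parmPassword";
OleDbCommand cmd = new OleDbCommand(query, con);
// AddWithValue replaces the obsolete Add(string, object) overload
cmd.Parameters.AddWithValue( "parmUser", textBox1.Text );
cmd.Parameters.AddWithValue( "parmPassword", textBox2.Text );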

However, it could also be because you have no space between the closing quote after the name parameter and the AND clause...

+ "'and....
to
+ "' and...
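
Added example (not part of the original answer and not the poster's code): a complete version of the login check with the query parameterized as the answer recommends, next to the concatenated string from the question. The class and method names are hypothetical and the 255-character parameter size is an assumption about the column definitions; the table, columns and connection string are the ones in the question.

```csharp
using System;
using System.Data.OleDb;

// Added example. LoginCheck, Concatenated and IsValidLogin are hypothetical names.
static class LoginCheck
{
    const string ConnStr =
        @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\Users\Sparrow vivek\Documents\Billing.accdb";

    // The string built in the question: input becomes part of the SQL text.
    // Only used here to print the text; it is never executed.
    public static string Concatenated(string user, string pass)
    {
        return "select * from user where username='" + user + "'and password='" + pass + "'";
    }

    // Parameterized form: the SQL text is constant, input travels only as values.
    public static bool IsValidLogin(string user, string pass)
    {
        // Brackets stop the engine from reading the names as keywords.
        const string sql =
            "select count(*) from [user] where [username] = ? and [password] = ?";

        // using closes the connection and command on every path,
        // including when Open() or the query throws.
        using (var con = new OleDbConnection(ConnStr))
        using (var cmd = new OleDbCommand(sql, con))
        {
            // OLE DB binds by position: add values in the order of the ? markers.
            // Size 255 is an assumption about the column definitions.
            cmd.Parameters.Add("parmUser", OleDbType.VarWChar, 255).Value = user;
            cmd.Parameters.Add("parmPassword", OleDbType.VarWChar, 255).Value = pass;
            con.Open();
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }

    static void Main()
    {
        // Constructed sample input: an ordinary name containing an apostrophe.
        // In the concatenated text the quote ends the string literal early, so
        // the statement no longer means what was intended; bound as a parameter,
        // the same character is just data.
        Console.WriteLine(Concatenated("O'Brien", "secret"));
        Console.WriteLine(IsValidLogin("O'Brien", "secret"));
    }
}
```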