VB.NET DataTable rows
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
-1
I'm trying to make a login form.
I've created a database on my server and created the rows username and password.
I then created a root user with root as password.
but I have a problem with the check if the username and password are correct,
I don't know how to give him the 2 rows.
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
Dim sda = New SqlDataAdapter("select count(*) from tblLogin where username ='" + txtUsername.Text + "' and password='" + txtUserPwd.Text + "'", conn)
Dim dt = New DataTable()
sda.Fill(dt)
If (dt.Rows().ToString() = "1") Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Table:
sql-server database vb.net login edited Nov 29 '18 at 4:59
GYaN
2,09731432
asked Nov 28 '18 at 17:01
Nome CognomeNome Cognome
377
|
show 1 more comment
-1
I'm trying to make a login form.
I've created a database on my server and created the rows username and password.
I then created a root user with root as password.
but I have a problem with the check if the username and password are correct,
I don't know how to give him the 2 rows.
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
Dim sda = New SqlDataAdapter("select count(*) from tblLogin where username ='" + txtUsername.Text + "' and password='" + txtUserPwd.Text + "'", conn)
Dim dt = New DataTable()
sda.Fill(dt)
If (dt.Rows().ToString() = "1") Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Table:
sql-server database vb.net login edited Nov 29 '18 at 4:59
GYaN
2,09731432
asked Nov 28 '18 at 17:01
Nome CognomeNome Cognome
377
6
Woah!!! There's a lot wrong with what you have there. Firstly"username ='" + txtUsername.Text + "'". This isn't a parametrised query, and considering the statement you're running, the value oftxtUsernameis coming from user input. This is wide open to injection. You need to fix that, now. Parametrise your query. Next we have"password='" + txtUserPwd.Text + "'"; this very strongly implies you are storing password as plain text. As well as that this is also open to injection never store passwords as plain text. They should ideally be hashed and salted.
– Larnu
Nov 28 '18 at 17:08
1
As a very quick example, what do you think would happen if someone entered their username as'; SELECT * FROM sys.tables; DROP TABLE tblLogin;--or' CREATE LOGIN SuperAdmin WITH PASSWORD= '123', CHECK_POLICY=OFF, CHECK_EXPIRY = OFF; ALTER SERVER ROLE [sysadmin] ADD MEMBER [SuperAdmin];--?
– Larnu
Nov 28 '18 at 17:09
Its just a project im making for fun so i wont be uploading it anywhere and its even my first project with SQL
– Nome Cognome
Nov 28 '18 at 17:15
1
If (dt.Rows().ToString() = "1"does not indicate successful login with the query you're using. The value of that row could be 1 or 0. In either case, you will always get a row. You need to look at the actual value that is returned, not just the rowcount. If you wanted to check via simple rowcount then you would needSELECT * FROM tblLogin WHERE username=.... Or even better,SELECT 1 FROM tblLogin WHERE username=....
– squillman
Nov 28 '18 at 17:32
@squillman I don't see anything wrong with the OP Select statement (except it needs to use parameters). Select * will bring down unnecessary data.
– Mary
Nov 29 '18 at 1:45
|
show 1 more comment
-1
-1
-1
I'm trying to make a login form.
I've created a database on my server and created the rows username and password.
I then created a root user with root as password.
but I have a problem with the check if the username and password are correct,
I don't know how to give him the 2 rows.
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
Dim sda = New SqlDataAdapter("select count(*) from tblLogin where username ='" + txtUsername.Text + "' and password='" + txtUserPwd.Text + "'", conn)
Dim dt = New DataTable()
sda.Fill(dt)
If (dt.Rows().ToString() = "1") Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Table:
sql-server database vb.net login edited Nov 29 '18 at 4:59
GYaN
2,09731432
asked Nov 28 '18 at 17:01
Nome CognomeNome Cognome
377
I'm trying to make a login form.
I've created a database on my server and created the rows username and password.
I then created a root user with root as password.
but I have a problem with the check if the username and password are correct,
I don't know how to give him the 2 rows.
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
Dim sda = New SqlDataAdapter("select count(*) from tblLogin where username ='" + txtUsername.Text + "' and password='" + txtUserPwd.Text + "'", conn)
Dim dt = New DataTable()
sda.Fill(dt)
If (dt.Rows().ToString() = "1") Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Table:
sql-server database vb.net login sql-server database vb.net login edited Nov 29 '18 at 4:59
GYaN
2,09731432
asked Nov 28 '18 at 17:01
Nome CognomeNome Cognome
377
edited Nov 29 '18 at 4:59
GYaN
2,09731432
asked Nov 28 '18 at 17:01
Nome CognomeNome Cognome
377
edited Nov 29 '18 at 4:59
GYaN
2,09731432
edited Nov 29 '18 at 4:59
GYaN
2,09731432
edited Nov 29 '18 at 4:59
GYaN
2,09731432
2,09731432
asked Nov 28 '18 at 17:01
Nome CognomeNome Cognome
377
asked Nov 28 '18 at 17:01
Nome CognomeNome Cognome
377
asked Nov 28 '18 at 17:01
Nome CognomeNome Cognome
377
377
6
Woah!!! There's a lot wrong with what you have there. Firstly"username ='" + txtUsername.Text + "'". This isn't a parametrised query, and considering the statement you're running, the value oftxtUsernameis coming from user input. This is wide open to injection. You need to fix that, now. Parametrise your query. Next we have"password='" + txtUserPwd.Text + "'"; this very strongly implies you are storing password as plain text. As well as that this is also open to injection never store passwords as plain text. They should ideally be hashed and salted.
– Larnu
Nov 28 '18 at 17:08
1
As a very quick example, what do you think would happen if someone entered their username as'; SELECT * FROM sys.tables; DROP TABLE tblLogin;--or' CREATE LOGIN SuperAdmin WITH PASSWORD= '123', CHECK_POLICY=OFF, CHECK_EXPIRY = OFF; ALTER SERVER ROLE [sysadmin] ADD MEMBER [SuperAdmin];--?
– Larnu
Nov 28 '18 at 17:09
Its just a project im making for fun so i wont be uploading it anywhere and its even my first project with SQL
– Nome Cognome
Nov 28 '18 at 17:15
1
If (dt.Rows().ToString() = "1"does not indicate successful login with the query you're using. The value of that row could be 1 or 0. In either case, you will always get a row. You need to look at the actual value that is returned, not just the rowcount. If you wanted to check via simple rowcount then you would needSELECT * FROM tblLogin WHERE username=.... Or even better,SELECT 1 FROM tblLogin WHERE username=....
– squillman
Nov 28 '18 at 17:32
@squillman I don't see anything wrong with the OP Select statement (except it needs to use parameters). Select * will bring down unnecessary data.
– Mary
Nov 29 '18 at 1:45
|
show 1 more comment
6
Woah!!! There's a lot wrong with what you have there. Firstly"username ='" + txtUsername.Text + "'". This isn't a parametrised query, and considering the statement you're running, the value oftxtUsernameis coming from user input. This is wide open to injection. You need to fix that, now. Parametrise your query. Next we have"password='" + txtUserPwd.Text + "'"; this very strongly implies you are storing password as plain text. As well as that this is also open to injection never store passwords as plain text. They should ideally be hashed and salted.
– Larnu
Nov 28 '18 at 17:08
1
As a very quick example, what do you think would happen if someone entered their username as'; SELECT * FROM sys.tables; DROP TABLE tblLogin;--or' CREATE LOGIN SuperAdmin WITH PASSWORD= '123', CHECK_POLICY=OFF, CHECK_EXPIRY = OFF; ALTER SERVER ROLE [sysadmin] ADD MEMBER [SuperAdmin];--?
– Larnu
Nov 28 '18 at 17:09
Its just a project im making for fun so i wont be uploading it anywhere and its even my first project with SQL
– Nome Cognome
Nov 28 '18 at 17:15
1
If (dt.Rows().ToString() = "1"does not indicate successful login with the query you're using. The value of that row could be 1 or 0. In either case, you will always get a row. You need to look at the actual value that is returned, not just the rowcount. If you wanted to check via simple rowcount then you would needSELECT * FROM tblLogin WHERE username=.... Or even better,SELECT 1 FROM tblLogin WHERE username=....
– squillman
Nov 28 '18 at 17:32
@squillman I don't see anything wrong with the OP Select statement (except it needs to use parameters). Select * will bring down unnecessary data.
– Mary
Nov 29 '18 at 1:45
6
6
Woah!!! There's a lot wrong with what you have there. Firstly
"username ='" + txtUsername.Text + "'". This isn't a parametrised query, and considering the statement you're running, the value of txtUsername is coming from user input. This is wide open to injection. You need to fix that, now. Parametrise your query. Next we have "password='" + txtUserPwd.Text + "'"; this very strongly implies you are storing password as plain text. As well as that this is also open to injection never store passwords as plain text. They should ideally be hashed and salted.– Larnu
Nov 28 '18 at 17:08
Woah!!! There's a lot wrong with what you have there. Firstly
"username ='" + txtUsername.Text + "'". This isn't a parametrised query, and considering the statement you're running, the value of txtUsername is coming from user input. This is wide open to injection. You need to fix that, now. Parametrise your query. Next we have "password='" + txtUserPwd.Text + "'"; this very strongly implies you are storing password as plain text. As well as that this is also open to injection never store passwords as plain text. They should ideally be hashed and salted.– Larnu
Nov 28 '18 at 17:08
1
1
As a very quick example, what do you think would happen if someone entered their username as
'; SELECT * FROM sys.tables; DROP TABLE tblLogin;-- or ' CREATE LOGIN SuperAdmin WITH PASSWORD= '123', CHECK_POLICY=OFF, CHECK_EXPIRY = OFF; ALTER SERVER ROLE [sysadmin] ADD MEMBER [SuperAdmin];--?– Larnu
Nov 28 '18 at 17:09
As a very quick example, what do you think would happen if someone entered their username as
'; SELECT * FROM sys.tables; DROP TABLE tblLogin;-- or ' CREATE LOGIN SuperAdmin WITH PASSWORD= '123', CHECK_POLICY=OFF, CHECK_EXPIRY = OFF; ALTER SERVER ROLE [sysadmin] ADD MEMBER [SuperAdmin];--?– Larnu
Nov 28 '18 at 17:09
Its just a project im making for fun so i wont be uploading it anywhere and its even my first project with SQL
– Nome Cognome
Nov 28 '18 at 17:15
Its just a project im making for fun so i wont be uploading it anywhere and its even my first project with SQL
– Nome Cognome
Nov 28 '18 at 17:15
1
1
If (dt.Rows().ToString() = "1" does not indicate successful login with the query you're using. The value of that row could be 1 or 0. In either case, you will always get a row. You need to look at the actual value that is returned, not just the rowcount. If you wanted to check via simple rowcount then you would need SELECT * FROM tblLogin WHERE username=.... Or even better, SELECT 1 FROM tblLogin WHERE username=....– squillman
Nov 28 '18 at 17:32
If (dt.Rows().ToString() = "1" does not indicate successful login with the query you're using. The value of that row could be 1 or 0. In either case, you will always get a row. You need to look at the actual value that is returned, not just the rowcount. If you wanted to check via simple rowcount then you would need SELECT * FROM tblLogin WHERE username=.... Or even better, SELECT 1 FROM tblLogin WHERE username=....– squillman
Nov 28 '18 at 17:32
@squillman I don't see anything wrong with the OP Select statement (except it needs to use parameters). Select * will bring down unnecessary data.
– Mary
Nov 29 '18 at 1:45
@squillman I don't see anything wrong with the OP Select statement (except it needs to use parameters). Select * will bring down unnecessary data.
– Mary
Nov 29 '18 at 1:45
|
show 1 more comment
3 Answers
3
active
oldest
votes
0
Comments and explanations in-line.
Private Sub VerifyLogin()
'For the Return Value of the command
Dim RetVal As Integer
' A Using...End Using will ensure that you connectionis closed and disposed event
'it there is an error.
Using conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
'You don't need a DataAdapter, just a command
'USE PARAMETERS. Yes, I am yelling :-) Even if you are the only user
'it will save you headaches with syntax.
Using cmd = New SqlCommand("select count(*) from tblLogin where username = @UserName and password= @Password;", conn)
cmd.Parameters.Add("@UserName", SqlDbType.VarChar).Value = txtUsername.Text
cmd.Parameters.Add("@Password", SqlDbType.VarChar).Value = txtUserPwd.Text
'You are only returning one row
'ExecuteScalar returns the value in the first column of the
'first row of the the data
conn.Open()
RetVal = CInt(cmd.ExecuteScalar)
End Using
End Using
'No need to convert to a string just compare the Integer
If RetVal = 1 Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
End Sub
edited Nov 29 '18 at 2:04
Joel Coehoorn
312k96497735
answered Nov 29 '18 at 1:37
MaryMary
4,0332921
add a comment |
0
Private Function CalculateHash(password As String, salt As String) As String
'TODO:
' Suggest pulling the BCrypt from the NuGet gallery for this:
' https://www.nuget.org/packages/BCrypt-Official/
' Just remember that bcyrpt lib encodes salt as part of the password hash, so the function signatures and db table will be different.
End Function
Public Function CheckCredentials(UserName As String, Password As String) As Boolean
Using conn As New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user"), _
' Need to add a "Salt" column to your table, create a new random salt for each user when you create the user
cmd As New SqlCommand("SELECT Salt, PwdHash FROM tblLogin WHERE username = @Username", conn)
'Parameterized queries or NOTHING. String concatention is NOT OKAY here
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = UserName
conn.Open()
Using rdr As SqlDataReader = cmd.ExecuteReader()
If Not rdr.Read() Then Return False
Dim Salt As String = rdr("Salt")
Dim PwdHash As String = rdr("PwdHash")
'Compare HASHES, not Passwords
Return PwdHash = CalculateHash(Password, Salt As String)
End Using
End Using
End Function
If CheckCredentials(txtUsername.Text, txtUserPwd.Text) Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
answered Nov 29 '18 at 2:14
Joel CoehoornJoel Coehoorn
312k96497735
add a comment |
0
Use DataReader instead, use this code and just call CheckLogin in login button or somthing else.
Sub CheckLogin()
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
conn.Open()
Try
Dim query As String = "select count(*) from tblLogin where username = @username and password= @password "
Dim cmd = New SqlCommand(query, conn)
cmd.Parameters.AddWithValue("@username", txtUsername.Text)
cmd.Parameters.AddWithValue("@password", txtUserPwd.Text)
Dim DR As SqlDataReader = cmd.ExecuteReader()
If DR.HasRows Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Catch ex As Exception
MsgBox(ex.Message)
End Try
conn.Close()
End Sub
answered Nov 29 '18 at 4:23
PratilectronPratilectron
11
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53524573%2fvb-net-datatable-rows%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
0
Comments and explanations in-line.
Private Sub VerifyLogin()
'For the Return Value of the command
Dim RetVal As Integer
' A Using...End Using will ensure that you connectionis closed and disposed event
'it there is an error.
Using conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
'You don't need a DataAdapter, just a command
'USE PARAMETERS. Yes, I am yelling :-) Even if you are the only user
'it will save you headaches with syntax.
Using cmd = New SqlCommand("select count(*) from tblLogin where username = @UserName and password= @Password;", conn)
cmd.Parameters.Add("@UserName", SqlDbType.VarChar).Value = txtUsername.Text
cmd.Parameters.Add("@Password", SqlDbType.VarChar).Value = txtUserPwd.Text
'You are only returning one row
'ExecuteScalar returns the value in the first column of the
'first row of the the data
conn.Open()
RetVal = CInt(cmd.ExecuteScalar)
End Using
End Using
'No need to convert to a string just compare the Integer
If RetVal = 1 Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
End Sub
edited Nov 29 '18 at 2:04
Joel Coehoorn
312k96497735
answered Nov 29 '18 at 1:37
MaryMary
4,0332921
add a comment |
0
Comments and explanations in-line.
Private Sub VerifyLogin()
'For the Return Value of the command
Dim RetVal As Integer
' A Using...End Using will ensure that you connectionis closed and disposed event
'it there is an error.
Using conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
'You don't need a DataAdapter, just a command
'USE PARAMETERS. Yes, I am yelling :-) Even if you are the only user
'it will save you headaches with syntax.
Using cmd = New SqlCommand("select count(*) from tblLogin where username = @UserName and password= @Password;", conn)
cmd.Parameters.Add("@UserName", SqlDbType.VarChar).Value = txtUsername.Text
cmd.Parameters.Add("@Password", SqlDbType.VarChar).Value = txtUserPwd.Text
'You are only returning one row
'ExecuteScalar returns the value in the first column of the
'first row of the the data
conn.Open()
RetVal = CInt(cmd.ExecuteScalar)
End Using
End Using
'No need to convert to a string just compare the Integer
If RetVal = 1 Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
End Sub
edited Nov 29 '18 at 2:04
Joel Coehoorn
312k96497735
answered Nov 29 '18 at 1:37
MaryMary
4,0332921
add a comment |
0
0
0
Comments and explanations in-line.
Private Sub VerifyLogin()
'For the Return Value of the command
Dim RetVal As Integer
' A Using...End Using will ensure that you connectionis closed and disposed event
'it there is an error.
Using conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
'You don't need a DataAdapter, just a command
'USE PARAMETERS. Yes, I am yelling :-) Even if you are the only user
'it will save you headaches with syntax.
Using cmd = New SqlCommand("select count(*) from tblLogin where username = @UserName and password= @Password;", conn)
cmd.Parameters.Add("@UserName", SqlDbType.VarChar).Value = txtUsername.Text
cmd.Parameters.Add("@Password", SqlDbType.VarChar).Value = txtUserPwd.Text
'You are only returning one row
'ExecuteScalar returns the value in the first column of the
'first row of the the data
conn.Open()
RetVal = CInt(cmd.ExecuteScalar)
End Using
End Using
'No need to convert to a string just compare the Integer
If RetVal = 1 Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
End Sub
edited Nov 29 '18 at 2:04
Joel Coehoorn
312k96497735
answered Nov 29 '18 at 1:37
MaryMary
4,0332921
Comments and explanations in-line.
Private Sub VerifyLogin()
'For the Return Value of the command
Dim RetVal As Integer
' A Using...End Using will ensure that you connectionis closed and disposed event
'it there is an error.
Using conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
'You don't need a DataAdapter, just a command
'USE PARAMETERS. Yes, I am yelling :-) Even if you are the only user
'it will save you headaches with syntax.
Using cmd = New SqlCommand("select count(*) from tblLogin where username = @UserName and password= @Password;", conn)
cmd.Parameters.Add("@UserName", SqlDbType.VarChar).Value = txtUsername.Text
cmd.Parameters.Add("@Password", SqlDbType.VarChar).Value = txtUserPwd.Text
'You are only returning one row
'ExecuteScalar returns the value in the first column of the
'first row of the the data
conn.Open()
RetVal = CInt(cmd.ExecuteScalar)
End Using
End Using
'No need to convert to a string just compare the Integer
If RetVal = 1 Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
End Sub
edited Nov 29 '18 at 2:04
Joel Coehoorn
312k96497735
answered Nov 29 '18 at 1:37
MaryMary
4,0332921
edited Nov 29 '18 at 2:04
Joel Coehoorn
312k96497735
edited Nov 29 '18 at 2:04
Joel Coehoorn
312k96497735
edited Nov 29 '18 at 2:04
Joel Coehoorn
312k96497735
312k96497735
answered Nov 29 '18 at 1:37
MaryMary
4,0332921
answered Nov 29 '18 at 1:37
MaryMary
4,0332921
answered Nov 29 '18 at 1:37
MaryMary
4,0332921
4,0332921
add a comment |
add a comment |
0
Private Function CalculateHash(password As String, salt As String) As String
'TODO:
' Suggest pulling the BCrypt from the NuGet gallery for this:
' https://www.nuget.org/packages/BCrypt-Official/
' Just remember that bcyrpt lib encodes salt as part of the password hash, so the function signatures and db table will be different.
End Function
Public Function CheckCredentials(UserName As String, Password As String) As Boolean
Using conn As New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user"), _
' Need to add a "Salt" column to your table, create a new random salt for each user when you create the user
cmd As New SqlCommand("SELECT Salt, PwdHash FROM tblLogin WHERE username = @Username", conn)
'Parameterized queries or NOTHING. String concatention is NOT OKAY here
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = UserName
conn.Open()
Using rdr As SqlDataReader = cmd.ExecuteReader()
If Not rdr.Read() Then Return False
Dim Salt As String = rdr("Salt")
Dim PwdHash As String = rdr("PwdHash")
'Compare HASHES, not Passwords
Return PwdHash = CalculateHash(Password, Salt As String)
End Using
End Using
End Function
If CheckCredentials(txtUsername.Text, txtUserPwd.Text) Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
answered Nov 29 '18 at 2:14
Joel CoehoornJoel Coehoorn
312k96497735
add a comment |
0
Private Function CalculateHash(password As String, salt As String) As String
'TODO:
' Suggest pulling the BCrypt from the NuGet gallery for this:
' https://www.nuget.org/packages/BCrypt-Official/
' Just remember that bcyrpt lib encodes salt as part of the password hash, so the function signatures and db table will be different.
End Function
Public Function CheckCredentials(UserName As String, Password As String) As Boolean
Using conn As New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user"), _
' Need to add a "Salt" column to your table, create a new random salt for each user when you create the user
cmd As New SqlCommand("SELECT Salt, PwdHash FROM tblLogin WHERE username = @Username", conn)
'Parameterized queries or NOTHING. String concatention is NOT OKAY here
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = UserName
conn.Open()
Using rdr As SqlDataReader = cmd.ExecuteReader()
If Not rdr.Read() Then Return False
Dim Salt As String = rdr("Salt")
Dim PwdHash As String = rdr("PwdHash")
'Compare HASHES, not Passwords
Return PwdHash = CalculateHash(Password, Salt As String)
End Using
End Using
End Function
If CheckCredentials(txtUsername.Text, txtUserPwd.Text) Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
answered Nov 29 '18 at 2:14
Joel CoehoornJoel Coehoorn
312k96497735
add a comment |
0
0
0
Private Function CalculateHash(password As String, salt As String) As String
'TODO:
' Suggest pulling the BCrypt from the NuGet gallery for this:
' https://www.nuget.org/packages/BCrypt-Official/
' Just remember that bcyrpt lib encodes salt as part of the password hash, so the function signatures and db table will be different.
End Function
Public Function CheckCredentials(UserName As String, Password As String) As Boolean
Using conn As New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user"), _
' Need to add a "Salt" column to your table, create a new random salt for each user when you create the user
cmd As New SqlCommand("SELECT Salt, PwdHash FROM tblLogin WHERE username = @Username", conn)
'Parameterized queries or NOTHING. String concatention is NOT OKAY here
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = UserName
conn.Open()
Using rdr As SqlDataReader = cmd.ExecuteReader()
If Not rdr.Read() Then Return False
Dim Salt As String = rdr("Salt")
Dim PwdHash As String = rdr("PwdHash")
'Compare HASHES, not Passwords
Return PwdHash = CalculateHash(Password, Salt As String)
End Using
End Using
End Function
If CheckCredentials(txtUsername.Text, txtUserPwd.Text) Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
answered Nov 29 '18 at 2:14
Joel CoehoornJoel Coehoorn
312k96497735
Private Function CalculateHash(password As String, salt As String) As String
'TODO:
' Suggest pulling the BCrypt from the NuGet gallery for this:
' https://www.nuget.org/packages/BCrypt-Official/
' Just remember that bcyrpt lib encodes salt as part of the password hash, so the function signatures and db table will be different.
End Function
Public Function CheckCredentials(UserName As String, Password As String) As Boolean
Using conn As New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user"), _
' Need to add a "Salt" column to your table, create a new random salt for each user when you create the user
cmd As New SqlCommand("SELECT Salt, PwdHash FROM tblLogin WHERE username = @Username", conn)
'Parameterized queries or NOTHING. String concatention is NOT OKAY here
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = UserName
conn.Open()
Using rdr As SqlDataReader = cmd.ExecuteReader()
If Not rdr.Read() Then Return False
Dim Salt As String = rdr("Salt")
Dim PwdHash As String = rdr("PwdHash")
'Compare HASHES, not Passwords
Return PwdHash = CalculateHash(Password, Salt As String)
End Using
End Using
End Function
If CheckCredentials(txtUsername.Text, txtUserPwd.Text) Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
answered Nov 29 '18 at 2:14
Joel CoehoornJoel Coehoorn
312k96497735
edited Nov 29 '18 at 3:03
answered Nov 29 '18 at 2:14
Joel CoehoornJoel Coehoorn
312k96497735
answered Nov 29 '18 at 2:14
Joel CoehoornJoel Coehoorn
312k96497735
answered Nov 29 '18 at 2:14
Joel CoehoornJoel Coehoorn
312k96497735
312k96497735
add a comment |
add a comment |
0
Use DataReader instead, use this code and just call CheckLogin in login button or somthing else.
Sub CheckLogin()
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
conn.Open()
Try
Dim query As String = "select count(*) from tblLogin where username = @username and password= @password "
Dim cmd = New SqlCommand(query, conn)
cmd.Parameters.AddWithValue("@username", txtUsername.Text)
cmd.Parameters.AddWithValue("@password", txtUserPwd.Text)
Dim DR As SqlDataReader = cmd.ExecuteReader()
If DR.HasRows Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Catch ex As Exception
MsgBox(ex.Message)
End Try
conn.Close()
End Sub
answered Nov 29 '18 at 4:23
PratilectronPratilectron
11
add a comment |
0
Use DataReader instead, use this code and just call CheckLogin in login button or somthing else.
Sub CheckLogin()
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
conn.Open()
Try
Dim query As String = "select count(*) from tblLogin where username = @username and password= @password "
Dim cmd = New SqlCommand(query, conn)
cmd.Parameters.AddWithValue("@username", txtUsername.Text)
cmd.Parameters.AddWithValue("@password", txtUserPwd.Text)
Dim DR As SqlDataReader = cmd.ExecuteReader()
If DR.HasRows Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Catch ex As Exception
MsgBox(ex.Message)
End Try
conn.Close()
End Sub
answered Nov 29 '18 at 4:23
PratilectronPratilectron
11
add a comment |
0
0
0
Use DataReader instead, use this code and just call CheckLogin in login button or somthing else.
Sub CheckLogin()
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
conn.Open()
Try
Dim query As String = "select count(*) from tblLogin where username = @username and password= @password "
Dim cmd = New SqlCommand(query, conn)
cmd.Parameters.AddWithValue("@username", txtUsername.Text)
cmd.Parameters.AddWithValue("@password", txtUserPwd.Text)
Dim DR As SqlDataReader = cmd.ExecuteReader()
If DR.HasRows Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Catch ex As Exception
MsgBox(ex.Message)
End Try
conn.Close()
End Sub
answered Nov 29 '18 at 4:23
PratilectronPratilectron
11
Use DataReader instead, use this code and just call CheckLogin in login button or somthing else.
Sub CheckLogin()
Dim conn = New SqlConnection("Data Source=SRV-SQL;Initial Catalog=prova;User ID=user;Password=user")
conn.Open()
Try
Dim query As String = "select count(*) from tblLogin where username = @username and password= @password "
Dim cmd = New SqlCommand(query, conn)
cmd.Parameters.AddWithValue("@username", txtUsername.Text)
cmd.Parameters.AddWithValue("@password", txtUserPwd.Text)
Dim DR As SqlDataReader = cmd.ExecuteReader()
If DR.HasRows Then
MsgBox("Logged-in successfully")
Else
MessageBox.Show("The username or the password is wrong!", "Warning!", MessageBoxButtons.OK, MessageBoxIcon.Error)
End If
Catch ex As Exception
MsgBox(ex.Message)
End Try
conn.Close()
End Sub
answered Nov 29 '18 at 4:23
PratilectronPratilectron
11
answered Nov 29 '18 at 4:23
PratilectronPratilectron
11
answered Nov 29 '18 at 4:23
PratilectronPratilectron
11
answered Nov 29 '18 at 4:23
PratilectronPratilectron
11
11
add a comment |
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53524573%2fvb-net-datatable-rows%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
6
Woah!!! There's a lot wrong with what you have there. Firstly
"username ='" + txtUsername.Text + "'". This isn't a parametrised query, and considering the statement you're running, the value oftxtUsernameis coming from user input. This is wide open to injection. You need to fix that, now. Parametrise your query. Next we have"password='" + txtUserPwd.Text + "'"; this very strongly implies you are storing password as plain text. As well as that this is also open to injection never store passwords as plain text. They should ideally be hashed and salted.– Larnu
Nov 28 '18 at 17:08
1
As a very quick example, what do you think would happen if someone entered their username as
'; SELECT * FROM sys.tables; DROP TABLE tblLogin;--or' CREATE LOGIN SuperAdmin WITH PASSWORD= '123', CHECK_POLICY=OFF, CHECK_EXPIRY = OFF; ALTER SERVER ROLE [sysadmin] ADD MEMBER [SuperAdmin];--?– Larnu
Nov 28 '18 at 17:09
Its just a project im making for fun so i wont be uploading it anywhere and its even my first project with SQL
– Nome Cognome
Nov 28 '18 at 17:15
1
If (dt.Rows().ToString() = "1"does not indicate successful login with the query you're using. The value of that row could be 1 or 0. In either case, you will always get a row. You need to look at the actual value that is returned, not just the rowcount. If you wanted to check via simple rowcount then you would needSELECT * FROM tblLogin WHERE username=.... Or even better,SELECT 1 FROM tblLogin WHERE username=....– squillman
Nov 28 '18 at 17:32
@squillman I don't see anything wrong with the OP Select statement (except it needs to use parameters). Select * will bring down unnecessary data.
– Mary
Nov 29 '18 at 1:45