I am creating a login system using c#. I want to check if the username the user enters is already part of the database. This is the code that connects to a data adapter and then updates this once I have taken the data from the check boxes.
NorthwindDataSetTableAdapters.CustomersTableAdapter north = new NorthwindDataSetTableAdapters.CustomersTableAdapter();
NorthwindDataSet.CustomersDataTable northtable = north.GetData();
NorthwindDataSet northwindDataSet1 = new NorthwindDataSet();
NorthwindDataSet.CustomersRow newCustomersRow =
northwindDataSet1.Customers.NewCustomersRow();
newCustomersRow.Username = TextBox1.Text.ToString();
newCustomersRow.Password = TextBox2.Text.ToString() ;
newCustomersRow.FirstName = TextBox3.Text.ToString();
newCustomersRow.Surname = TextBox4.Text.ToString();
northwindDataSet1.Customers.Rows.Add(newCustomersRow);
north.Update(northwindDataSet1.Customers);
northwindDataSet1.Customers.AcceptChanges();
if (Page.IsValid)
Response.Redirect("thankyou.aspx");
What is the best way to check the Username field for duplicate data?
Call me crazy, but I'd just do something like (using "dapper")
string username = ...
int existingId = connection.Query<int?>(
#"select top 1 Id from Users where UserName = #username",
new { username }).FirstOrDefault();
if(existingId.HasValue) {
// not available - do something
}
Note that there is a race condition here so you should still have a unique constraint on the column itself. You might also want to thing about case sensitivity: is "Fred" the same username as "fred"?
Why not to mark the table Column as primary key or unique? Then you handle the exception inside a try{}catcht{} statement.
Have you tried using DataTable.Select? Something like:
var UserFound = NorthTable.Select("UserName = '" + TextBox1.Text + "'");
if(UserFound.Length != 0)
{
// do something...
}
Related
I have a table namedUsersin SQL server which retains password,email and UserID which is the primary key.
Then in my project I have two forms,first form gets password and name of users and then if entered password and email exist in the table it connects to second form and if not it does not.
then to connect to bank I am using Entity Framework. this is my connection string:
int UserID = 2;
UsersEntities db = new UsersEntities();
var find = db.CalUsers.Find(UserID);
if (find.Email == txtEmail.Text && find.Password == txtPassword.Text)
{
SmallCalculator example = new SmallCalculator();
example.ShowDialog();
}
I know I must use UserID as primary key but I dont know how to write UserIDto get all rows?now it just gets row2
int UserID = 2; // you don't actually know this value since user is not giving it to you
UsersEntities db = new UsersEntities();
//hopefully email address has a unique constraint:
var find = db.CalUsers.FirstOrDefault(x=>x.Email == txtEmail.Text.Trim());
if(find == null) return; //do something else
if (find.Email == txtEmail.Text && find.Password == txtPassword.Text)
{
SmallCalculator example = new SmallCalculator();
example.ShowDialog();
}
So I need to get the value from from the Query - in the AS TrueOrFalse field.
I'm confused on how I should go about doing that.
In basic thought/wording: I need to see if there exists a value in BookID (that will match the RequestQuery) and then a value exists in the UserID (that matches/comes from the Session Variable) From my RatingsReviews Table.
I don't have access to the .ExecuteScalar Method.
I know the query should work, it works in Access (with slight modifications to use the parameter values) and, I am using the "BookID" RequestQuery and the "UserID" Session Variable for other things that work as intended.
This is what is in my WebPageName.aspx.cs file:
SqlDataSource objDS2 = new SqlDataSource();
objDS2.ProviderName = System.Configuration.ConfigurationManager.ConnectionStrings["ConnectionString"].ProviderName;
objDS2.ConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
//Puts the Amount of times that the Session User ID (who's logged in) appears with the Requested Query String of the Book ID
objDS2.SelectCommand = "SELECT COUNT (*) AS TrueOrFalse FROM [RatingsReviews] WHERE ([UserID]" + Session["UserID"].ToString() + " AND [BookID] =" + Request.QueryString["id"].ToString() + ")";
//Get Value from the TrueOrFalse Field from the QUERY somehow
//IF the The value in TrueOrFalse Field is 0,
// then allow and show the Panel, else hide panel - so they cannot enter a review
// if (TrueOrFalse == 0/false)
// {
//is someone logged in?
if (Session["UserID"] != null)
{
//if someone is logged in, and they are visiting
if (Session["UserID"].ToString().Equals(Request.QueryString["id"]))
{
PanelUserRating.Visible = true;
}
else
{
PanelUserRating.Visible = false;
}
I see you only populate the SelectCommand property by you never executed the select command. You can use Select method to execute it and get the result back.
IEnumerable result = _objDS2.Select(new DataSourceSelectArguments());
Follow this link for proper implementation:
here
I create an application using c# , In my authentification interface , i have a test control , i want to know profile user .
My database contains table named user which contains 4 columns
(id_user,name ,mail, profile)
Here is my code
public string profil_user(string login)
{
SqlConnection conn = new database().connect_user();
SqlCommand cmd = conn.CreateCommand();
cmd.CommandText = "select profile from user where name = '" + login + "';";
SqlDataReader s = cmd.ExecuteReader();
if (s.Read())
{
return ( s.GetString(3));
}
else{return ("false"); }
}
but i have an exception in s.GetString(3)
system.IndexOutOfRange : index was outside the bounds of the array
You're only selecting a single field (profile) but then you're trying to select the 4th field (index 3) here:
return ( s.GetString(3));
In addition to just returning s.GetString(0) I would strongly advise you to:
Use parameterized SQL - always do this, to prevent SQL injection attacks, make your code more readable, and prevent unexpected text conversion problems
Either throw an exception or return null if the profile isn't found, instead of returning the string "false"
Use using statements for disposable things like SqlCommand, SqlConnection and SqlDataReader to ensure that you clean up resources appropriately
Start following .NET naming conventions to make your code more idiomatic
So something like:
public string GetUserProfile(string login)
{
string sql = select profile from user where name = #login";
// I assume Connect() returns an *open* connection?
using (var conn = new Database().Connect())
{
using (var command = new SqlCommand(sql, conn))
{
command.Parameters.Add("#login", SqlDbType.NVarChar).Value = login;
using (var reader = command.ExecuteReader())
{
// If it's an error (code failure) for there to be no matching profile,
// you may want to throw an exception instead.
return s.Read() ? s.GetString(0) : null;
}
}
}
}
So you want the fourth row, not the fourth column which you try to access with s.GetString(3):
int rowNum = 0;
while(s.Read())
{
if(++rowNum == 4)
{
return s.GetString(0);
}
}
return "false";
However, it is a bit strange to access the fourth row when you don't use an Order By. You should also only return the row that you want with the correct sql query.
You are also open for sql injection if you use string concatenation here:
cmd.CommandText = "select profile from user where name = '" + login + "';";
Use sql parameters:
cmd.CommandText = "select profile from user where name = #login";
cmd.Parameters.Add("#login", SqlDbType.VarChar).Value = login;
have 4 columns not rows
Ok, so you instead want the fourth column. Why don't you use the name instead?
Since you only select the profile-column(the fourth), you could simply use GetString(0). But you could also select all columns and then determine the correct index with GetOrdinal:
int profileColumnIndex = s.GetOrdinal("profile");
return s.GetString(profileColumnIndex);
This is useful if you don't control the query or it might be changed in future.
You are selecting only 1 field, thus index 3 is out of bounds. It also very important to Use parameters. Try:
cmd.CommandText = "select profile from user where name = #login;";
cmd.Parameters.Add("#login, SqlDbType.NVarChar).Value = login;
SqlDataReader s = cmd.ExecuteReader();
while (s.Read())
{
return s[0].ToString();
}
The parameter for SqlDataReader.GetString should be the column index. You're only selecting one column so you get an exception.
Because you do not have all the fields in your select list
Change the SQL to:
select id_user,name ,mail, profile from user where name = '" + login + "';
i have the following table in MySql :
ID Name
1 Google
2 Yahoo
3 Facebook
4 Whatever
I have a textfield that when someone writes something and presses a button it stores this value in a string. This string is the Name of the above table. Then i have my code about selecting the id referred to that name. Ex, if the user enters Facebook i will find that the ID = 3. this is the code :
public bool FindCompanyID(string companyName)
{
return ExecQuery("select id from companies where name=#name",
cmd =>
{
cmd.CommandText = "SELECT id from companies WHERE name ='" + companyName + "'";
return cmd;
});
}
I want someone to show me a sample of code about the following : Saving to a string the " id " . if the ID in the database = 2 i want to make a
int Company_Number_ID
that i will use. How can i get the string to read the specified value from the database?
I am guessing your return type is bool to check whether the DDL statements were executed successfully.
MySqlCommand cmd = dbConn.CreateCommand();
cmd.CommandText = "SELECT id from companies WHERE name ='" + companyName + "'";
try
{
dbConn.Open();
Company_Number_ID = (Int32)cmd.ExecuteScalar();
} catch (Exception e) {
//Exception occured. Handle it here
}
Note: cmd.Parameters.AddWithValue("#companyName",companyName).
this is more secure
Edit: As pointed out in the comment by user3185569 , ExecuteScalar is better if you are sure it'll return only one row. But since no such information was provided. I did not consider that.
You can use ExecuteScalar directly like this.
Company_Number_ID = (Int32)cmd.ExecuteScalar();
I am trying to delete entries by ID. I want to notify user that ID they try to delete doesn't exist. It doesn't create any problems, but I want to make everything clear.
How to do that? Do I have to use SQL string to do so?
I am using MS Access 2007 and this is how I delete item:
string SQL = "DELETE FROM PersonalData WHERE DataID = " + txtEntryID.Text;
private void DeleteData(string SQL)
{
// Creating an object allowing me connecting to the database.
// Using parameters in command will avoid attempts of SQL injection.
OleDbConnection objOleDbConnection = new OleDbConnection();
// Creating command object.
objOleDbConnection.ConnectionString =
"Provider=Microsoft.ACE.OLEDB.12.0;" +
"Data Source=" + filePath + ";" +
"Persist Security Info=False;" +
"Jet OLEDB:Database Password=" + pass + ";";
OleDbCommand objOleDbCommand = new OleDbCommand();
objOleDbCommand.CommandText = SQL;
// Assigning a connection string to the command.
objOleDbCommand.Connection = objOleDbConnection;
try
{
// Open database connection.
objOleDbConnection.Open();
objOleDbCommand.ExecuteNonQuery();
}
catch (Exception ex)
{
// Displaying any errors that
// might have occured.
MessageBox.Show("Error: " + ex.Message);
}
finally
{
// Close the database connection.
objOleDbConnection.Close();
}
// Refreshing state of main window.
mainWindow.DisplayFileContent(filePath);
MessageBox.Show("Data was successfully deleted.");
// Clearing text box field.
txtEntryID.Clear();
}
In VBA code, you could use the DCount() function.
You can also just delete the records with a SQL statement and inform the user after the fact; from the user's point of view there's no difference:
Dim id As Long
id = GetAnIdFromTheUser()
With CurrentDb
Do
.Execute "DELETE FROM [TableName] WHERE ID = " & id
If .RecordsAffected > 0 Then
Goto Done
End If
MsgBox "That ID doesn't exist; please try another."
id = GetAnIdFromTheUser()
Loop
Done:
.Close
End With
EDIT:
In ADO.NET you can follow the same approach by examining the return value of ExecuteNonQuery. For example, you could declare your function as bool TryDeleteData(string SQL) and do something like
...
if (objOleDbCommand.ExecuteNonQuery() == 0)
return false;
...
You could use the DCount function of VBA:
DCount("*", "SomeTable", "ID = 1")
If this is 0 then you know the record doesn't exist and can inform the user.
Your question isn't clear enough, so I'm guessing that what you'd like to do is execute the DELETE query and then return whether records were deleted or not. If that's what you want to do you could do it like this:
DECLARE #deletedID AS INT
SELECT #deletedID = id FROM your_table WHERE id = <the id supplied by user>
DELETE FROM your_table
WHERE your_table.id = <the id supplied by user>
RETURN #deletedID
If the requested ID does not exist this will return NULL
EDIT
Based on the clarification in your comments, the following query should work just fine:
SELECT COUNT(DataId) as Cnt
FROM PersonalData WHERE DataId = <user_specified_id>
This query will produce a single column, single row result set (i.e. a scalar-value). The value is going to be either 1 or 0 (assuming only one entry may have the same id). If the count is 0 the entry does not exist.
P.S.
The way you are executing the query you're opening yourself to SQL injection attacks. Basically, someone could give you the following DataID: 0 OR 1 = 1 and guess what's going to happen - all the PersonalData records will be deleted!
A much better approach would be to use prepared statements. Or at the very least, make absolute sure that you sanitize and validate the user input before concatenating it into the query text.