views: 457
answers: 8

I have the following code in my btn_click event:

// Requires: using System.Data.SqlClient;
SqlConnection con = new SqlConnection("server=.;database=bss;user id=ab;pwd=ab");
con.Open();
// The query text is built by concatenating the textbox values directly into the SQL
// (this is the code as posted; the answers below explain why that is a problem).
SqlCommand cmd = new SqlCommand("select * from login where username='"
    + txt4name.Text + "' and pwd='" + txt4pwd.Text + "'", con);

SqlDataReader reader = cmd.ExecuteReader();

Where login is the table and username and pwd are its fields. After this code all the values are stored in the reader object. I want to store username and pwd in separate variables.

How can I accomplish this?

+7  A: 

You're running a huge risk of SQL injection with that. Use SQL parameters for the values in your SqlCommands.

ccook
Can you kindly give me any details on SQL parameters?
Arman
Rich and buyutec beat me to it :)
ccook
A: 
string userName =  txt4name.Text;
string password =  txt4pwd.Text;

Is that really what you want? Just to get that data into variables?

BFree
Oh yes. But if I want to retrieve it from the reader, then?
Arman
+11  A: 

In general, when accessing your DB, you should be using something similar to this instead to eliminate SQL injection vulnerabilities:

// Requires: using System.Data.SqlClient;
using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
{
    // Values travel as parameters, never as part of the SQL text.
    myCommand.Parameters.AddWithValue("@username", user);
    // Note: AddWithValue sends a .NET string as nvarchar, so HASHBYTES hashes the UTF-16
    // bytes; the stored hash must have been computed over the same bytes for this to match.
    myCommand.Parameters.AddWithValue("@password", pass);

    myConnection.Open();
    using (SqlDataReader myReader = myCommand.ExecuteReader())
    {
        // read the matching row(s) here
    }
}

But more realistically to store credentials, you should be using something like the Membership system instead of rolling your own.

Geoffrey Chetwood
The only problem with this is that if he were to go and use this code, it would likely not return anything, because I have a feeling he is not using any sort of encryption on his passwords. What you are suggesting is definitely best practice, but it might help to add an explanation on the passwords.
TheTXI
@TheTXI: That is fine, I don't want him to use that code. I want him to use the membership providers.
Geoffrey Chetwood
+1 for mentioning using an SHA1 hash. If you do roll your own, you really should be using hashes instead of storing plaintext passwords in the database.
Daniel Pryden
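To make the injection risk discussed in this answer (and the parameterized fix it and the next answer recommend) concrete, here is an added, runnable example that is not code from the question or from any of the answerers. It uses Python's built-in sqlite3 module instead of C#/SqlCommand so that it runs stand-alone with no SQL Server; the placeholder syntax differs (sqlite3 uses "?" where SqlCommand uses "@name"), but the principle is identical. The table contents, the account "ab"/"ab", the login_vulnerable/login_safe names and the 100,000-iteration PBKDF2 setting are all constructed for the demonstration. The safe version deliberately departs from the HASHBYTES('SHA1', ...) approach above: it stores a per-user salted PBKDF2 hash, looks the user up by username only, and verifies the password in application code with a constant-time compare.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

# Constructed sample data: one account, username "ab", password "ab" (the
# credentials that appear in the question's connection string).
SAMPLE_USER = "ab"
SAMPLE_PASSWORD = "ab"
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'salt_hex$digest_hex' for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def make_db() -> sqlite3.Connection:
    """In-memory DB with the question's schema (plaintext pwd) plus a hashed variant."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT PRIMARY KEY, pwd TEXT NOT NULL)")
    conn.execute("CREATE TABLE login_hashed (username TEXT PRIMARY KEY, pwd TEXT NOT NULL)")
    conn.execute("INSERT INTO login VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    conn.execute(
        "INSERT INTO login_hashed VALUES (?, ?)",
        (SAMPLE_USER, hash_password(SAMPLE_PASSWORD)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The question's query shape: user input spliced straight into the SQL text."""
    sql = (
        "select * from login where username='" + username
        + "' and pwd='" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup by username only; the password is checked in application
    code against the stored salted hash, so it never appears in SQL text at all."""
    row = conn.execute(
        "select pwd from login_hashed where username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # classic boolean bypass; "ab'--" (comment-out) works too
    print("vulnerable, correct creds :", login_vulnerable(db, SAMPLE_USER, SAMPLE_PASSWORD))
    print("vulnerable, injected pwd  :", login_vulnerable(db, "nobody", payload))
    print("safe, injected pwd        :", login_safe(db, "nobody", payload))
    print("safe, correct creds       :", login_safe(db, SAMPLE_USER, SAMPLE_PASSWORD))
```

With the concatenated query, a password of ' or '1'='1 (or a username of ab'--) logs in as a user who was never found, because the injected text changes the WHERE clause; with the parameter the same strings are just values that match nothing. sqlite3's execute() refuses more than one statement per call, so stacked-query payloads (a trailing "; DROP TABLE ...") do not reproduce here, whereas SqlCommand sends its text to SQL Server as a batch, which makes the concatenated form even more dangerous there.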
+4  A: 

If you mean c# variables, and if you want to get them from db, just do this:

SqlDataReader reader = cmd.ExecuteReader();
if (reader.Read())
{
    // The indexer returns object, so cast; the question's column is named "pwd".
    string username = (string)reader["username"];
    string pwd = (string)reader["pwd"];
}

While you are at it, parameterize your query and prevent sql injection:

SqlCommand cmd = new SqlCommand("select * from login where username=@username and pwd=@pwd", con);
cmd.Parameters.AddWithValue("@username", txt4name.Text);
cmd.Parameters.AddWithValue("@pwd", txt4pwd.Text);
Serhat Özgel
You really should not be advocating this kind of credential storage.
Geoffrey Chetwood
Not advocating, just telling. We do not know if this will go into real time code or is asked just for learning purposes.
Serhat Özgel
@buyutec: It is still your responsibility to inform and educate him.
Geoffrey Chetwood
Serhat Özgel
@buyutec: Well then you deserve my downvote. I would feel ashamed of myself if I had your outlook.
Geoffrey Chetwood
+2  A: 

Definitely heed the advice about SQL injection but here is the answer to your question:

String username = null;
String pwd = null;

// GetOrdinal works before Read(), but IsDBNull/GetString need a current row,
// so advance the reader first.
if (reader.Read())
{
    int columnIndex = reader.GetOrdinal("username");

    if (!reader.IsDBNull(columnIndex))
    {
        username = reader.GetString(columnIndex);
    }

    columnIndex = reader.GetOrdinal("pwd");

    if (!reader.IsDBNull(columnIndex))
    {
        pwd = reader.GetString(columnIndex);
    }
}
Andrew Hare
A: 

You really need to use parameterized SQL. There's an example here. Furthermore, your question doesn't really make sense; you want the username and password in separate variables? They already are separate in your example. If you are unable to assign them to strings, I suggest following some tutorials.

Kris
A: 

You can usually find basic usage examples on MSDN, like this one for SqlDataReader.

Constantin
GIYF-type answers are really not welcome here. Either help him, or just leave it alone.
Geoffrey Chetwood
@Rich B, how is providing a link to a resource containing the answer not helping? Oh, I see, you've got a nice upvote/downvote ratio there. Good luck in your personal crusade.
Constantin
@Constantin: Just providing a link is looked down upon here. Explain your answer. Do the work.
Geoffrey Chetwood
A: 

Another approach is to load the reader results into a DataTable like so:

DataTable Result = new DataTable();

Result.Load(reader);

If your login table only contains two columns (userName and password) and they are unique, you end up with Result containing only one row with the information. You can then get the values from each column:

string userName = Result.Rows[0].Field<string>("userName");
string password = Result.Rows[0].Field<string>("pwd");
Abel