Error when trying to implement login script for visual basic application in visual studio 2015

Question

Hi I'm sure this is an extremely simple issue to fix but i'm completely new to this and just following a tutorial online but i can't adapt the code for my uses. Basically i keep getting the following error when i try to use nvarchar instead of int for my username and password columns in my database:

An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll

here is my code:

Public Class Login
    Private Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
        Dim con As New SqlClient.SqlConnection(MyConnection.MyConnectionString)
        con.Open()
        Dim dr As SqlClient.SqlDataReader
        Dim cmd As New SqlClient.SqlCommand("select * from [customer_login] where username=" + tbUsename.Text + " and password=" + tbPassword.Text + "", con)
        dr = cmd.ExecuteReader
        If dr.Read Then
            MsgBox("you are logged on as" + tbUsename.Text + "put logged in home page here")
        End If

    End Sub
End Class

edit: full error message is:

An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll

Additional information: Invalid column name 'a123'.

Invalid column name 'a123'.

share the complete error please – Nouman Bhatti Jul 12 '16 at 00:35 — Nouman Bhatti, Jul 12 '16 at 00:35
We need the inner exception – Glenn Ferrie Jul 12 '16 at 00:37 — Glenn Ferrie, Jul 12 '16 at 00:37

Anon Coward · Answer 1 · 2016-07-12T00:55:51.357

The code you have generates the following SQL:

select * from [customer_login] where username=user and password=pass

Where user and pass are the values entered in the text boxes. That is not valid SQL, the values need to be quoted strings. Or even better, they should be named parameters to prevent a class of attacks called SQL injection, or just simply to prevent problems when a user has an apostrophe in name and your SQL statement built at run-time has an error in it as a result.

In the future, you should use a Try .. Catch block to catch the exception and look at the contents of the exception in the debugger. In this case, it would have quickly showed the error in your SQL statement.

score 0 · Accepted Answer · answered Jul 12 '16 at 00:38

0

single quotes are missing in your query

Public Class Login
    Private Sub btnLogin_Click(sender As Object, e As EventArgs) Handles btnLogin.Click
        Dim con As New SqlClient.SqlConnection(MyConnection.MyConnectionString)
        con.Open()
        Dim dr As SqlClient.SqlDataReader
        Dim cmd As New SqlClient.SqlCommand("select * from [customer_login] where username='" + tbUsename.Text + "' and password='" + tbPassword.Text + "'", con)
        dr = cmd.ExecuteReader
        If dr.Read Then
            MsgBox("you are logged on as" + tbUsename.Text)
            'put logged in home page here.show()
        End If

    End Sub
End Class

answered Jul 12 '16 at 00:38

Nouman Bhatti

1,341
6
28
54

I knew it would be a simple fix, thanks for your help! I will accept your answer as soon as i can! – Josh Strachan Jul 12 '16 at 00:42
That code is vulnerable to [SQL Injection](http://stackoverflow.com/questions/332365/). Please [use parameters](http://stackoverflow.com/questions/3156151/). – Dour High Arch Jul 12 '16 at 00:47

Error when trying to implement login script for visual basic application in visual studio 2015

2 Answers2