Geek asks and answers

Unknown column in the where section of a C # application

I am trying to develop a C # application where I want to have a login form connected to a remote server. I connected to the server, but when I try to log in, the line: MySqlDataReader reader = cmd.ExecuteReader (); gives me an error: Unknown "admin" column in where clauseDo you have any ideas where the problem might come from? Here is my code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using MySql.Data.MySqlClient;

namespace ECBSRecruitmentAgencySoftware
{
    public partial class LogIn : Form
    {
        public LogIn()
        {
            InitializeComponent();
        }  

        public bool tryLogin(string username , string password)
        {
             MySqlConnection con = new MySqlConnection("host=aaaaaaaa.baaadsg;user=saaaaaak;password=2333333336;database=soaaaaaaaa2;");
             MySqlCommand cmd = new MySqlCommand("Select * FROM niki WHERE user_name = `" + username + "` AND user_password = `" + password + "`;");
             cmd.Connection = con;
             con.Open();
             MySqlDataReader reader = cmd.ExecuteReader();
             if (reader.Read() != false)
             {
                 if (reader.IsDBNull(0) == true)
                 {
                     cmd.Connection.Close();
                     reader.Dispose();
                     cmd.Dispose();
                     return false;
                 }
                 else
                 {
                     cmd.Connection.Close();
                     reader.Dispose();
                     cmd.Dispose();
                     return true;
                  }
             }
             else 
             {
                 return false;
             }
        }

        private void button1_Click(object sender, EventArgs e)
        {
            if (tryLogin(user.Text, pass.Text) == true)
            {
                MainScreen F2 = new MainScreen();
                F2.Show();
                this.Hide();
            }            
            else 
                MessageBox.Show("Wrong details!");             
        } 
    }
 }
+3
source share
3 answers

In a query string using 'instead of (`)

Select * FROM niki WHERE user_name = '" + username + "' AND user_password = '" + password + "'
+3
source

Try the following:

MySqlCommand cmd = new MySqlCommand("Select * FROM niki WHERE user_name = '" + username + "' AND user_password = '" + password + "'");

` , . . tbl.`from` "from", SQL FROM.

"admin", MySQL , "admin", "admin" . , , , , "admin" !:)

+3

Use named parameters instead of your solution:

MySqlCommand cmd = new MySqlCommand("Select * FROM niki WHERE user_name = @username AND user_password = @password");
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@password", password);

UPD: updated to AddWithValue as UnhandledException, said

+2
source

More articles:


All Articles