Having problems with a login form in VB.NET - mysql

Ok, so this is part of the program I am working on in VB.NET. What it should do is go into my MySQL database and check whether what the user entered matches the username/password in the database (simple login), but it is not working. It is stopping at the first If statement, I don't know why, but it goes down to the Catch every time. I put in message boxes every other line to find the problem, so I know something is wrong with the If statements.
Dim rdr As MySqlDataReader = Nothing
Myconnection = "Server=LocalHost; database=vb; user=root; password=tro63jans; "
db_con.ConnectionString = Myconnection
Dim cmd As New MySqlCommand("SELECT * FROM login", db_con)
Try
db_con.Open()
rdr = cmd.ExecuteReader()
Dim found As Boolean = False
While rdr.Read()
If username.ToUpper() = DirectCast(rdr("username"), String) Then
If password = DirectCast(rdr("password"), String) Then
found = True
MessageBox.Show("you are log in")
Exit While
Else
MessageBox.Show("username and password do not match", "Error")
txtpassword.Focus()
End If
If found Then
MessageBox.Show("user name not found", "error")
txtusername.Focus()
txtpassword.Focus()
Exit While
End If
Else
If found Then
MessageBox.Show("User name not found", "error")
txtusername.Focus()
End If
End If
End While

Related

Unknown database 'database'

I am trying to make a secure login for my database, using a MySQL database.
Private Sub logIn_Click(sender As Object, e As EventArgs) Handles logIn.Click
MysqlConn = New MySqlConnection
MysqlConn.ConnectionString =
"server=localhost;userid=root;password=Catawba;database=catawbapartnership"
Dim READER As MySqlDataReader
Try
MysqlConn.Open()
Dim Query As String
Query = "select * from database.admininfo where admin_username= ' " & TB_UN.Text & " ' and admin_password= ' " & TB_PD.Text & " '"
COMMAND = New MySqlCommand(Query, MysqlConn)
READER = COMMAND.ExecuteReader
Dim count As Integer
count = 0
While READER.Read
count = count + 1
End While
If count = 1 Then
MessageBox.Show("Username and Password Accepted")
ElseIf count > 1 Then
MessageBox.Show("Username and Password Are Incorrect")
Else
MessageBox.Show("Username and Password Are Incorrect")
End If
MysqlConn.Close()
Catch ex As MySqlException
MessageBox.Show(ex.Message)
Finally
MysqlConn.Dispose()
End Try
This is the code, but I keep getting the error Unknown database 'database'.
In MySQL Workbench, the entire database is named catawbapartnership,
and the table I need to get info from is called admininfo.
But it keeps saying I have entered it incorrectly. Please help!
Remove database. from your code. As a default database is in the connection you don't need to specify it in the question.
Please copy your implementation from somewhere else. This has SQL injection vulnerabilities and you should never store plain text passwords.
OWASP has a lot of guidance on being a responsible programmer.

vb.net : DPFP.Error.SDKException: Verification Failure

I am having a problem with my fingerprint verification using VB.NET 2010. I am not sure what causes the error every time I verify the template from my MySQL database. Below is the error message. I am using a Digital Persona U.are.U 4000B as my fingerprint scanner.
And this is my code for verification:
DrawPicture(ConvertSampleToBitmap(Sample))
Dim features As DPFP.FeatureSet = ExtractFeatures(Sample, DPFP.Processing.DataPurpose.Verification)
conn.Open()
cmd.Connection = conn
cmd.CommandText = "Select * from emp_t"
dr = cmd.ExecuteReader
If dr.HasRows Then
While dr.Read()
Dim MemStream As IO.MemoryStream
Dim fpBytes As Byte()
fpBytes = dr(2)
MemStream = New IO.MemoryStream(fpBytes)
Dim templa8 As DPFP.Template = New DPFP.Template()
templa8.DeSerialize(MemStream)
Me.Template = templa8
' Check quality of the sample and start verification if it's good
If Not features Is Nothing Then
' Compare the feature set with our template
Dim result As DPFP.Verification.Verification.Result = New DPFP.Verification.Verification.Result()
Try
Verificator.Verify(features, templa8, result)
Catch ex As Exception
MsgBox(ex.ToString)
End Try
If result.Verified Then
MessageBox.Show("Verified")
Exit Sub
Else
MessageBox.Show("The fingerprint was NOT VERIFIED!")
End If
Else
MessageBox.Show("Fingerprint sample is not established!")
End If
End While
Else
MessageBox.Show("No record found!")
End If
conn.Close()
I have been struggling for months searching for a solution to my problem. Anyone who can share their thoughts and extend help will be much, much appreciated... Thank you...

Invalid attempt to access a field before calling Read() vb.NET and MySQL

I receive this error every time I try to log in with incorrect details, which should show a message box "invalid username...", and when no details are entered it should show "please enter...".
conn = New MySqlConnection
conn.ConnectionString = "server=localhost; userid=root; password=...; database=..."
Dim reader As MySqlDataReader
Try
conn.Open()
Dim Query As String
Query = "SELECT Username, Password, Admin FROM appointments.tblLogin WHERE Username='" & TextBox_Username.Text & "' AND Password='" & TextBox_Password.Text & "' "
cmd = New MySqlCommand(Query, conn)
reader = cmd.ExecuteReader
Dim count As Integer
count = 0
While reader.Read
count = count + 1
End While
If reader.GetInt32("Admin") = 1 Then
AdminMainMenu.Show()
Me.Hide()
ElseIf reader.GetInt32("Admin") = 0 Then
MainMenu.Show()
Me.Hide()
Else
MessageBox.Show("Invalid username or password")
End If
If TextBox_Username.Text.Equals("") And TextBox_Password.Text.Equals("") Then
MessageBox.Show("Please enter a username and password")
End If
conn.Close()
Catch ex As MySqlException
MessageBox.Show(ex.GetBaseException.ToString)
Finally
conn.Dispose()
End Try
The MySqlDataReader can only move forward; once it reaches the end of the rows retrieved by the command, it cannot go back to read previous rows.
The loop used to count the number of rows moves the reader to the end of the data stream, so trying to read the Admin field results in an exception.
If TextBox_Username.Text.Equals("") And _
TextBox_Password.Text.Equals("") Then
MessageBox.Show("Please enter a username and password")
Return
End If
.... opening and executing the command code....
If reader.Read Then
Dim isAdmin = (reader.GetInt32("Admin") = 1)
If isAdmin Then
AdminMainMenu.Show()
Me.Hide()
Else
MainMenu.Show()
Me.Hide()
End If
Else
MessageBox.Show("Invalid username or password")
End If
conn.Close()
Notice that I have removed the loop and used a simple if/else statement around the Read method to display the error message and I have changed the reading of the Admin flag creating a boolean variable to simplify the logic inside the true part of the if block.
That said, you need to look at how to build parameterized queries, because your string concatenation to build the command text exposes your program to SQL injection attacks (not to mention syntax errors if one of your textboxes contains a single quote, try it...).
Consider also that from a security standpoint you should never store passwords in the database in clear text. Always use a hash of the password.

String from Database set as public string

Ok, the reasoning from the answer to the previous question still applies here, but this time it is a different issue. There is a login system (Loginvb.vb) that I got for the launcher I was creating, and I was wondering 2 things:
Is there a better way to do the login check with the database (as in more secure)? (The login style will have a web-based registration setting via PHP script.)
Is there a way to take a certain column (labeled as access) in the database and put it as a public string so I can check if it will equal 1, 2 or 3 in a different form labeled as Main.vb?
Here is the current login check:
Public Sub login_Click(sender As Object, e As EventArgs) Handles login.Click
If txtuserName.Text = "" Or txtpassWord.Text = "" Then
MsgBox("You cannot progress until you login....(moron =p)")
Else
'Connects To the Database
Dim connect As MySqlConnection
connect = New MySqlConnection()
connect.ConnectionString = "server=127.0.0.1;user id=sc;Password=derp;database=sclaunch" 'not the actual login ;)
Try
connect.Open()
Catch myerror As MySqlException
MsgBox("Error Connecting to Database. Please Try again !")
End Try
'SQL Query To Get The Details
Dim myAdapter As New MySqlDataAdapter
Dim sqlquerry = "Select * From login where username = '" + txtuserName.Text + "' And password= '" + txtpassWord.Text + "'"
Dim myCommand As New MySqlCommand()
'My fail attempt at what I am trying to do :(
Dim sql22 As MySqlConnection
sql22 = New MySqlConnection()
sql22.ConnectionString = "Select * From login where access ="
'End of fail attempt
myCommand.Connection = connect
myCommand.CommandText = sqlquerry
'Starting The Query
myAdapter.SelectCommand = myCommand
Dim mydata As MySqlDataReader
mydata = myCommand.ExecuteReader
'To check the Username and password and to validate the login
If mydata.HasRows = 0 Then
MsgBox("Invalid Login")
Else
'fail testing xD
Label3.Text = sql22
MsgBox("You are now Loged In!")
End If
End If
End Sub
Still basically learning more and more as I am coding all this got to love trial and error and the moments where you get stuck =/ (Sorry to the admins or whatever for fixing tag issues still new to the site xD)
Assuming that the same table login that contains the credentials contains also the access column that you want to retrieve, then I have changed a lot of your code
Dim sqlquerry = "Select * From login where username = @name AND password=@pwd"
Dim myCommand As New MySqlCommand(sqlquerry, connect)
myCommand.Parameters.AddWithValue("@name", txtuserName.Text)
myCommand.Parameters.AddWithValue("@pwd", txtpassWord.Text)
Dim mydata = myCommand.ExecuteReader
If mydata.HasRows = False Then
MsgBox("Invalid Login")
Else
' the same record that contains the credentials contains the access field'
mydata.Read()
Label3.Text = mydata("access").ToString()
MsgBox("You are now Loged In!")
End If
What I have changed:
Removed the string concatenation and added the appropriate parameters
Removed myAdapter and every reference to it (not needed, you don't fill a DataTable/DataSet)
Removed sql22 and every reference to it. It's a Connection and you try to use it like a Command
Fixed the check on HasRows (it returns a Boolean, not an Integer. Are you using Option Strict Off?)

Hashing passwords for a login form in vb.net

I have a login form. I haven't done anything about hashing the password yet. I have been reading about hashing here and there, yet it really confuses me and I don't really know how to implement it in my code for the login form.
Code for hashing I saw
Dim bytes() As Byte = System.Text.Encoding.UTF8.GetBytes(stringPassword)
Dim hashOfBytes() As Byte = New System.Security.Cryptography.SHA1Managed().ComputeHash(bytes)
Dim strHash As String = Convert.ToBase64String(hashOfBytes)
Convert back to bytes
hashOfBytes = Convert.FromBase64String(strHash)
My Login Form Code
Using conn As New MySqlConnection("Server = localhost; Username= root; Password =; Database = forms")
Using cmd
With cmd
MsgBox("Connection Established")
.Connection = conn
.Parameters.Clear()
.CommandText = "SELECT * FROM users WHERE BINARY Username = @iUsername AND Password = @iPassword"
.Parameters.Add(New MySqlParameter("@iUsername", txtUser.Text))
.Parameters.Add(New MySqlParameter("@iPassword", txtPass.Text))
End With
Try
conn.Open()
dr = cmd.ExecuteReader()
Catch ex As MySqlException
MsgBox(ex.Message.ToString())
End Try
End Using
End Using
If dr.HasRows = 0 Then
MsgBox("Invalid user")
Conn.Close()
Else
Start.Show()
Conn.Close()
End If
End Sub
You should store the hash value of the password in the Password field of your table.
Then you search for user and the password hash, not directly for the password taken from the input box.
However, your code will still fail because you try to use the MySqlDataReader after the disposing of the connection. Move the check for rows inside the Using block
Dim strHash as string = Convert.ToBase64String(hashOfBytes)
.....
Dim userIsValid as Boolean = False
Using conn As New MySqlConnection(.........)
Using cmd
....
.Parameters.Add(New MySqlParameter("@iPassword", strHash))
Try
conn.Open()
dr = cmd.ExecuteReader()
userIsValid = dr.HasRows
Catch ex As MySqlException
MsgBox(ex.Message.ToString())
End Try
End Using
End Using
if userIsValid then
.....
else
.....
End If