i have login form,i want to check username and password from database.when i give the Submit i am getting error that is "ExcuteReader:Connction Proprty has not been initialized"
What I have tried:
private void btnOK_Click(object sender, EventArgs e)
{
if (txtUserName.Text == "")
{
MessageBox.Show("Please enter user name", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
txtUserName.Focus();
return;
}
if (txtPassword.Text == "")
{
MessageBox.Show("Please enter password", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
txtPassword.Focus();
return;
}
try
{
SqlConnection con = new SqlConnection("Data Source=ADMIN;Initial Catalog=SIS;Persist Security Info=True;User ID=sa;Password=admin@123");
SqlCommand cmd=new SqlCommand("Select Username,User_Password from User_TB where username='"+txtUserName.Text+"' and password='"+txtPassword+"'");
SqlDataReader dr=cmd.ExecuteReader();
if(dr.Read()==true)
{
int i;
ProgressBar1.Visible = true;
ProgressBar1.Maximum = 5000;
ProgressBar1.Minimum = 0;
ProgressBar1.Value = 4;
ProgressBar1.Step = 1;
for (i = 0; i <= 5000; i++)
{
ProgressBar1.PerformStep();
}
this.Hide();
frmMainMenu frm = new frmMainMenu();
frm.Show();
frm.lblUser.Text = txtUserName.Text;
}
解决方案The number of things wrong with this... :sigh:
Let's start with the ones you don't know about!
1) Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. This is really important at all times, but for a login form it's absolutely vital, as it means the user doesn't even have to be logged in to destroy your database...he can do it by typing in the "username" textbox!
2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^]
3) Never use the "sa" user in SQL: he has full permissions and is the default when SQL server is installed. So he is the first user anyone tries in order to steal or damage data. Set up a user which has just enough permission for your app to work, and use that instead. At the very minimum, change the damn password!
4) You will never see anything happen on your progress bar, because it's on the same thread - and it will only get displayed when the click event handler exits.
5) SqlConnection, SqlCommand, and so forth are scarce resources - you need to dispose of them properly when you are finished, or your app will crash when it runs out.
A using block is the best way as it disposes of teh resource when teh object goes out of scope.
Now the one you noticed!
Look at the error message:
ExcuteReader:Connction Proprty has not been initialized
Now look at your code:
SqlConnection con = new SqlConnection("...");
SqlCommand cmd=new SqlCommand("Select ...");
SqlDataReader dr=cmd.ExecuteReader();
You don't pass the SqlConnection to the SqlCommand!
Try:
using (SqlCommand cmd=new SqlCommand("Select ...", con))
{
...
}And one other thing: Open the connection before you try to use it!
扫一扫
9712
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
