about try catch statement


ng kiat

I have been doing this for a while and I can't get it through. I am doing
a password login using database get password from MS Access then I am
able to log in. But when I run this my catch did not run when it finish
with try it will end by itself. This is my code.

protected void btnLogin_Click(object sender, EventArgs e)
{
    OleDbConnection conn5;
    try
    {
        string strConn5 =
            (string)System.Configuration.ConfigurationManager.AppSettings["ConnectionString"];
        string strLogin = "SELECT * FROM Pass WHERE Login = ('" +
            txtLogin.Text + "') AND Password = ('" + txtPassword.Text + "')";
        conn5 = new OleDbConnection(strConn5);
        OleDbCommand cmd5 = new OleDbCommand(strLogin, conn5);
        OleDbDataReader reader;
        conn5.Open();
        reader = cmd5.ExecuteReader();

        while (reader.Read())
        {
            AdminMultiview.SetActiveView(AdminMainPage);
        }
        reader.Close();
        conn5.Close();
    }
    catch (Exception ex)
    {
        lblWrong.Text = "Please check your Login ID and Password again. ";
        lblWrong.Text += ex.Message;
    }
}

Can anybody help me?
 

Peter Duniho

ng kiat said:
I have been doing this for a while and I can't get it through. I am doing
a password login using database get password from MS Access then I am
able to log in. But when I run this my catch did not run when it finish
with try it will end by itself. This is my code.

Are you getting an exception? If not, then you would not see the code in
your catch clause execute. That's only there for if and when an exception
is thrown.

If you are getting an exception, where are you getting it and why are you
sure you're getting an exception?

Finally (no pun intended), you have a bug in that you've got
closeable/disposable objects that won't get closed/disposed in the event
of an exception. You can use the "using" statement to ensure that they
are properly cleaned up.

Pete
 

Michael C

ng kiat said:
string strLogin = "SELECT * FROM Pass WHERE Login = ('" +
txtLogin.Text + "') AND Password = ('" + txtPassword.Text + "')";

This sort of thing makes your site very hackable by the not very advanced
hackers. What happens if they enter a password like this:

'; DELETE FROM Pass; SELECT '

You might be lucky with Access but with SQL Server this would give you lots
of trouble.
 

Ben Voigt [C++ MVP]

Michael said:
This sort of thing makes your site very hackable by the not very
advanced hackers. What happens if they enter a password like this:

'; DELETE FROM Pass; SELECT '

It would need to be

'); DELETE FROM Pass; --

Or some other examples

'); DROP TABLE Pass; --
'); UPDATE Pass SET Password = ('
 

Alun Harford

ng said:
I have been doing this for a while and I can't get it through. I am doing
a password login using database get password from MS Access then I am
able to log in. But when I run this my catch did not run when it finish
with try it will end by itself. This is my code.

protected void btnLogin_Click(object sender, EventArgs e)
{
    OleDbConnection conn5;
    try
    {
        string strConn5 =
            (string)System.Configuration.ConfigurationManager.AppSettings["ConnectionString"];
        string strLogin = "SELECT * FROM Pass WHERE Login = ('" +
            txtLogin.Text + "') AND Password = ('" + txtPassword.Text + "')";

Well my login is: Robert') OR 1=1; --

http://xkcd.com/327/

Alun Harford
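
Added example, not part of any post in this thread: one way to apply the points raised in the replies (bound parameters in place of string concatenation, "using" for cleanup, and a failed login handled as a normal result and not in catch). The class name AdminLogin and the helper CredentialsMatch are hypothetical; the controls, table and column names are the ones from the original post.

```csharp
using System;
using System.Configuration;
using System.Data.OleDb;

// Hypothetical code-behind class name; controls come from the original post.
public partial class AdminLogin : System.Web.UI.Page
{
    // Hypothetical helper: true when a row in Pass matches both values.
    private static bool CredentialsMatch(string login, string password)
    {
        string connStr = ConfigurationManager.AppSettings["ConnectionString"];

        // '?' markers are bound by position, so input such as
        //   Robert') OR 1=1; --
        // is compared as a literal string and never parsed as SQL.
        // Password is bracketed in case the provider treats it as reserved.
        const string sql =
            "SELECT COUNT(*) FROM Pass WHERE Login = ? AND [Password] = ?";

        // 'using' disposes both objects even when Open() or the query throws.
        using (OleDbConnection conn = new OleDbConnection(connStr))
        using (OleDbCommand cmd = new OleDbCommand(sql, conn))
        {
            // Add order must match the '?' order; OleDb ignores the names.
            cmd.Parameters.AddWithValue("@login", login);
            cmd.Parameters.AddWithValue("@password", password);
            conn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        try
        {
            // No matching row is a normal result, not an exception,
            // so the failed-login message belongs here and not in catch.
            if (CredentialsMatch(txtLogin.Text, txtPassword.Text))
                AdminMultiview.SetActiveView(AdminMainPage);
            else
                lblWrong.Text = "Please check your Login ID and Password again.";
        }
        catch (OleDbException)
        {
            // Database failure only; details are not echoed to the visitor.
            lblWrong.Text = "Login is unavailable right now.";
        }
    }
}
```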
 
