Hi to all friends out there. I am unable to find mistake in this code. In this code i want to verify whether user name and password exit in database or not. if yes than it shows success message box.


Dim ds As DataSet
Dim da As SqlDataAdapter
Dim con As SqlConnection
Dim str As String
con = New SqlConnection("initial catalog=abc;data source=SQLSVR;user id=sa;password=xyz")
ds = New DataSet

str = " select username,password from login_form where (username=' " & TextBox1.Text & " ' and password = '" & TextBox2.Text & " ') "
da = New SqlDataAdapter(str, con)
da.Fill(ds, "login_form")
If ds.Tables("login_form").Rows.Count = 1 Then
MsgBox("successfull login")
Else
MsgBox("please check your username/password ")


when i am checking by breakpoint it shows that ds.tables.rows.... count is returning value 0. But in database those username and password exist.

please tell me where i am wrong.

Thank you in advance.

You have SPACES between your apostrophes and the values they surround. I will show you by changing your spaces to @ characters:
So if the user enters tha username "joe" you will be searching for a username of '[space]joe[space]' and not surpringly you don't find any matches.

I should note that this is inherently a bad way to do this. You are
(a) setting yourself up for SQL injection attacks and
(b) not able to hanle a user name such as O'Brien

thank you allot my friend.

from sql injection i think that can be avoided by using store procedure right but how i handle other thing mean o'johns like name like as you said.

Actually, it's the same answer to handle O'Brien and avoid SQL Injection.

(1) Use a stored procedure and parameters. Fixes both problems.

(2) Use your existing code, but create the string for the SQL thus:
You just convert every apostrophe you find into a pair of apostrophes. With a simple query like that, you have fixed both problems.

Thanks allot for your reply and making thing much more clear..