
Thread: Connecting Visual Studio To SQL Server

  1. #1

    Thread Starter
    New Member
    Join Date
    Apr 2022
    Posts
    2

    Connecting Visual Studio To SQL Server

    I am creating a project for school. I basically have to develop an application for a fake company that will help them. I am making an application that will display the employee name, email, etc. I have created the login screen and connected that to the SQL Server. I am completely lost on how, after that login screen, to display my second database in SQL that will show the employee information. Any help would be greatly appreciated. I have displayed my code below and deleted out the connection address just to be safe.
    Code:
    Imports System.Data
    Imports System.Data.SqlClient
    Public Class Form1
        Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
            Dim con As SqlConnection = New SqlConnection("")
            Dim Cmd As SqlCommand = New SqlCommand("select * from login where username='" + txtUser.Text + "' and password='" + txtPass.Text + "'", con)
            Dim sda As SqlDataAdapter = New SqlDataAdapter(Cmd)
            Dim dt As DataTable = New DataTable()
            sda.Fill(dt)
            If (dt.Rows.Count > 0) Then
                MessageBox.Show("login Success", "information", MessageBoxButtons.OK, MessageBoxIcon.Information)
            Else
                MessageBox.Show("Error", "information", MessageBoxButtons.OK, MessageBoxIcon.Information)
            End If
        End Sub
    
        Private Sub btnclear_Click(sender As Object, e As EventArgs) Handles btnclear.Click
            txtPass.Clear()
            txtUser.Clear()
    
        End Sub
    
        Private Sub btnexit_Click(sender As Object, e As EventArgs) Handles btnexit.Click
            Application.Exit()
        End Sub
    End Class
    Last edited by Shaggy Hiker; Apr 4th, 2022 at 10:36 AM. Reason: Added CODE tags.

  2. #2
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    39,038

    Re: Connecting Visual Studio To SQL Server

    Welcome to the forum. I edited your post to wrap the code in [CODE][/CODE] tags, which you can do by pressing the # button and pasting code between the tags.

    As to the question, things from a database can be displayed in several different types of controls. Listboxes are best if you want to show a single field, while DataGridViews are generally used to show tables of data. There are many options beyond that, so it depends a lot on what you want to show.

    However, there are a couple things to point out about the SQL you have written, though they are likely points that you may not have gotten to in a class.

    1) It is better to use & rather than + to concatenate strings. Yes, in SQL you have to use +, and in C# you have to use +, but in VB it is better to use &, though + will work. The problem with + in VB is that, if you have Option Strict OFF, then the language might try to turn the strings into numbers and add them, or not. This can cause confusion. With &, the language has no freedom to interpret what you wrote, whereas with +, it could either add or concatenate, and the language may choose to do something other than what you want.

    2) Concatenating user-entered text directly into a SQL statement opens you up to SQL injection attacks. You aren't likely to encounter many of those at school (though the classic cartoon about SQL injection attacks IS based on a school), but it's something you should be aware of. You should be using parameters rather than concatenating the strings into the SQL. Parameters will clean up any malicious text. Concatenating text remains a remarkably common mistake, though, so it's best to learn it the right way up front.
    My usual boring signature: Nothing
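
The two points raised in the reply above (parameters instead of concatenation, and a DataGridView for tabular data) put together as an added example; it is not code from any poster in this thread. The `Employees` table, its `EmployeeName` and `Email` columns, the `dgvEmployees` grid, the column length of 50 and the connection string are assumptions, and the `login` table is used as the first post shows it.

```vb
Imports System.Data
Imports System.Data.SqlClient

' Added example, not code from the thread. The Employees table and its columns,
' dgvEmployees, the length 50 and the connection string are hypothetical.
Public Class LoginData

    Private Const ConnectionString As String = "TODO"

    ' Returns True when a row matches both values. The user's text travels as
    ' parameter values, so it is never parsed as part of the SQL statement.
    Public Shared Function IsValidLogin(userName As String, password As String) As Boolean
        Const sql As String =
            "select count(*) from login " &
            "where username = @UserName and password = @Password"
        Using cn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand(sql, cn)
                ' Parameter names must match the placeholders in the SQL text.
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName
                cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 50).Value = password
                cn.Open()
                Return CInt(cmd.ExecuteScalar()) > 0
            End Using
        End Using
    End Function

    ' Loads the employee rows to show after a successful login.
    Public Shared Function GetEmployees() As DataTable
        Const sql As String =
            "select EmployeeName, Email from Employees order by EmployeeName"
        Dim table As New DataTable()
        Using cn As New SqlConnection(ConnectionString)
            Using adapter As New SqlDataAdapter(sql, cn)
                adapter.Fill(table) ' Fill opens and closes the connection itself
            End Using
        End Using
        Return table
    End Function
End Class

' In the form's Button1_Click handler (dgvEmployees is a DataGridView):
'     If LoginData.IsValidLogin(txtUser.Text, txtPass.Text) Then
'         dgvEmployees.DataSource = LoginData.GetEmployees()
'     Else
'         MessageBox.Show("Error", "information", MessageBoxButtons.OK, MessageBoxIcon.Information)
'     End If
```
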

  3. #3
    Karen Payne MVP kareninstructor's Avatar
    Join Date
    Jun 2008
    Location
    Oregon
    Posts
    6,686

    Re: Connecting Visual Studio To SQL Server

    Best practices

    Place database operations in a separate class

    For SELECT statements, never use *; always specify only the columns needed.

    In the following example, the User class represents a user, in this case with only a few properties to match the data in the database table; add, remove, or change them as needed. Pass in a user name: if found, data is returned; if not found, Nothing is returned, so in the calling code in your form, assert that the return value is not Nothing.

    Code:
    Option Infer On
    
    Imports System.Data
    Imports System.Data.SqlClient
    
    Public Class DataOperations
    
    	Protected Shared ConnectionString As String = "TODO"
    
    	' Returns the matching User, or Nothing when no row has that user name.
    	Public Shared Function GetUser(ByVal userName As String) As User
    		Dim user As New User()
    		Using cn = New SqlConnection(ConnectionString)
    			Using cmd = New SqlCommand With {.Connection = cn}
    				cmd.CommandText = "select Id,JoinDate from login where username= @UserName"
    				' The parameter name must match the placeholder in CommandText.
    				cmd.Parameters.Add("@UserName", SqlDbType.NVarChar).Value = userName
    				cn.Open()
    				' Dispose the reader as soon as the row has been copied.
    				Using reader = cmd.ExecuteReader()
    					If reader.HasRows Then
    						reader.Read()
    						user.Id = reader.GetInt32(0)
    						user.JoinDate = reader.GetDateTime(1)
    						Return user
    					Else
    						Return Nothing
    					End If
    				End Using
    			End Using
    		End Using
    	End Function
    
    End Class
    
    ' Plain data holder for one row of the login table.
    Public Class User
    	Public Property Id() As Integer
    	Public Property UserLoginName() As String
    	Public Property JoinDate() As DateTime
    End Class

  4. #4
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    39,038

    Re: Connecting Visual Studio To SQL Server

    I wouldn't say 'never' when you use *. If you don't need all the columns, then certainly don't use it, but it appears that if you DO need ALL the columns, then there is no penalty for using *. If you do not need all the columns, then using * will move more data than you need, and that has a cost associated with it that you shouldn't pay if you don't need to. I used to think that SELECT * would be slightly slower than specifying the columns even if you DO need all of them, but that appears not to be the case.
    My usual boring signature: Nothing
