c# - Exception: System.InvalidOperationException Trying to validate a login information -

i trying create login form. having problems database. have created windows form consists of user name , password, , login button. think statement :

dataadapterobject.fill(datatableobject)  

has error. using visual studio profesional 2013 update 4 , sql server 2014 enterprise editon.

the code follows :

using system; using system.collections.generic; using system.componentmodel; using system.data; using system.data.sqlclient; using system.drawing; using system.linq; using system.text; using system.threading.tasks; using system.windows.forms;  namespace society_accounting_software {  public partial class loginscreen : form {     sqlconnection databaseconnect = new sqlconnection();       public loginscreen()     {         sqlconnection databaseconnect = new sqlconnection();         databaseconnect.connectionstring = "data source=gaurav-pc;initial catalog=societyaccountingdatabase;integrated security=true";         initializecomponent();      }      private void label1_click(object sender, eventargs e)     {      }      private void form1_load(object sender, eventargs e)     {           sqlconnection databaseconnect = new sqlconnection("data source=gaurav-pc;initial catalog=societyaccountingdatabase;integrated security=true");          databaseconnect.open();      }     private void textbox1_textchanged(object sender, eventargs e)     {      }      private void label2_click(object sender, eventargs e)     {      }      private void textbox1_textchanged_1(object sender, eventargs e)     {      }      private void button1_click(object sender, eventargs e)     {         string querystring = "select userid,userpassword useraccounts userid='gaurav' ,  userpassword='test123'";         sqlconnection databaseconnect = new sqlconnection();         databaseconnect.connectionstring = "data source=gaurav-pc;initial catalog=societyaccountingdatabase;integrated security=true";         databaseconnect.open();         string username = usernametextbox.text;         string password = passwordtextbox.text;         sqlcommand sqlcommandobject = new sqlcommand("select userid,userpassword useraccounts userid='"+username+"' ,  userpassword='"+password+"'");         sqldataadapter dataadapterobject = new sqldataadapter(sqlcommandobject);         datatable datatableobject = new datatable();         dataadapterobject.fill(datatableobject);            if (datatableobject.rows.count > 0)         {             messagebox.show("login sucessful");             adminconsoleform adminconsole= new adminconsoleform();             this.hide();             adminconsole.show();          }         else         {             messagebox.show("invalid login name , password please try again!");          }          databaseconnect.close();             //adminconsoleform adminconsole= new adminconsoleform();         //this.hide();         //adminconsole.show();          } } } 

can 1 help?

wherever possible should using database connections so.

using(var connection = new sqlconnection(connectionstring)) {     connection.open();     //... } 

at moment randomly creating connections in various methods ontop of having connection field, pretty confusing.

you should not concatenating sql , should use parameterised queries

using(var connection= new sqlconnection(connectionstring)) {     connection.open();      var sql = @"select password users userid = @userid";      var command = new sqlcommand(sql, connection);     command.parameters.add("@userid", sqldbtype.varchar);     command.parameters["@userid"].value = username;      // .... } 

passwords should never stored plaintext , should not able query password 'directly'. simple method of securing passwords hash password random salt, storing salt along hash in database.

you don't need datatable should have single row returned , datareader enough in scenario.

using(var connection= new sqlconnection(connectionstring)) {     connection.open();      var sql = @"select password, salt users userid = @userid";      var command = new sqlcommand(sql, connection);     command.parameters.add("@userid", sqldbtype.varchar);     command.parameters["@userid"].value = username;      using(var reader = command.executereader())     {         if (reader.read())         {             var password = reader.getstring(0);             var salt = reader.getstring(1);              return checkpassword(password, salt, pwrdtextbox.text);         }          debug.writeline("the user {0} not exist", username);         return false;     } } 

i recommend reading through article salted password hashing - doing right on codeproject.