Can I use Environment.Username and MYSQL to verify log in?

Question

        private void btnSubmitt_Click(object sender, RoutedEventArgs e)
        {
        try
        {
            i = 0;
            MySqlCommand cmd = con.CreateCommand();
            cmd.CommandType = CommandType.Text;
            cmd.CommandText = "Select * from users where  TX_EMPLOYEE='"; (Environment.UserName) & "'";
            DataTable dt = new DataTable();
            MySqlDataAdapter da = new MySqlDataAdapter(cmd);
            da.Fill(dt);

            i = Convert.ToInt32(dt.Rows.Count.ToString());
        }
        catch
        {
            MessageBox.Show("Database connection is not available at this time. Please contact your database administrator ");
        }
        finally
        {
            con.Close();
        }

I would like to authenticate the user with their computer login name and the exact match that is listed in the MYSQL data table. However Environment.Username is not a valid syntax in this SQL statement.

Answer 1

This line is very very wrong:

cmd.CommandText = "Select * from users where  TX_EMPLOYEE='"; (Environment.UserName) & "'";

It should be this:

cmd.CommandText = "Select * from users where  TX_EMPLOYEE='" + Environment.UserName + "'";

Except, it shouldn't be like that because of SQL injection. If I could make Environment.UserName into ' or 1 = 1 or TX_EMPLOYEE = ' then your final query would become this:

Select * from users where  TX_EMPLOYEE='' or 1 = 1 or TX_EMPLOYEE = ''

Which clearly isn't what you want - somebody with no credentials being able to access this. You should instead use SQL parameters:

cmd.CommandText = "Select * from users where  TX_EMPLOYEE=?userName";
cmd.Parameters.AddWithValue("?userName", Environment.UserName);

On a separate note, I'm confused by this code:

i = Convert.ToInt32(dt.Rows.Count.ToString());

DataTable.Rows.Count is already an int , so you're converting a number to a string to a number. Why?