Syntax Error with Database Login System

Question

Created a website login system but when I run it it keeps coming up with this error to the particular bit of coding below. Can someone PLEASE help me with this Error message on

Answer 1

That happens because USER is a reserved keyword. To refer to it in your queries you need to encapsulate the word between square brackets

 string query = string.Format("SELECT COUNT(*) FROM [user] WHERE name = .....

but at this point, why in subsequent queries you use the name users? It is just a typo in the first query or in the next?

However, you should also keep in mind that string formatting your queries in that way is very bad.
You are at risk of Sql Injections and, if a single quote appears in your text values, the whole query will resul in an invalid syntax

As an example of a parameterized query to replace your query

 string query = "SELECT COUNT(*) FROM [user] WHERE name = @name",
 command.CommandText = query;
 command.Parameters.AddWithValue("@name",login);
 int amountOfUsers = (Convert.ToInt32(command.ExecuteScalar());
 if(amountOfUsers > 0)
 {
    .....
 }

Then the next problem is the password retrieved from the database and compared with the user input. Having this kind of code means the password is stored in clear text inside the database. A clear security risk. You should store passwords in an encrypted form. When you need to check the user credentials you apply the same crypting algorithm to the user input and checks against the password in the database.

You could do this in a single operation

 string cryptPwd = EncryptPassword(password);
 string query = "SELECT COUNT(*) FROM [user] WHERE name = @name and password = @cryptpwd",
 ....