See more: VB.NET
I get this error in VB.NET. What is wrong with my code?
 
        Dim dataset As New DataSet
        Dim adapter As New SqlClient.SqlDataAdapter
        Dim command As New SqlClient.SqlCommand
        Dim cmd = New SqlCommand

        Dim con As New SqlConnection

        Try

            con.Open()
            cmd.Connection = con
            con.ConnectionString = "Data Source=lotus-pc\sqlexpress; Initial Catalog=LawyerSystem; Integrated Security= true "

            cmd.CommandText = "SELECT * FROM [users] WHERE (username='" + TextBox1.Text + "')AND (password='" + TextBox2.Text + "' )   "

            ' cmd.Connection = con
            cmd.ExecuteNonQuery()
            adapter.SelectCommand = command
            '  adapter.SelectCommand.Connection = con
            adapter.Fill(dataset, "0")
            Dim count = dataset.Tables(0).Rows.Count
            If count > 0 Then
                HomePage.Show()
            Else
                MsgBox("uncorrect", MsgBoxStyle.Critical)
            End If

        Catch ex As Exception
            MessageBox.Show("Error while inserting record on table..." & ex.Message, "Insert Records")
        Finally
            con.Close()
        End Try
Posted 8-Nov-12 4:58am
Lotus90317

1 solution


Solution 1

You get the error because you're trying to open the connection before you've even set the connection string:
 
con.Open()
cmd.Connection = con
con.ConnectionString = "Data Source=lotus-pc\sqlexpress; Initial Catalog=LawyerSystem; Integrated Security= true"
 
Change this to:
 
con.ConnectionString = "Data Source=lotus-pc\sqlexpress; Initial Catalog=LawyerSystem; Integrated Security= true"
con.Open()
cmd.Connection = con
 
One more thing: this code is very vulnerable to SQL injection:
 
cmd.CommandText = "SELECT * FROM [users] WHERE (username='" + TextBox1.Text + "')AND (password='" + TextBox2.Text + "' )"
 
By concatenating unsanitized user input directly into SQL statements you leave yourself wide open. Start parameterizing your queries:
 
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx
 
Take a look at:
 
https://www.owasp.org/index.php/SQL_Injection
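The following is an added example, not code from the question or the answer, showing both fixes the answer recommends in one routine: the connection string is assigned (through the constructor) before Open() is called, and the credentials travel as SqlParameter values instead of being concatenated into the statement. It also replaces the question's ExecuteNonQuery/SqlDataAdapter pair (which filled the adapter from the unused `command` object) with a single ExecuteScalar on a COUNT(*). The connection string, the [users] table and its column names are the asker's; CredentialsAreValid and the sample credentials in Main are hypothetical. The plain-text password comparison is kept from the page; a real system would compare a stored password hash.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module LoginExample

    ' Connection string taken from the question; "lotus-pc\sqlexpress" and
    ' "LawyerSystem" are the asker's values, not ones chosen for this example.
    Private Const ConnectionString As String =
        "Data Source=lotus-pc\sqlexpress; Initial Catalog=LawyerSystem; Integrated Security=true"

    ''' <summary>
    ''' Returns True when at least one row in [users] matches the given credentials.
    ''' The user-supplied values never become part of the SQL text.
    ''' </summary>
    Public Function CredentialsAreValid(username As String, password As String) As Boolean
        ' The Using block disposes (and therefore closes) the connection even when
        ' an exception is thrown, so no Try/Finally con.Close() is needed.
        Using con As New SqlConnection(ConnectionString)
            ' The connection string is already set by the constructor, so Open()
            ' is safe here. Calling Open() on a SqlConnection with no connection
            ' string is the error the question hit.
            con.Open()

            Using cmd As New SqlCommand(
                "SELECT COUNT(*) FROM [users] WHERE username = @username AND password = @password", con)

                ' Parameters are sent to SQL Server separately from the statement text,
                ' so a quote or an OR clause typed into the textbox is data, not SQL.
                cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username
                cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password

                ' A SELECT returns a result, so use ExecuteScalar (or a data reader),
                ' not ExecuteNonQuery, which is meant for INSERT/UPDATE/DELETE.
                Dim matches As Integer = CInt(cmd.ExecuteScalar())
                Return matches > 0
            End Using
        End Using
    End Function

    Sub Main()
        ' Hypothetical usage; in the form, pass TextBox1.Text and TextBox2.Text
        ' and call HomePage.Show() on success as the question does.
        If CredentialsAreValid("alice", "s3cret") Then
            Console.WriteLine("login ok")
        Else
            Console.WriteLine("login rejected")
        End If
    End Sub

End Module
```

Declaring the parameters with an explicit SqlDbType and length, rather than AddWithValue, keeps the server-side type stable across calls and avoids implicit conversions on the indexed username column.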
Comments

Marcus Kramer at 8-Nov-12 11:49am: +5

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 8 Nov 2012
Copyright © CodeProject, 1999-2014