Hi,
You forgot apostrophes, and you forgot an AND or OR:
string verifyinfo = "select imagelist, pass from Gpass where userid='" + txtuserid.Text + "' AND email='" + txtemail.Text + "'";
But don't use string concatenation to build queries, because using string concatenation doesn't prevent SQL injection. Use a SqlParameter to pass a parameter:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx
http://www.dotnetperls.com/sqlparameter
If you use a SqlParameter, try this code:
using (SqlCommand command = new SqlCommand("select imagelist, pass from Gpass where userid=@userid AND email=@email", connection))
{
    // The values travel as parameters and never become part of the SQL text.
    command.Parameters.Add(new SqlParameter("@userid", txtuserid.Text));
    command.Parameters.Add(new SqlParameter("@email", txtemail.Text));
    using (SqlDataReader reader = command.ExecuteReader())
    {
        // Read the imagelist and pass columns from the reader here.
    }
}
I recommend using SqlParameter to prevent SQL injection.
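Added example, not part of the original answer: the concatenated query and the parameterized query from above, run side by side against the same inputs to show why the second is safe. It assumes an in-memory SQLite database standing in for SQL Server; the rows, the function names and the input values are constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; SQLite stands in for the SQL Server table Gpass.
    db = sqlite3.connect(":memory:")
    db.execute("create table Gpass (userid text, email text, imagelist text, pass text)")
    db.executemany("insert into Gpass values (?, ?, ?, ?)", [
        ("alice", "alice@example.com", "img1,img2", "s3cret"),
        ("o'brien", "ob@example.com", "img3", "hunter2"),
    ])
    return db

def lookup_concat(db, userid, email):
    # Pattern to avoid: the input becomes part of the SQL text itself.
    sql = ("select imagelist, pass from Gpass where userid='" + userid +
           "' AND email='" + email + "'")
    return db.execute(sql).fetchall()

def lookup_param(db, userid, email):
    # Hardened form: the SQL text is fixed and the values are bound separately.
    sql = "select imagelist, pass from Gpass where userid=:userid AND email=:email"
    return db.execute(sql, {"userid": userid, "email": email}).fetchall()

def compare(db, userid, email):
    # Returns (concatenated result or error name, parameterized result).
    try:
        concat = lookup_concat(db, userid, email)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return concat, lookup_param(db, userid, email)

if __name__ == "__main__":
    db = make_db()
    cases = [
        ("alice", "alice@example.com"),   # ordinary input: both forms agree
        ("o'brien", "ob@example.com"),    # legitimate apostrophe breaks the concatenated SQL
        ("alice", "x' OR '1'='1"),        # quote in the value rewrites the WHERE clause
    ]
    for userid, email in cases:
        print(userid, email, compare(db, userid, email))
```

In the third case the concatenated query returns every row in the table, while the parameterized query compares the whole value as a literal email and returns nothing.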