SELECT parameterizes query

Question

1.00/5 (1 vote)

See more:

How would I change this into a parameterized query? Its the code for the login for users to the system

C#

private void LoginButton_Click(object sender, EventArgs e)
        {

            SqlConnection sqlcon = new SqlConnection(@"Data Source=HP\SQLEXPRESS;Initial Catalog=Inventory;Integrated Security=True");
            string query = "Select * from Employees Where Username = '" + Username_txt.Text + "' and Password = '" + Password_txt.Text + "'";
            SqlDataAdapter sda = new SqlDataAdapter(query, sqlcon);
            DataTable dtbl = new DataTable();
            sda.Fill(dtbl);

            if (dtbl.Rows.Count == 1)
            {
                Dashboard mainForm = new Dashboard();
                this.Hide();
                mainForm.Show();
            }
            else
            {
                LoginError.Visible = true;
            }
        }

What I have tried:

Re-writing code, but its still not working

Posted 4-Dec-17 9:21am

Member 13512434

Updated 4-Dec-17 10:26am

v3

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

an0ther1 · Answer 1 · 2017-12-04T10:03:00

Put a placeholder in your query for each parameter;

C#

string query = "SELECT * FROM Employees WHERE Username = @username AND Password = @password";

Then add the parameters to the query text as follows;

C#

// declare a datatable outside of your using statement
DataTable dtResults;
using(SqlConnection conn = new SqlConnection(@"Data Source=HP\SQLEXPRESS;Initial Catalog=Inventory;Integrated Security=True"))
{
    // create a SQL Command object    
    SqlCommand cmd = new SqlCommand(conn, query);
    // populate the parameters using either of the following methods
    cmd.Parameters.Add("@username", SqlDbType.Varchar);
    cmd.Parameters["@username"].Value = Username_txt.Text;
    cmd.Parameters.AddWithValue("@password", Password_txt.Text);
    // open the connection - should we wrapped in a try/catch block
    conn.Open();
    // create an adapter and fill the datatable with results
    SqlDataAdapter adap = new SqlDataAdapter(cmd);
    adap.Fill(dtResults);
}

MSDN is an excellent source of reference material, below is a link to the SqlCommand.Parameters property which you may find useful;SqlCommand.Parameters Property (System.Data.SqlClient)[^]

Kind Regards

OriginalGriff · Answer 2 · 2017-12-04T10:24:00

Solution 2

an0ther is right about the parameterization, but there is another issue: never store passwords in plain text: Password Storage: How to do it.[^]

Posted 4-Dec-17 10:24am

OriginalGriff

Comments

Richard Deeming 5-Dec-17 10:45am

Some people never listen!
https://www.codeproject.com/Answers/1214540/Oledbexception-was-unhandled-Csharp-explanation-ne[^]

Still, at least the OP seems to finally be getting the message about SQLi. :)