Click here to Skip to main content
Rate this: bad
good
Please Sign up or sign in to vote.
sqlcommand sqlparameter in cast type
i am trying to pass username and paasword throgh sqlparameter But query not executed

    string strSQL = @"SELECT User_ID, Enabled 
        	          FROM User_Reg 
        	          WHERE Username = @paramUsername 
        	          AND CAST(Password AS varbinary(30)) = CAST( @paramPassword  AS varbinary(30))";
        
        		objSqlCommand = new SqlCommand(strSQL, objSqlDbComm.SqlConnectionObject);
        		objSqlCommand.Parameters.AddWithValue("@paramUsername", txtUsername.Text);
        		objSqlCommand.Parameters.AddWithValue("@paramPassword", txtPassword.Text);
 
DataTable objDataTable = objSqlDbComm.ExecuteDataset(objSqlCommand).Tables[0];
sqlcommand sqlparameter in cast type
i am trying to pass username and paasword throgh sqlparameter But query executed with
objDataTable.Rows.Count GETTING 0
Posted 19-Apr-13 0:56am
Edited 19-Apr-13 1:07am
v3
Comments
Maciej Los at 19-Apr-13 6:05am
   
Does above code is complete?
"Not executed" - is not informative at all ;(
Please, be more specific and provide more details.
NikhildPawar at 19-Apr-13 6:08am
   
I have updated quetion
objDataTable.Rows.Count GETTING 0

1 solution

Rate this: bad
good
Please Sign up or sign in to vote.

Solution 1

The most obvious reason the "query not executed" is that you don't show the actual call to ExecuteReader, or DataAdapter.Fill - I will assume that you have one or the other in there though.
 
Why are you casting password? Why are you storing them as text? Even using parameterized queries, that is not a good idea for security reasons. See here: Password Storage: How to do it.[^]
 
Once you have converted your passwords to a secure form, do a simpler query that returns the user_id and the password given only the username - then verify the password in the code behind instead of as part of the query. That way, the password you expect to be valid never leaves teh server, and you have much better control over what goes on.
  Permalink  
Comments
Maciej Los at 19-Apr-13 6:21am
   
Short and to the point!
+5
NikhildPawar at 24-Apr-13 3:09am
   
answer
OriginalGriff at 24-Apr-13 3:27am
   
Sorry? Single word comments aren't that helpful. "answer" has many meanings, please try to elaborate a little! :laugh:
NikhildPawar at 24-Apr-13 3:38am
   
Sorry But Why query executed with
objDataTable.Rows.Count GETTING 0
please elaborate not cleared
OriginalGriff at 24-Apr-13 9:31am
   
Probably because they are compared as varbinary. So if there is any difference in the value you stored compared to the value of the string as cast to a varbinary (and that may well include unassigned values) it will fail. So if your store routine saves the string as "abc" followed by 27 spaces, and the cast converts it to "abc" followed by 27 nulls they will not match.
It's also possible that one is cast from Unicode, and the other isn't, or similar problems.
 
Without looking at you DB data in some detail I can't be specific.
 
Just don't do it! :laugh:

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
0 OriginalGriff 277
1 Maciej Los 230
2 BillWoodruff 205
3 Sergey Alexandrovich Kryukov 195
4 DamithSL 165
0 OriginalGriff 5,130
1 DamithSL 4,157
2 Maciej Los 3,650
3 Kornfeld Eliyahu Peter 3,460
4 Sergey Alexandrovich Kryukov 2,811


Advertise | Privacy | Mobile
Web04 | 2.8.141216.1 | Last Updated 19 Apr 2013
Copyright © CodeProject, 1999-2014
All Rights Reserved. Terms of Service
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100