Some light reading for you:
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
And:
Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
An immediate fix for the SQLi vulnerability:
// '?' placeholders keep the values as data; they are never spliced into the SQL text.
// conn is assumed to be an already-open OleDbConnection.
using (OleDbCommand cmd = new OleDbCommand("INSERT INTO tblLogin (Username, Password, CharPreset) VALUES (?, ?, ?)", conn))
{
    // OleDb binds parameters by position, so add them in placeholder order; the names are ignored.
    cmd.Parameters.AddWithValue("p0", u.Username);
    cmd.Parameters.AddWithValue("p1", u.Password);
    cmd.Parameters.AddWithValue("p2", u.CharPreset);
    cmd.ExecuteNonQuery();
}
But don't ignore the password storage problem!
Oh, and storing the connection object in a static field is a terrible idea, especially if this is a web application. Connections are not thread-safe, and if two requests hit at the same time, the best you can hope for is a crash.
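An added example (not the answer's own code) that combines the parameterized insert with the salted hashing the linked articles describe, using PBKDF2 via Rfc2898DeriveBytes. It assumes an already-open OleDbConnection, that tblLogin has PasswordHash, Salt and Iterations columns in place of the plaintext Password column, and .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals.

```csharp
using System;
using System.Data.OleDb;
using System.Security.Cryptography;

// Added example, not from the original answer. tblLogin/Username/CharPreset come from
// the question; the PasswordHash, Salt and Iterations columns are assumed to exist.
public static class LoginStore
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100_000;
    public static void CreateUser(OleDbConnection conn, string username, string password, string charPreset)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt); // per-user random salt
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            hash = kdf.GetBytes(HashSize); // PBKDF2-SHA256; only this, never the password, is stored
        // '?' placeholders keep user input as data: it is never spliced into the SQL text.
        using (var cmd = new OleDbCommand(
            "INSERT INTO tblLogin (Username, PasswordHash, Salt, Iterations, CharPreset) VALUES (?, ?, ?, ?, ?)", conn))
        {
            // OleDb binds by position, so add parameters in placeholder order; names are ignored.
            cmd.Parameters.AddWithValue("p0", username);
            cmd.Parameters.AddWithValue("p1", Convert.ToBase64String(hash));
            cmd.Parameters.AddWithValue("p2", Convert.ToBase64String(salt));
            cmd.Parameters.AddWithValue("p3", Iterations);
            cmd.Parameters.AddWithValue("p4", charPreset);
            cmd.ExecuteNonQuery();
        }
    }

    public static bool VerifyPassword(OleDbConnection conn, string username, string password)
    {
        using (var cmd = new OleDbCommand("SELECT PasswordHash, Salt, Iterations FROM tblLogin WHERE Username = ?", conn))
        {
            cmd.Parameters.AddWithValue("p0", username);
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // unknown user
                byte[] stored = Convert.FromBase64String(reader.GetString(0));
                byte[] salt = Convert.FromBase64String(reader.GetString(1));
                byte[] computed;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, reader.GetInt32(2), HashAlgorithmName.SHA256))
                    computed = kdf.GetBytes(stored.Length);
                // Constant-time comparison so timing does not reveal how many bytes matched.
                return CryptographicOperations.FixedTimeEquals(computed, stored);
            }
        }
    }
}
```

Storing the iteration count per row lets you raise it later for new accounts without breaking verification of existing ones.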