How to pass constant string variable into SQL query in C# WPF
1. I am not passing data and it should be in the database.
2. What I have tried: I have tried passing in queries; please give the solution.
Well, not much context to work with, and no code to see where your problems could be.
Guess we'll start with the basics.
How to pass constant string variable into SQL query in C# WPF
The proper way to do this would be to use a parameterized query for the command you want to execute.
1. Create the command text as a string, and use a parameter as the placeholder for the variable:
string SqlCmdText = "SELECT FNames FROM UserList WHERE EmailAddress = @Email";
Then, after your SqlCommand is created, you will add that parameter to the command object:
cmd.Parameters.AddWithValue("@Email", UserEmailAddress);
Here is a full sample for you:
// Requires: using System.Data; using System.Data.SqlClient;
public static string GetFirstName(string UserEmailAddress) {
    string ReturnValue = "";
    string SqlConnString = "{ Connection String }";
    // @Email is a placeholder; the value is bound below, never concatenated into the text
    string SqlCmdText = "SELECT FNames FROM UserList WHERE EmailAddress = @Email";
    using (SqlConnection conn = new SqlConnection(SqlConnString)) {
        using (SqlCommand cmd = new SqlCommand(SqlCmdText, conn)) {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.AddWithValue("@Email", UserEmailAddress);
            conn.Open();
            // ExecuteScalar returns the first column of the first row, or null when no row matches
            var sqlReturn = cmd.ExecuteScalar();
            if (sqlReturn != null) { ReturnValue = sqlReturn.ToString(); }
            conn.Close();
        }
    }
    return ReturnValue;
}
If you have a specific query or code to work with, I would highly suggest that you use the Improve Question widget and add that code in.
Addendum based on now-supplied application code
Thank you for supplying your code.
We have a few issues here:
1. SQL Injection Vulnerability. Never concatenate strings and input values together to make a SQL statement. You become susceptible to whatever an end-user enters into a text box. You can avoid this by using Parameters in the command context.
I have commented out the first instance of the problem and replaced it with how it should be. You will need to do the same for the two other SQL commands that you use:
// Placeholders in the command text; the text box values are bound as parameters
cmd = new SqlCeCommand("SELECT * FROM Login WHERE EmailID= @Email AND Password= @Password", conn);
cmd.Parameters.AddWithValue("@Email", textEMail.Text);
cmd.Parameters.AddWithValue("@Password", passwordBox1.Password);
SqlCeDataAdapter da = new SqlCeDataAdapter(cmd);
2. Plain-Text Passwords
You should never store passwords in plain-text. You should implement some method of hashing to protect them. This will require much more than a quick answer though. I would recommend reading the articles here and elsewhere on the topic. I have worked with implementations of bCrypt and would consider this acceptable as well.
Password Storage: How to do it.
Use BCrypt to Hash Your Passwords: Example for C# and SQL Server « Rob Kraft's Software Development Blog
Combined, these are asking to have all credentials stolen.
All I would need to do to get all of your login emails and passwords would be to use this email address:
Fred' OR (1=1);--
This will short circuit your statement to "SELECT * FROM Login", and I now have everyone's plain-text passwords to boot.
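To make the difference between the two patterns in this answer concrete, here is an added example (not part of the original post) that runs the same Login query both ways against a constructed in-memory table. It uses Python's standard sqlite3 module rather than C#/SQL Server CE purely so it runs stand-alone; the placeholder-and-bind mechanism is the same one SqlCeCommand parameters provide.

```python
import sqlite3

# Constructed sample data modelled on the question's Login table (EmailID, Password).
# Passwords are kept in plain text only to mirror the code under review.
SAMPLE_LOGINS = [
    ("alice@example.com", "alice-pass"),
    ("bob@example.com", "bob-pass"),
]


def make_db():
    """Build an in-memory database holding the constructed Login rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Login (EmailID TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Login VALUES (?, ?)", SAMPLE_LOGINS)
    return conn


def login_concatenated(conn, email, password):
    """The original, vulnerable pattern: user input spliced into the SQL text."""
    sql = ("SELECT * FROM Login WHERE EmailID= '" + email
           + "' AND Password= '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, email, password):
    """The corrected pattern: placeholders in the text, values bound separately.
    sqlite3's '?' plays the role of SqlCeCommand's '@Email' plus AddWithValue."""
    sql = "SELECT * FROM Login WHERE EmailID= ? AND Password= ?"
    return conn.execute(sql, (email, password)).fetchall()


def rows_matched(email, password):
    """Return (concatenated_count, parameterized_count) for one login attempt."""
    conn = make_db()
    try:
        return (len(login_concatenated(conn, email, password)),
                len(login_parameterized(conn, email, password)))
    finally:
        conn.close()


if __name__ == "__main__":
    # A genuine login matches exactly one row either way.
    print(rows_matched("alice@example.com", "alice-pass"))   # (1, 1)
    # The answer's payload in the e-mail box: concatenation collapses the WHERE
    # clause to OR (1=1) and comments out the password check, so every row comes
    # back; the parameterized query treats the same text as a literal e-mail.
    print(rows_matched("Fred' OR (1=1);--", "anything"))     # (2, 0)
```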