how to prevent sql injection on login

Question

0.00/5 (No votes)

See more:

SQL-Server-2005

C#

ASP.NET

, +

I have two text box
Textbox1 for user name and Textbox2 for password

C#

string s = "select UserName,Password,Designation from Login where UserName='" + TextBox1.Text + "'and  Password='" + TextBox2.Text + "'";
 SqlCommand cmd1 = new SqlCommand(s, con);
                SqlDataReader dr = cmd1.ExecuteReader(CommandBehavior.SingleRow);

how to prevent sql injection?

Posted 26-Apr-12 19:48pm

Member 7909353

Add a Solution

Comments

hitech_s 27-Apr-12 2:01am

try to use parameterized queries then you will be out of sql injection attacks.google once about sqlinjection attacks, will get so many links.

2 solutions

Solution 2

Some links that talks about avoiding SQL Injection:
SQL Injection Attacks and Some Tips on How to Prevent Them[^]

http://msdn.microsoft.com/en-us/library/ff648339.aspx[^]

http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET[^]

Posted 26-Apr-12 19:56pm

Deepak_Sharma_

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

uspatel · Accepted Answer · 2012-04-26T19:50:00

Solution 1

Use parametrized Query

C#

string s = "select UserName,Password,Designation from Login where UserName=@uname and  Password=@pass;
 SqlCommand cmd1 = new SqlCommand(s, con);
cmd1.Parameters.AddWithValue("uname",TextBox1.Text);
cmd1.Parameters.AddWithValue("pass",TextBox2.Text);
                SqlDataReader dr = cmd1.ExecuteReader(CommandBehavior.SingleRow);

Posted 26-Apr-12 19:50pm

uspatel

Comments

sravani.v 27-Apr-12 2:47am

My 5!

uspatel 27-Apr-12 3:03am

Thanks Sravani.....