I have two text boxes:
TextBox1 for user name and TextBox2 for password.

C#
string s = "select UserName,Password,Designation from Login where UserName='" + TextBox1.Text + "'and  Password='" + TextBox2.Text + "'";
SqlCommand cmd1 = new SqlCommand(s, con);
SqlDataReader dr = cmd1.ExecuteReader(CommandBehavior.SingleRow);


How to prevent SQL injection?
Comments
hitech_s 27-Apr-12 2:01am
   
Try to use parameterized queries; then you will be out of SQL injection attacks. Google once about SQL injection attacks; you will get so many links.

Use a parameterized query:
C#
string s = "select UserName,Password,Designation from Login where UserName=@uname and Password=@pass";
SqlCommand cmd1 = new SqlCommand(s, con);
// Values are sent as parameters, separately from the SQL text
cmd1.Parameters.AddWithValue("@uname", TextBox1.Text);
cmd1.Parameters.AddWithValue("@pass", TextBox2.Text);
SqlDataReader dr = cmd1.ExecuteReader(CommandBehavior.SingleRow);
   
Comments
sravani.v 27-Apr-12 2:47am
   
My 5!
uspatel 27-Apr-12 3:03am
   
Thanks Sravani.....
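
A fuller version of the parameterized lookup above, as an added example that is not part of the original answer: it declares each parameter's type and size explicitly instead of inferring them from the value, and disposes the connection, command and reader. The `LoginQuery` class, its method names, the connection string argument and the NVARCHAR(50) column sizes are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginQuery
{
    // Fixed SQL text: user input never becomes part of this string.
    const string Sql =
        "select Designation from Login " +
        "where UserName=@uname and Password=@pass";

    // Builds the command. NVARCHAR(50) is an assumed column type and size;
    // match it to the real Login table definition.
    public static SqlCommand Build(SqlConnection con, string userName, string password)
    {
        var cmd = new SqlCommand(Sql, con);
        cmd.Parameters.Add("@uname", SqlDbType.NVarChar, 50).Value = userName;
        cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 50).Value = password;
        return cmd;
    }

    // Returns the Designation of the matching row, or null when no row
    // matches or the column is NULL.
    public static string FindDesignation(string connectionString, string userName, string password)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = Build(con, userName, password))
        {
            con.Open();
            using (var dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!dr.Read() || dr.IsDBNull(0)) return null;
                return dr.GetString(0);
            }
        }
    }

    static void Main()
    {
        // Constructed input containing a quote. No connection is needed to
        // see that it is held as a parameter value, not in the SQL text.
        using (var cmd = Build(null, "O'Brien", "constructed-sample"))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
        }
    }
}
```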

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



