Select Query in sql with c sharp textbox

Question

0.00/5 (No votes)

See more:

C#

abc.Open();
            com.CommandText = "select [id],[name] from testtable where user =='"textbox1.Text"' && password=='"textbox2.Text"'";
            bca = com.ExecuteReader();
            if (bca.HasRows)
            {
                while (bca.Read())
                {

                    listBox1.Items.Add(bca[0].ToString());
                    listBox2.Items.Add(bca[1].ToString());
                }
            }
            abc.Close();
        }

there is i want to select in where clause with text box1 and 2
but sql quuery mistake....

Posted 13-Feb-13 11:15am

saimm

Add a Solution

3 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

fjdiewornncalwe · Accepted Answer · 2013-02-13T11:23:00

Solution 2

1) SQL does not accept the == operator, only the = operator.
2) Never, ever, ever use inline concatenation of parameters in sql strings. This just invites sql injection and should be avoided from the outset when learning.
3) Never, ever, ever use a plain text password
4) If you are going to do this, do it as described in this article: Password Storage: How to do it.[^]
This is how it should look...

C#

com.CommandText = "Select [id],[name] FROM testtable WHERE user=@userName AND password=@password";
com.Parameters.Add(new SqlParameter("userName", textbox1.Text));
com.Parameters.Add(new SqlParameter("password", textbox2.Text)); // Horrible idea, but just here to show you how to use a parameter.
bca = com.ExecuteReader();

Posted 13-Feb-13 11:23am

fjdiewornncalwe

Comments

Richard C Bishop 13-Feb-13 17:25pm

Good call, I was not even thinking about paramterized queries when I was adding my solution. I just saw the errors with the syntax. Your solution is a much better alternative.

fjdiewornncalwe 14-Feb-13 8:59am

Thanks, richcb

Jibesh 13-Feb-13 17:28pm

using parameter is the right choice which eliminates the SQL Injection problem. my +5

fjdiewornncalwe 14-Feb-13 8:59am

Thanks, jibesh

Espen Harlinn 14-Feb-13 13:20pm

Exactly what I was thinking about :laugh:
BTW: My congratulations, I noticed that you've passed the 100K barrier, well done :-D

fjdiewornncalwe 14-Feb-13 13:23pm

Thanks, Espen

saimm 14-Feb-13 15:04pm

thnx Marcus
realy this is best way to teach ....

fjdiewornncalwe 14-Feb-13 15:21pm

Your welcome and Thanks, saimm.

saimm 14-Feb-13 15:08pm

i try to make login forum
but i m begginer so try to simple login forum
any advice to make login forum?

Sergey Alexandrovich Kryukov 24-Feb-13 12:51pm

5ed.
—SA

fjdiewornncalwe 25-Feb-13 8:12am

Thanks, Sergey.

Richard C Bishop · Accepted Answer · 2013-02-13T11:18:00

Solution 1

Change it from this:

com.CommandText = "select [id],[name] from testtable where user =='"textbox1.Text"' && password=='"textbox2.Text"'";

to this:

com.CommandText = "select [id], [name] from testtable where user ='" + textbox1.Text +"' and  password='" + textbox2.Text + "'";

Posted 13-Feb-13 11:18am

Richard C Bishop

muneebalikiyani · Accepted Answer · 2013-02-13T17:00:00

Solution 3

replace your Select query with this
"select [id],[name] from testtable where user ='" + textbox1.Text + "' and password='" +textbox2.Text + "'";

Posted 13-Feb-13 17:00pm

muneebalikiyani

Comments

saimm 14-Feb-13 15:05pm

thnx muneeb i try with these query...

Sergey Alexandrovich Kryukov 12-Mar-13 1:25am

Very, very bad answer. This is the invitation of SQL injection, should never be used.
Correct solutions use parametrized statements.
—SA