As Richard MacCutchan suggests, please read this:
How to: Protect From Injection Attacks in ASP.NET, especially Step 4. Use Command Parameters for SQL Queries.
Then check this line:
sql = "exec Logon'" + txtUserName.text + "', '" + txtPassword.text + "'";
Are txtUserName and txtPassword the names of TextBox controls? If yes, try this:
// Read the submitted values from the TextBox controls
String uName = this.txtUserName.Text;
String uPass = this.txtPassword.Text;
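
An added example, not part of the original answer: the Logon call above with command parameters, as Step 4 of the linked article recommends, instead of string concatenation. The parameter names `@UserName` and `@Password`, their `NVarChar(50)` types, the scalar result and the `connectionString` argument are assumptions, since the page does not show the procedure's definition.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LogonExample
{
    // Calls the Logon stored procedure with typed parameters.
    // Assumption: Logon takes @UserName and @Password and returns one
    // value (for example a match count) in the first column of its result.
    public static object CallLogon(string connectionString, string uName, string uPass)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("Logon", conn))
        {
            // The command text is only the procedure name; no user input
            // is ever concatenated into SQL text.
            cmd.CommandType = CommandType.StoredProcedure;

            // Values travel as typed parameters, so a quote character in
            // uName or uPass (e.g. O'Brien) is treated as data, not as SQL.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = uName;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 50).Value = uPass;

            conn.Open();
            return cmd.ExecuteScalar();
        }
    }
}
```

From the page's code-behind this would be called as `LogonExample.CallLogon(connectionString, uName, uPass)`, replacing the concatenated `sql` string.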