secretGeek.netEmbedded-Sql without Sql-Injection
Do this and you can be legally shot:
Dim myCmd as SqlCommand
myCmd.Commandtext = "Select * from Users where " & _
"Username = '" & txtUserName.text & "'" & _
" and Password = '" & txtPassword.Text & "'"
myCmd.Commandtext = "Select * from Users where " & _
"Username = '" & txtUserName.text & "'" & _
" and Password = '" & txtPassword.Text & "'"
So do this instead, at the **absolute** minimum:
Dim myCmd as SqlCommand
with myCmd
.Commandtext = "Select * from Users where " & _
"Username = @Name and Password = @Pass "
.Parameters.add("@Name", SqlDbType.Varchar)
.Parameters("@Name").Value = txtUserName.Text
.Parameters.Add("@Pass", SqlDbType.VarChar)
.Parameters("@Pass").Value = txtPassword.Text
End With
(You should still be smacked around for not encapsulating your functionality, not using tiers, and not using a sproc, but you will not be shot)
To learn why the first example is so much worse than the second, read about Sql-Injection. Next → ← Previous
My book "Choose Your First Product" is available now.
It gives you 4 easy steps to find and validate a humble product idea.