[ACCEPTED]-How can I get a username and password from my database in C#?-sql-injection

Accepted answer
Score: 13

In general, when accessing your DB, you 2 should be using something similar to this 1 instead to eliminate SQL injection vulnerabilities:

using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
        myCommand.Parameters.AddWithValue("@username", user);
        myCommand.Parameters.AddWithValue("@password", pass);

        SqlDataReader myReader = myCommand.ExecuteReader())

But more realistically to store credentials, you should be using something like the Membership system instead of rolling your own.

Score: 7

You're running a huge risk of sql injection with that. Use SQL Parameters for values into SqlCommands.


Score: 4

If you mean c# variables, and if you want 3 to get them from db, just do this:

SqlDataReader reader = cmd.execute Reader();
if (reader.Read())
    string username = reader["username"];
    string pwd = reader["password"];

While 2 you are at it, parameterize your query and 1 prevent sql injection:

SqlCommand cmd = new Sqlcommand("select * from login where username=@username and pwd=@pwd", con);
cmd.Parameters.AddWithValue("@username", txt4name.Text);
cmd.Parameters.AddWithValue("@pwd", txt4pwd.Text);
Score: 2

Definitely heed the advice about SQL injection 1 but here is the answer to your question:

String username;
String pwd;

int columnIndex = reader.GetOrdinal("username");

if (!dataReader.IsDBNull(columnIndex))
    username = dataReader.GetString(columnIndex);

columnIndex = reader.GetOrdinal("pwd");

if (!dataReader.IsDBNull(columnIndex))
    pwd = dataReader.GetString(columnIndex);
Score: 0
string userName =  txt4name.Text;
string password =  txt4pwd.Text;

Is that really what you want? Just to get 1 that data into variables?

Score: 0

You really need to use parameterized SQL. There's an example here Furthermore, your 6 question doesn't really make sense; you 5 want the username and password in seperate 4 variables? they already are seperate in 3 your example. If you are unable to assign 2 them to strings I suggest following some 1 tutorials.

Score: 0

Another approach is to load the reader results 6 into a DataTable like so:

DataTable Result = new DataTable();


If your login table 5 only contains two columns (userName and 4 password) that are unique you end up with 3 Result containing only one row with the 2 information. You can then get the column 1 values from each column:

string userName = Result.Rows[0].Field<string>("userName");
string password = Result.Rows[0].Field<string>("pwd");
Score: 0
private void but_login_Click(object sender, EventArgs e)
    string cn = "Data Source=.;Initial Catalog=mvrdatabase;Integrated Security=True";
    SqlConnection con = new SqlConnection(cn);
    SqlCommand cmd = new SqlCommand("select count (*) from logintable where username ='" + txt_uname.Text + "'and password='" + txt_pass.Text + "'", con);
    int i = Convert.ToInt32(cmd.ExecuteScalar());

    if (i == 1)
        Form2 f2 = new Form2();
        MessageBox.Show("User login successfully........");
        MessageBox.Show("INCORRECT USERID AND PASSWORD", "Error");


More Related questions