Just imagine this scenario:
A user (smart one) wants to log in. He writes
me@mail.com
in the Email textbox and
pwd
in the password textbox. This input will generate the following SQL queries:
select count(*) from TableCEO where EmailAddress='me@mail.com'
and
Select Password from TablePass where Password='pwd'
That's no problem.
Now imagine that this user writes
' or 1=1 or 1='
in the email textbox, and
' or LEN(Password)>0 or Password='
in the password textbox.
This input will generate the following SQL queries:
select count(*) from TableCEO where EmailAddress='' or 1=1 or 1=''
and
Select Password from TablePass where Password='' or LEN(Password)>0 or Password=''
Do you see the problem here? It's called SQL injection. It's easy to prevent using SqlParameters. You really should read about it.
MSDN - How To: Protect From SQL Injection in ASP.NET
And you should never store passwords as clear text in your database. It's pretty easy to avoid. I've written an article about that:
Beginners guide to a secure way of storing passwords
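The two queries above, run both by string concatenation and with parameters, as an added example that is not part of the original answer. It uses an in-memory SQLite database with constructed sample rows standing in for TableCEO and TablePass, and registers a LEN function (SQLite only has LENGTH) so the exact payloads from the answer can be tried as-is.

```python
import sqlite3

# Constructed sample rows; these stand in for the real TableCEO / TablePass.
USERS = [("ceo@example.com", "s3cret"), ("cfo@example.com", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    # Emulate T-SQL's LEN() so the password payload from the answer parses in SQLite.
    conn.create_function("LEN", 1, lambda s: None if s is None else len(s))
    conn.execute("create table TableCEO (EmailAddress text)")
    conn.execute("create table TablePass (Password text)")
    conn.executemany("insert into TableCEO values (?)", [(e,) for e, _ in USERS])
    conn.executemany("insert into TablePass values (?)", [(p,) for _, p in USERS])
    return conn


# Vulnerable: user input is pasted straight into the SQL text.
def count_email_concat(conn, email):
    sql = "select count(*) from TableCEO where EmailAddress='" + email + "'"
    return conn.execute(sql).fetchone()[0]


def passwords_concat(conn, pwd):
    sql = "Select Password from TablePass where Password='" + pwd + "'"
    return [row[0] for row in conn.execute(sql)]


# Fixed: the value travels as a parameter, so quotes in it are just characters.
def count_email_param(conn, email):
    sql = "select count(*) from TableCEO where EmailAddress=?"
    return conn.execute(sql, (email,)).fetchone()[0]


def passwords_param(conn, pwd):
    sql = "Select Password from TablePass where Password=?"
    return [row[0] for row in conn.execute(sql, (pwd,))]


def demo():
    conn = make_db()
    email_payload = "' or 1=1 or 1='"
    pwd_payload = "' or LEN(Password)>0 or Password='"
    return {
        "concat_email": count_email_concat(conn, email_payload),  # every row matches
        "concat_pwd": passwords_concat(conn, pwd_payload),        # all passwords returned
        "param_email": count_email_param(conn, email_payload),    # 0: no such address
        "param_pwd": passwords_param(conn, pwd_payload),          # []: no such password
    }
```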