jamesmc1535 wrote
Okay, it works (
\\ ) and the @, but I get another syntax error:
SqlCommand cmd = new SqlCommand("from user1 where username = '" + textBox1.Text + "' and password = '" + textBox2.Text + "'", cn);
on the "from". Any fixes or advice?
In addition to what you've been already told in some of the comments to Solution 2:
Your approach is wrong from the very beginning. The query is composed by concatenation with strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are
immutable; do I have to explain why that makes repeated concatenation bad?), but there is a far more important issue: it opens the door to a well-known exploit called
SQL injection.
This is how it works:
http://xkcd.com/327.
Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.
What to do? Just read about this problem and the main remedy:
parametrized statements:
http://en.wikipedia.org/wiki/SQL_injection.
With ADO.NET, use this:
http://msdn.microsoft.com/en-us/library/ff648339.aspx.
Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.
—SA
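To make the point above concrete, here is an added example (not code from either poster) that builds the same `user1` table with `username` and `password` columns, runs the posted concatenated query against it, and then runs the parametrized form the answer recommends. It is written in Python with the built-in sqlite3 module rather than in C#/ADO.NET so that it runs anywhere without a SQL Server instance; the sample rows and the two attack strings (a `' OR '1'='1` tautology and an `alice'--` comment payload) are constructed for the demo. The only change to the posted statement is adding the `SELECT COUNT(*)` clause it was missing, which is the actual cause of the syntax error on "from".

```python
import sqlite3


def make_db():
    """Constructed sample data shaped like the thread's user1 table.
    Passwords are stored in clear only to keep the demo focused on
    injection; that is not a recommendation."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE user1 (username TEXT, password TEXT)")
    cn.executemany(
        "INSERT INTO user1 VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return cn


def login_concat(cn, username, password):
    """Vulnerable: the same string concatenation as the posted SqlCommand.
    Whatever the user typed becomes part of the SQL text."""
    sql = (
        "SELECT COUNT(*) FROM user1 WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return cn.execute(sql).fetchone()[0] > 0


def login_param(cn, username, password):
    """Hardened: placeholders in the SQL text, values passed separately.
    The driver never lets the values be parsed as SQL, so quotes and
    comment markers inside them are just characters."""
    sql = "SELECT COUNT(*) FROM user1 WHERE username = ? AND password = ?"
    return cn.execute(sql, (username, password)).fetchone()[0] > 0


def run_demo():
    """Runs both login functions against honest and hostile input and
    returns the outcomes, so the difference can be checked by name."""
    cn = make_db()
    # Assumed attack strings, constructed for the demo.
    tautology = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    comment = "alice'--"        # closes the quote, comments out the password check
    return {
        "concat_valid": login_concat(cn, "alice", "correct horse"),
        "concat_wrong_pw": login_concat(cn, "alice", "wrong"),
        "concat_tautology": login_concat(cn, "alice", tautology),
        "concat_comment": login_concat(cn, comment, "anything"),
        "param_valid": login_param(cn, "alice", "correct horse"),
        "param_wrong_pw": login_param(cn, "alice", "wrong"),
        "param_tautology": login_param(cn, "alice", tautology),
        "param_comment": login_param(cn, comment, "anything"),
    }


if __name__ == "__main__":
    for name, logged_in in run_demo().items():
        print(f"{name:18} -> {'logged in' if logged_in else 'rejected'}")
```

With concatenation, both attack strings log in without knowing any password; with placeholders, only the correct username/password pair does. The ADO.NET equivalent of `login_param` uses named parameters in the SQL text (`WHERE username = @username AND password = @password`) and supplies the values with `cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = textBox1.Text;` and the same for `@password`, so `textBox1.Text` and `textBox2.Text` are never spliced into the query string.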