Plam Plam - 2 years ago 107
SQL Question

SQL CommandText Confusion with double quotes and single quotes

I am working on making a login system for my website. I am trying to make this code work.

cmd.CommandText="SELECT Usernames,Passwords FROM logininfo WHERE Usernames="" + UsernameInput.Text
+ "AND Passwords="" + PasswordInput.Text + '"";

My only problem is I am confused where to put the " and the ' types of quotes. So this is the code that I am having trouble with. I know it is correct but the single and double quote placement is confusing me and is not letting me compile.

pid pid
Answer Source

Please don't concatenate SQL, that exposes you to SQL injection. Use parameters instead.

cmd.CommandText="SELECT Usernames,Passwords FROM logininfo WHERE Usernames=@username AND Passwords=@password";
cmd.Parameters.AddWithValue("@username", UsernameInput.Text);
cmd.Parameters.AddWithValue("@password", PasswordInput.Text);

Also take the advice in the comment of Scott Chamberlain: it is a bad thing to store passwords in the clear or encrypted in a database. Just store hashes. But read about how to do it, it's not immediate (you need to salt it correctly and use a robust hashing algorithm such as SHA512).

It's far too complex to explain here but you'll find tons of guides on this problem.
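As an added example (not code from the question or the answer), here is the parameterized lookup from the answer combined with the salted-hash storage it recommends, in C# with ADO.NET. The columns Salt, PasswordHash and Iterations, and the choice of PBKDF2 (Rfc2898DeriveBytes over SHA512) as the salted hashing scheme, are assumptions; it assumes .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Verifies a login against a table that stores a per-user salt and a PBKDF2
// hash instead of the password itself. Assumed (hypothetical) schema:
//   logininfo(Usernames NVARCHAR(64), Salt VARBINARY(16),
//             PasswordHash VARBINARY(32), Iterations INT)
static class Login
{
    const int HashBytes = 32;

    public static bool Verify(SqlConnection conn, string username, string password)
    {
        using (var cmd = conn.CreateCommand())
        {
            // Only the username reaches SQL, and it travels as a parameter, so quotes
            // or keywords in the input are treated as data, never as SQL code.
            cmd.CommandText =
                "SELECT Salt, PasswordHash, Iterations FROM logininfo WHERE Usernames=@username";
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;

            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;            // unknown user
                var salt = (byte[])reader["Salt"];
                var stored = (byte[])reader["PasswordHash"];
                int iterations = (int)reader["Iterations"];

                // Recompute the hash from the submitted password and the stored salt.
                byte[] computed;
                using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA512))
                    computed = kdf.GetBytes(HashBytes);

                // Constant-time comparison, so timing does not reveal how many bytes matched.
                return CryptographicOperations.FixedTimeEquals(computed, stored);
            }
        }
    }

    // Called once at registration: fresh random salt, then the same KDF.
    public static (byte[] salt, byte[] hash) HashNewPassword(string password, int iterations)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA512))
            return (salt, kdf.GetBytes(HashBytes));
    }
}
```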
