Home/ Questions/Q 7931049
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T20:36:33+00:00

I try to check user is exist or not.I try: public static bool GetUser(string

  • 0

I try to check user is exist or not.I try:

public static bool GetUser(string tblName, string UserName,string Password,string Usertype)
        {
            try
            {

                using (SqlConnection con = Connection.GetConnection())
                {
                    using (SqlCommand cmd = con.CreateCommand())
                    {
                       cmd.CommandText = "select count(UserName) from " + tblName + " where Password=" + Password + " and usertype=" + Usertype + " and username="+ UserName + "";
                        object obj = cmd.ExecuteScalar();
                        if (obj != null)
                            return true;
                        return false;
                    }
                }
            }
            catch (Exception ex)
            {
                throw ex;
            }

        }

When I call this method I got a following error.
My Error
connection is successfully established and I call this method like this.

bool Check = UserLogin.GetUser("OnlineCertificationLogin", "admin", "admin", "Admin");

My table structure is

My Table Structure
Unable to find my mistake.Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You’re not quoting the values, so your SQL ends up as:

    select count(UserName) from OnlineCertificationLogin
where Password=admin and usertype=admin and username=Admin

    Don’t fix this by adding quotes. Your code would then work for the sample given, but you’d be vulnerable to SQL injection attacks. Instead, you should fix this using a parameterized query – see SqlCommand.Parameters for more information and an example.

    Although you can’t parameterize the table name, you should make sure that it only ever comes via trusted code – not via user input, for example, as otherwise you’ve got exactly the same SQL injection problem again.

    Note that you also shouldn’t be storing passwords in plain text like that.

    I strongly recommend that you get hold of a book on security – Beginning ASP.NET Security might be up your street. (I have a copy but I confess haven’t read it much – I’ve listened to Barry talking about security though, and he explains it all very clearly.)

    • 0