Home/ Questions/Q 7665373
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T14:32:52+00:00

I’ve found some tutorials on this already, but they aren’t exactly what I’m looking

  • 0

I’ve found some tutorials on this already, but they aren’t exactly what I’m looking for, I can use the following for username fields and password fields

Private Sub UsernameTextBox_KeyPress(ByVal sender As Object, ByVal e As System.Windows.Forms.KeyPressEventArgs) Handles UsernameTextBox.KeyPress
    If Char.IsDigit(e.KeyChar) OrElse Char.IsControl(e.KeyChar) OrElse Char.IsLetter(e.KeyChar) Then
        e.Handled = False
    Else
        e.Handled = True
    End If
End Sub

But for an email field how would I go about protecting against SQL injection for that textbox, as some email accounts have periods or dashes in them?

Update:
Below is an example of an insert statement I use. 

Dim con As SqlConnection
con = New SqlConnection()
Dim cmd As New SqlCommand
 Try
  con.ConnectionString = "Data Source=" & Server & ";Initial Catalog=" & Database & ";User ID=" & User & ";Password=" & Password & ";"
  con.Open()
  cmd.Connection = con
  cmd.CommandText = "INSERT INTO TB_User(STRUserID, password, Email) VALUES('" & UsernameTextBox.Text & "', '" & MD5Hash(PasswordTextBox.Text) & "', '" & EmailTextBox.Text & "')"
  cmd.ExecuteNonQuery()
Catch ex As Exception
  MessageBox.Show("Error while inserting record on table..." & ex.Message, "Insert Records")
Finally
  con.Close()
End Try

So I need to run this with parametrized queries rather than how I’m doing it now?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Instead of filtering out “invalid” data from user input, consider using parametrized queries and not putting user input directly into your queries; that’s very bad form.

    To run your current query using parameters, it’s pretty easy:

    Dim con As New SqlConnection()
Dim cmd As New SqlCommand()

Try
    con.ConnectionString = "Data Source=" & Server & ";Initial Catalog=" & Database & ";User ID=" & User & ";Password=" & Password & ";"
    con.Open()
    cmd.Connection = con
    cmd.CommandText = "INSERT INTO TB_User(STRUserID, password, Email) VALUES(@username, @password, @email)"
    cmd.Parameters.Add("@username", SqlDbType.VarChar, 50).Value = UsernameTextBox.Text
    cmd.Parameters.Add("@password", SqlDbType.Char, 32).Value = MD5Hash(PasswordTextBox.Text)
    cmd.Parameters.Add("@email", SqlDbType.VarChar, 50).Value = EmailTextBox.Text
    cmd.ExecuteNonQuery()
Catch ex As Exception
    MessageBox.Show("Error while inserting record on table..." & ex.Message, "Insert Records")
Finally
    con.Close()
End Try

    All you have to do is use cmd.Parameters.Add with a parameter name and the right database type (the ones I guessed probably don’t match up, so you’ll want to change them), then set the value to the value you want used in the query. Parameter names start with an @.

    • 0