This is my first post here on Stack Overflow. So I just want to ask a question about login authentication using ADO.NET in C#.
So here it goes.
I stumbled upon an eBook called "Syngress – SQL Injection Attacks and Defenses" and I was a bit confused by the example given in the book.
Here is the sample code from the book that I'm confused by:
    SqlConnection con = new SqlConnection(ConnectionString);
    string Sql = "SELECT * FROM users WHERE username=@username" + "AND password=@password";
    cmd = new SqlCommand(Sql, con);
    // Add parameters to SQL query
    cmd.Parameters.Add("@username", // name
                       SqlDbType.NVarChar, // data type
                       16); // length
    cmd.Parameters.Add("@password",
                       SqlDbType.NVarChar,
                       16);
    cmd.Parameters.Value["@username"] = username; // set parameters
    cmd.Parameters.Value["@password"] = password; // to supplied values
    reader = cmd.ExecuteReader();
I'm confused by the "cmd.Parameters.Value" part, because when I try to type it there is no Parameters.Value offered in my IDE.
So what I did is use cmd.Parameters.AddWithValue("?cashieruser", cashieruser); instead of Parameters.Value, because the latter is not found in the IntelliSense of Visual Studio 2010.
Here is my code:
    public bool isAuth(String cashieruser, String cashierpass)
    {
        bool IsAuth = false;
        con.ConnectionString = conString;
        String sql = "SELECT * FROM cashieraccount WHERE cashieruser = ?cashieruser" + "AND cashierpass = ?cashierpass";
        MySqlCommand cmd = new MySqlCommand(sql, con);
        //Add parameters to SQL Query
        cmd.Parameters.Add("?cashieruser", MySqlDbType.VarChar, 35);
        cmd.Parameters.Add("?cashierpass", MySqlDbType.VarChar, 15);
        cmd.Parameters.AddWithValue("?cashieruser", cashieruser);
        cmd.Parameters.AddWithValue("?cashierpass", cashierpass);
        cmd.ExecuteScalar();
        try
        {
            con.Open();
            MySqlDataReader rdr = cmd.ExecuteReader();
            if (rdr.Read())
            {
                IsAuth = true;
            }
            else
                IsAuth = false;
        }
        finally
        {
            con.Close();
        }
        return IsAuth;
    }
So I got an exception: "Parameter '?cashieruser' has already been defined."
So what syntax should I use in order to set the parameters and supply the values?
By the way, I'm using MySQL, which works with ADO.NET.
In your first example there is an error. Parameters is the collection on which to use the index.
The right syntax is:
In the second example you try to add the same parameters two times.
You could combine creation and value setting in just one line, which allows you to remove the AddWithValue lines.
Also, the cmd.ExecuteScalar should be removed.
Run ExecuteReader after the connection is open.
Finally, but this is probably a typo:
In your query text there is no space between the first WHERE condition and the second part of the query. (Really, there is no need to concatenate strings here.)
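Putting the points from this answer together, the following is an added, complete version of the asker's method. It is example code written for this page, not the answerer's code and not the code from the Syngress book. It assumes the MySql.Data connector (MySql.Data.MySqlClient namespace) that the question's MySqlCommand and MySqlDbType types come from, that this connector accepts @-prefixed parameter names (its default; ? also works on the versions that accept the question's syntax), and a cashieraccount table with the two columns named in the question. The connection string in the usage comment is a placeholder.

```csharp
using System;
using MySql.Data.MySqlClient; // assumed provider: MySQL Connector/NET, as used in the question

public sealed class CashierAuthenticator
{
    private readonly string _conString;

    public CashierAuthenticator(string conString)
    {
        _conString = conString;
    }

    // Returns true when a row matches the supplied cashier user name and password.
    public bool IsAuth(string cashieruser, string cashierpass)
    {
        // One literal, with the space before AND that the concatenated version lost.
        // The values never become part of the SQL text: they travel as parameters,
        // which is what closes the injection hole the book's example is about.
        const string sql =
            "SELECT 1 FROM cashieraccount WHERE cashieruser = @cashieruser AND cashierpass = @cashierpass";

        using (var con = new MySqlConnection(_conString))
        using (var cmd = new MySqlCommand(sql, con))
        {
            // Create each parameter and set its value in the same statement, so the
            // parameter is added exactly once (no separate AddWithValue call).
            cmd.Parameters.Add("@cashieruser", MySqlDbType.VarChar, 35).Value = cashieruser;
            cmd.Parameters.Add("@cashierpass", MySqlDbType.VarChar, 15).Value = cashierpass;

            // Equivalent two-step form, for comparison with the book's listing:
            // the indexer lives on the Parameters collection, not on a Parameters.Value member.
            //   cmd.Parameters.Add("@cashieruser", MySqlDbType.VarChar, 35);
            //   cmd.Parameters["@cashieruser"].Value = cashieruser;

            con.Open(); // open first; any Execute* call before Open() throws
            using (MySqlDataReader rdr = cmd.ExecuteReader())
            {
                return rdr.Read(); // a first row means the credentials matched
            }
        } // both using blocks dispose (and so close) even if ExecuteReader throws
    }
}

// Usage (connection string is a placeholder, not a value from the question):
//   var auth = new CashierAuthenticator("Server=localhost;Database=pos;Uid=app;Pwd=<placeholder>;");
//   bool ok = auth.IsAuth(userFromLoginForm, passFromLoginForm);
```

The using blocks replace the question's try/finally around con.Close(), and returning rdr.Read() directly replaces the IsAuth flag. Note that parameterizing the query addresses only the injection risk the book discusses; comparing cashierpass inside the WHERE clause as shown implies the table stores the password in the same form the user typed it, which is a separate storage concern that no parameter syntax fixes.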