c# - Must declare the scalar variable "@UserName"
I have made a simple login that should not crash when a (") is inserted in the browser. I needed to parameterize the query string, and for some reason I am getting an error saying:
Must declare the scalar variable "@UserName"
Here is the code:
    private void DoSqlQuery()
    {
        try
        {
            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RolaConnectionString"].ConnectionString);
            conn.Open();

            string checkUser = "SELECT * FROM UserData WHERE UserName = @UserName";
            SqlCommand com = new SqlCommand(checkUser, conn);
            com.Parameters.AddWithValue("@UserName", txtUserName.Text.Trim());
            int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
            conn.Close();

            if (temp == 1)
            {
                conn.Open();
                string checkPassword = "SELECT Password FROM UserData WHERE UserName = @UserName";
                SqlCommand passConn = new SqlCommand(checkPassword, conn);
                com.Parameters.AddWithValue("@UserName", txtUserName.Text.Trim());
                string password = passConn.ExecuteScalar().ToString();
                conn.Close();

                if (password == txtPassword.Text)
                {
                    Session["New"] = txtUserName.Text;
                    Response.Write("Password correct");
                    Response.Redirect("~/LoggedIn.aspx");
                }
                else
                {
                    Response.Write("Password not correct");
                }
            }
            else
            {
                Response.Write("Username not correct");
            }
        }
        catch (Exception e)
        {
            Response.Write(e.ToString());
        }
    }
You are referencing the wrong command in the inner if statement:

    string checkPassword = "SELECT Password FROM UserData WHERE UserName = @UserName";
    SqlCommand passConn = new SqlCommand(checkPassword, conn);
    com.Parameters.AddWithValue("@UserName", txtUserName.Text.Trim());
    ^^^-- should be passConn
As a result, the second command never gets the parameter added, hence the error you mention. Case sensitivity may also be a problem, depending on the collation of the database; SQL Server is case-insensitive by default.
Some other suggestions not related to the problem:
- Wrap the commands and the connection in using statements.
- Query username and password in one query (WHERE UserName = @UserName AND Password = @Password). Hackers first search for valid usernames, then try to hack the password using dictionary attacks. Trying to find a matching combination is much harder.
- Do not store passwords in plain text; use a salted hash.
- Or use the built-in security providers rather than rolling your own.
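Putting the answer's points together (parameter added on the command that actually runs, using blocks, a single query per login attempt, salted hashing instead of plain-text passwords), here is an added example. It is not code from the question or the answer. It assumes a hypothetical UserData table with UserName, PasswordHash, Salt and Iterations columns, and reuses the RolaConnectionString name from the question; the column names and the PBKDF2 choice are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example, not the asker's or answerer's code.
// Assumed (hypothetical) schema:
//   UserData(UserName NVARCHAR(50), PasswordHash VARBINARY(32), Salt VARBINARY(16), Iterations INT)
public static class LoginCheck
{
    private const int HashBytes = 32;

    // Returns true only if a row exists for the user name AND the password matches its salted hash.
    // Unknown user and wrong password both return false, so the caller cannot tell them apart
    // (the same property the answer's single "WHERE UserName = ... AND Password = ..." query gives).
    public static bool VerifyLogin(string userName, string password)
    {
        const string sql =
            "SELECT PasswordHash, Salt, Iterations FROM UserData WHERE UserName = @UserName";

        string connStr = ConfigurationManager.ConnectionStrings["RolaConnectionString"].ConnectionString;

        // using disposes the connection, command and reader even if an exception is thrown.
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The parameter is added on the SAME command object that executes the query.
            // Typed Add avoids AddWithValue guessing the SQL type from the .NET value.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName.Trim();

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                    return false; // no such user

                byte[] storedHash = (byte[])reader["PasswordHash"];
                byte[] salt = (byte[])reader["Salt"];
                int iterations = reader.GetInt32(reader.GetOrdinal("Iterations"));

                byte[] candidate = Pbkdf2(password, salt, iterations);
                return FixedTimeEquals(candidate, storedHash);
            }
        }
    }

    // Salted PBKDF2 via Rfc2898DeriveBytes (ships with .NET Framework).
    public static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashBytes);
    }

    // Used at registration: random salt + hash are what gets stored in UserData,
    // never the password itself.
    public static void CreateCredential(string password, int iterations, out byte[] salt, out byte[] hash)
    {
        salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        hash = Pbkdf2(password, salt, iterations);
    }

    // Compare every byte regardless of where the first mismatch is,
    // so response time does not leak how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the page's code-behind this replaces the two-query check: call `LoginCheck.VerifyLogin(txtUserName.Text, txtPassword.Text)` and, only on true, set `Session["New"]` and redirect; on false write one generic "login failed" message rather than separate "username not correct" and "password not correct" responses, which would hand an attacker the username enumeration the answer warns about.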