
Secure your .NET login panel from SQL injection

Tips:

  •  Where do you close the connection?
  •  Never use "Select *" (naming the columns is better; you can also use Count to get back just one value, which is better than listing column names if you only want to test whether the row exists or not).
  •  If you only want one value back, use ExecuteScalar instead of ExecuteReader, for example.
Example:

using System;
using System.Data.SqlClient;

// button_click: just call the method :)
protected void btnLogin_Click(object sender, EventArgs e)
{
    if (UserExists(txtName.Text, txtPass.Text))
    {
        // ok :)
    }
    else
    {
        // error :(
    }
}

// method: test if login name & login password exist or not
// (connectionString, txtName and txtPass are your page's own field/control names)
private bool UserExists(string name, string pass)
{
    // "using" closes the connection for you, even when an exception is thrown
    using (SqlConnection con = new SqlConnection(connectionString))
    using (SqlCommand cmd = new SqlCommand(
        "select Count(name) from users where name=@names and pass=@passs", con))
    {
        // now we will use SqlParameters (it is a good method to test :) )
        cmd.Parameters.AddWithValue("@names", name);
        cmd.Parameters.AddWithValue("@passs", pass);

        con.Open();
        object count = cmd.ExecuteScalar();   // one value back, so ExecuteScalar
        return (count != null) && (Convert.ToInt32(count) >= 1);
    }
}
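To see why the parameters matter, here is an added example (not from the original post) that builds the same login query both ways and prints what would actually be sent to SQL Server. It assumes System.Data.SqlClient (.NET Framework, or the System.Data.SqlClient NuGet package on .NET Core) and uses the typed Parameters.Add overload rather than AddWithValue; no database is opened, only the command objects are built, so it runs offline.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

class LoginQueryDemo
{
    // The way NOT to build the login query: the user's input is glued into the
    // SQL text, so whatever they type becomes part of the statement itself.
    static SqlCommand BuildConcatenated(string name, string pass)
    {
        string sql = "select Count(name) from users where name='" + name +
                     "' and pass='" + pass + "'";
        return new SqlCommand(sql);
    }

    // The way the post recommends: fixed SQL text, input attached as parameters.
    // SQL Server gets the statement and the values separately, so a quote in the
    // input stays a character inside the value and never becomes SQL syntax.
    // (Parameters.Add with an explicit type/size is used here instead of
    // AddWithValue, so the parameter type does not depend on the .NET value.)
    static SqlCommand BuildParameterized(string name, string pass)
    {
        SqlCommand cmd = new SqlCommand(
            "select Count(name) from users where name=@names and pass=@passs");
        cmd.Parameters.Add("@names", SqlDbType.NVarChar, 50).Value = name;
        cmd.Parameters.Add("@passs", SqlDbType.NVarChar, 50).Value = pass;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input: a perfectly ordinary name that happens to
        // contain an apostrophe, as a real user named O'Brien would type it.
        string name = "O'Brien";
        string pass = "secret";

        SqlCommand bad = BuildConcatenated(name, pass);
        Console.WriteLine("concatenated : " + bad.CommandText);
        // The apostrophe has already changed the statement's syntax; SQL Server
        // would reject this query, and other input could change its meaning.

        SqlCommand good = BuildParameterized(name, pass);
        Console.WriteLine("parameterized: " + good.CommandText);
        foreach (SqlParameter p in good.Parameters)
            Console.WriteLine("  " + p.ParameterName + " = " + p.Value);
        // CommandText is exactly the text we wrote; the name travels in @names
        // as plain data, apostrophe included.
    }
}
```

Run it as a console project: the first line shows the broken statement produced by concatenation, the second shows that the parameterized CommandText never changes no matter what the user typed, which is the whole point of the post's SqlParameters advice.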

By Drupal Study