EMail\SQLError


gh

Below is the from part of an sql statement. When the query is fired
from the web page I get the following error. How do I work around this?

Thanks

Token unknown - line 1, char 67 @

from USERLOGIN WHERE LOGIN= " +aEmail+ " AND PSSWORD=
 
gh said:
Below is the from part of an sql statement. When the query is fired
from the web page I get the following error. How do I work around this?

Thanks

Token unknown - line 1, char 67 @

from USERLOGIN WHERE LOGIN= " +aEmail+ " AND PSSWORD=

You should use a prepared statement or a stored procedure. The way you
build the sql command is open to sql injection. Just think what'll
happen if "aEmail" is: ..."; delete from userlogin;"... or something
like that.

Best,
Hilmar
 
Try using single quotes around the variable in your where clause.

Example:

from USERLOGIN WHERE login ='" + aEmail + "'

I assume aEmail is a string variable in your .net code.

Regards,
Augustin
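Added example, not code from the thread: the login lookup written as the parameterized ADO.NET command Hilmar recommends, which also removes the quoting problem Augustin's fix addresses, because the value of aEmail (including its '@', the token the error complains about) is bound as data and never parsed as SQL text. It assumes the caller already has an open IDbConnection; the class and method names are made up for the example, and the @name parameter marker is the SqlClient style, so a provider that uses ? or :name needs that changed.

```csharp
using System;
using System.Data;

// Added example: the USERLOGIN/LOGIN/PSSWORD names come from the thread,
// everything else (class name, method name, @login/@pwd markers) is assumed.
public static class LoginCheck
{
    // Returns true when a row matches the login/password pair.
    // Both values travel as parameters, so a quote, a ';' or an '@' inside
    // them is compared as literal text instead of becoming part of the statement.
    public static bool UserExists(IDbConnection conn, string aEmail, string aPassword)
    {
        if (conn == null) throw new ArgumentNullException("conn");
        if (conn.State != ConnectionState.Open)
            throw new InvalidOperationException("connection must be open");

        using (IDbCommand cmd = conn.CreateCommand())
        {
            // No string concatenation: the markers are filled in by the provider.
            cmd.CommandText =
                "SELECT COUNT(*) FROM USERLOGIN WHERE LOGIN = @login AND PSSWORD = @pwd";

            IDbDataParameter login = cmd.CreateParameter();
            login.ParameterName = "@login";
            login.DbType = DbType.String;
            login.Value = aEmail ?? string.Empty;
            cmd.Parameters.Add(login);

            IDbDataParameter pwd = cmd.CreateParameter();
            pwd.ParameterName = "@pwd";
            pwd.DbType = DbType.String;
            pwd.Value = aPassword ?? string.Empty;
            cmd.Parameters.Add(pwd);

            // ExecuteScalar returns the single COUNT(*) cell.
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }
}
```

Call it with the open connection object of whichever ADO.NET provider you use (for example a SqlConnection); an input such as Hilmar's `"; delete from userlogin;` then simply matches no row, and nothing is deleted.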
 