help me plz


sara_222

Hello all,
Please, I have the following code, which takes a student ID and
password, then checks whether the ID is found and whether the password
is correct. If the password and ID are both correct, the student can log in
to the system; if the password is wrong, he can try 3 times; if the ID is
not recognized, the terminal is locked for 5 minutes.
When I compiled the code, the error message appeared on
dr=cm.ExecuteReader
I don't know what the problem with the SQL command is.
code
...............
Imports System.Data.SqlClient

Public Sub Log(ByVal num As Integer, ByVal pass As String)
    Dim cnn As New SqlConnection("server=(local);database=db1;Trusted_Connection=yes")
    ' The query names a parameter @num, but nothing below adds it to cm.Parameters,
    ' so ExecuteReader fails with "Must declare the variable '@num'".
    Dim cm As New SqlCommand("select * from student where id=@num", cnn)
    Dim dr As SqlDataReader
    cnn.Open()
    dr = cm.ExecuteReader()
    ' The return value of Read() is not checked: with no matching row, dr("id") throws.
    dr.Read()
    If dr("id") = num Then
        If dr("pass") = pass Then
            MsgBox("login")
        Else
            MsgBox("invalid password")
        End If
    Else
        MsgBox("Id is not recognized")
    End If
    dr.Close()
End Sub
......................
Please help me, I am a student and this is a course project.
Thanks,
sara
Posted at: http://www.groupsrv.com
 
Hi sara,

Change
Dim cm As New SqlCommand("select * from student where id=@num", cnn)

to

Dim cm As New SqlCommand("select * from student where id=" & num.ToString, cnn)

HTH

Elton Wang
(e-mail address removed)
 
Please don't do that!

Dim cm As New SqlCommand("select * from student where id=@num", cnn)
' Bind the value separately from the SQL text. AddWithValue is the .NET 2.0+ form;
' Parameters.Add("@num", num) is the .NET 1.x overload and is now obsolete.
cm.Parameters.AddWithValue("@num", num)

Search Google for SQL injection attack.

Also look into using the Data Access Application Block (DAAB) from
Microsoft.
 
Hi Jim,

It's a good point. If field id is of type char or varchar
(or something similar), it's better to use a parameter. For
type int, there is no large difference.

HTH

Elton Wang
 
Consistently doing things the correct way is the key to success.

The OP was using a parameterized query, but just missed adding the
parameter.

In this case, however, as you pointed out, the only thing saving this from
a SQL injection attack was the ByVal num As Integer function argument. That
may not have been obvious to the OP for the next function, where they were
passing in the username as a string instead of the ID.
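
Jim's two posts make one point: the Integer type of num, not the query text, was all that kept the concatenated form safe, and a string field such as the username or password gets no such protection. As an added example (not code from the thread; it translates the two ADO.NET forms into Python against an in-memory SQLite database, with a constructed student table and constructed payloads), here is each form run against a legitimate login, an injected password, and an injected id:

```python
import sqlite3


def make_db():
    """Constructed stand-in for the thread's `student` table (assumption:
    an integer `id` column and a text `pass` column, as the OP's query implies)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, pass TEXT)")
    conn.executemany("INSERT INTO student VALUES (?, ?)",
                     [(1001, "s3cret"), (1002, "hunter2")])
    return conn


def login_concat(conn, num, pw):
    """Elton's pattern: splice the values into the SQL text.
    Whatever the caller passes becomes part of the statement."""
    sql = ("SELECT id FROM student WHERE id=" + str(num)
           + " AND pass='" + pw + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, num, pw):
    """Jim's pattern: placeholders in the SQL, values bound separately.
    The driver compares the bound values as data, never as SQL."""
    sql = "SELECT id FROM student WHERE id=? AND pass=?"
    return conn.execute(sql, (num, pw)).fetchone() is not None


def int_guard_rejects_payload():
    """Jim's observation that only `ByVal num As Integer` protected the OP:
    coercing the id to int (the Python equivalent) rejects a SQL payload
    before it can be concatenated."""
    try:
        int("1001 --")
    except ValueError:
        return True
    return False


def demo():
    conn = make_db()
    bypass_pw = "' OR '1'='1"   # constructed payload for the password field
    bypass_id = "1001 --"       # constructed payload for an id passed as text
    return {
        # legitimate credentials succeed either way
        "concat_valid": login_concat(conn, 1001, "s3cret"),
        "param_valid": login_param(conn, 1001, "s3cret"),
        # concatenation: the password payload rewrites the WHERE clause
        "concat_pw_payload": login_concat(conn, 1001, bypass_pw),
        # concatenation: a text id with a comment marker drops the password check
        "concat_id_payload": login_concat(conn, bypass_id, "wrong"),
        # parameters: the same payloads are compared as literal values and fail
        "param_pw_payload": login_param(conn, 1001, bypass_pw),
        "param_id_payload": login_param(conn, bypass_id, "wrong"),
    }


if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name:20s} -> {'login' if logged_in else 'rejected'}")
    print("int() guard blocks the id payload:", int_guard_rejects_payload())
```

With concatenation the password payload turns the filter into `id=1001 AND pass='' OR '1'='1'`, and the text id `1001 --` comments out the password check entirely; the parameterized form rejects both because the payloads never reach the SQL parser. The int() guard shows why the OP's Integer argument happened to block the id case, and why that accident does not carry over to string fields.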
 
Use a parameterized query instead of thinking that since it's an integer I can
pass it like
Dim cm As New SqlCommand("select * from student where id=" & num.ToString, cnn)


Better to do it first time and always

Thanks
Anubhav
 