help me plz

S

sara_222

Hello all,
plz , i have the following code , which take student id and
passowrd,then check the id if it is found ,check password if it is
tru, if the password and id are true,the student can log in the
system, if the password if false ,he can try 3 times,if the id is not
recognized,the terminal is locked for 5 minutes.
when i compiled the code, the error message appered on the
dr=cm.executereader
i didn't know what is the problem with sql command.
code
...............
public sub log(byval num as integer,byval pass as string)
Dim cnn As New
SqlConnection("server=(local);database=db1;Trusted_Connection=yes")
Dim cm As New SqlCommand("select * from student where id=@num", cnn)
Dim dr As SqlDataReader
cnn.Open()
dr = cm.ExecuteReader
dr.Read()
If dr("id") = num Then
If dr("pass") = pass Then
MsgBox("login")
Else
MsgBox("invalid password")
End If
Else
MsgBox("Id is not recognized")
End If
dr.Close()
end sub
......................
plz help me , i am student and this is course project
Thankx
sara
Posted at: http://www.groupsrv.com
 
E

Elton Wang

Hi sara,

Change
Dim cm As New SqlCommand("select * from student where
id=@num", cnn)

to

Dim cm As New SqlCommand("select * from student where id="
& num.ToString, cnn)

HTH

Elton Wang
(e-mail address removed)
 
J

Jim Hughes

Please don't do that!

Dim cm As New SqlCommand("select * from student where id=@num")
cm.Parameters.Add("@num", num)

Search Google for SQL injection attack.

Also look into using the Data Access Application Block (DAAB) from
Microsoft.
 
E

Elton Wang

Hi Jim,

It's a good point. If field id is type of char or varchar
(or something similar), it's better to use parameter. For
type int, there is no large difference.

HTH

Elton Wang
 
J

Jim Hughes

Consistently doing things the correct way is the key to success.

The OP was using a parameteriezed query, but just missed adding the
parameter.

In the case however, as you pointed out, the only thing saving this from
SQL injection attack was the byval num as integer function argument. That
may not have been obvious to the OP for the next function where they were
passing in the username as a string instead of the ID.
 
A

Anubhav Mishra

Use parameterized query instead of thinking that its an integer I can pass
it like
Dim cm As New SqlCommand("select * from student where id="
& num.ToString, cnn)


Better to do it first time and always

Thanks
Anubhav
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Datareader passed ByVal - OOP Basics question 2
Appropriate Query ? 2
OldDb Connection 2
I want to take List of Datatables with ADODB using VB.Net.. 3
Plz,I need your help 7
Instance failure on VB but not C# 2
Need help with LINQ Query 12
Databinding problem with sqlhelper.executereader and a dropdownlist in VB.NET 0

Top