0

I am designing a register form. The following is my codes: but after I do it, then the SQL table display is not the user's data....? The database table display &username&, &password& (username, password...are textboxes name)

Protected Sub btnOK_Click(sender As Object, e As EventArgs) Handles btnOK.Click       
        Dim Conn As SqlConnection = New SqlConnection(".....")
        Conn.Open()
        Dim sqlstr As String = "Insert Into user_profile(username,password,nickname,realname,email) Values('" & username.Text & "','" & password.Text & "','" & nickname.Text & "','" & realname.Text & "','" & email.Text & "')"
        Dim cmd As New SqlCommand(sqlstr, Conn)
        cmd.ExecuteNonQuery()

        cmd.Cancel()
        Conn.Close()
        Conn.Dispose()

    End Sub
jbutler483
  • 24,074
  • 9
  • 92
  • 145
Jerry Lin
  • 3
  • 3
  • You should really think of using SqlParameters, do not concatenate. – the_lotus Dec 03 '14 at 15:36
  • Hi. My username is `DROP TABLE user_profile; --` **Note** Don't use my username. [SQLI](http://en.wikipedia.org/wiki/SQL_injection) – jbutler483 Dec 03 '14 at 15:36
  • A part from the Sql Injection issue, check if [this question/answer](http://stackoverflow.com/questions/17147249/why-saving-changes-to-a-database-fails/17147460#17147460) applies to your situation – Steve Dec 03 '14 at 15:37
  • Little Bobby Tables? – Jeremy Dec 03 '14 at 15:48

1 Answers1

0

Ok, first, I'll take a stab at your question. Then, we NEED to talk about SQL Injections.

Try this: 

Dim MyValues as String = String.Format("'{0}', '{1}', '{2}', '{3}', '{4}'", username.Text, password.Text, nickname.Text, realname.Text, email.Text )

Dim sqlstr As String = "Insert Into user_profile(username,password,nickname,realname,email) Values(MyValues)"

(I've not tested that code. Watch for syntax errors.)

Now, that having been said, it is VITAL that you understand the danger of the way you are trying to do this. The serious problem here is that you are wide open to a SQL Injection attack. Google it. But in short, using this approach, someone can put commands like 'drop table' into your textbox, and those commands will be executed in your database.

The proper way to do this would be to create a stored procedure that contains the INSERT statement, and then pass your values to it with parameters. The web is littered with tutorials on how to do this. You'll find one easy enough.

Good luck!

Casey Crookston
  • 13,016
  • 24
  • 107
  • 193