-2

This is the code I am trying to use:

        MySqlCommand cmd = new MySqlCommand();
        cmd.Connection = conn;

        cmd.CommandText = "insert into student_logintable.login_table(username,password) values = '"+txtusernew.Text.Trim()"','"+txtpasswordnew.Text.Trim()"'";
        cmd.Parameters.Add("username", MySqlDbType.VarChar).Value = " + txtusernew.Text.Trim() ";
        cmd.Parameters.Add("password", MySqlDbType.VarChar).Value = " + txtpasswordnew.Text.Trim()";
        cmd.ExecuteNonQuery();
  • Is there a hidden question somewhere? – Sudipta Mondal Jul 19 '17 at 13:10
  • What is the problem? – Wasim K. Memon Jul 19 '17 at 13:12
  • I feel the urge to tell you to **never store passwords in plain text**! In fact, **never store passwords in any way**! There is basically always a better and more secure way to work with login data (hashed and salted). See https://stackoverflow.com/a/1054033/1336590 for further information. – Corak Jul 19 '17 at 13:23

2 Answers

0

I believe the INSERT statement doesn't use a = sign for attribution.

    cmd.CommandText = "INSERT INTO student_logintable.login_table(username, password) VALUES ('" + txtusernew.Text.Trim() + "', '" + txtpasswordnew.Text.Trim() + "')";

Croves
  • It's worth mentioning that your code sample allows for SQL Injection by directly concatenating the input values into the SQL command. Parameters are definitely a necessity but you are absolutely right about the INSERT statement – Ortund Jul 19 '17 at 13:24
0

It doesn't look to me like you're really formatting your parameter addition very well.

I'd recommend using Parameters.AddWithValue. Have a look:

    cmd.Parameters.AddWithValue("username", txtusernew.Text.Trim());

You do need to include the @ in the parameter name when you create it though:

    cmd.Parameters.AddWithValue("@username", txtusernew.Text.Trim());

Your insert statement is also incorrect. Remember, the format is:

    INSERT INTO [table_name] ([column_name], ...) VALUE|VALUES([value], ...)

So your insert statement (with parameters) should look more like this:

    cmd.CommandText = "insert into student_logintable.login_table(username,password) values(@username, @password)";

Ortund
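
The points raised in the answers and comments above, combined in one added example (not code from the question or from either answer): a parameterized INSERT that stores a salted PBKDF2 hash instead of the plain password. It assumes .NET 6 or later, the MySql.Data connector, and a `password` column wide enough for the roughly 80-character encoded value; `LoginStore`, `HashPassword`, `VerifyPassword` and `AddUser` are hypothetical names, and the iteration count is an assumed work factor.

```csharp
using System;
using System.Security.Cryptography;
using MySql.Data.MySqlClient;

static class LoginStore
{
    // Assumed sizes and work factor; tune Iterations to your hardware.
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100_000;

    // Returns "iterations.salt.hash" (Base64 parts) so the stored value is self-describing.
    public static string HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Parameterized INSERT: the SQL text is constant, user input travels only as values.
    public static void AddUser(string connectionString, string username, string password)
    {
        using var conn = new MySqlConnection(connectionString);
        conn.Open();
        using var cmd = new MySqlCommand(
            "INSERT INTO student_logintable.login_table (username, password) " +
            "VALUES (@username, @password)", conn);
        cmd.Parameters.Add("@username", MySqlDbType.VarChar).Value = username.Trim();
        cmd.Parameters.Add("@password", MySqlDbType.VarChar).Value = HashPassword(password);
        cmd.ExecuteNonQuery();
    }
}
```

At login, read the stored value for the username with another parameterized query and pass it to `VerifyPassword`; the plain password is never written to the table.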