
I am currently working on a Sign In page for a project and I am having issues with this exception. ('Invalid column name 'password01'.) I am using Microsoft SQL and here is the select statement I am using in my C# code that is throwing this exception when executed.

```csharp
"SELECT [First Name], [Last Name], [SportID], [Occupation] FROM Employee WHERE [Username] = "
+ tbxUsername.Text
+ " AND [Password] = "
+ tbxPassword.Text;
```
Nic Bowles
  • The password01 is one of the passwords used in the Employee table – Nic Bowles Dec 12 '21 at 13:55
  • Your tbxUsername is vulnerable to SQL injection. See this page for some nice examples. https://www.c-sharpcorner.com/UploadFile/0926bc/sql-injection/ – Stefan Dec 12 '21 at 14:00
  • ... also, I hope you don't store passwords in plain text there. – PMF Dec 12 '21 at 14:01
  • Stop, start over. Use parameters, do not store passwords in plain text. If you are working in the context of a web application, look at your framework's features for authentication and account management rather than rolling your own. (And look at Dapper while you're at it for an easy, type-safe way to do SQL -- with parameters.) – Jeroen Mostert Dec 12 '21 at 14:02
  • You are missing the closing ". – PMF Dec 12 '21 at 14:02
  • Why are you injecting your parameters and why are you storing plain text passwords? The 2 combined are some of the most common, well known, and *easiest* to address vulnerabilities; fix your code and design before you suffer major security breaches. Use parameters, and hash and salt your passwords. – Thom A Dec 12 '21 at 14:02
  • Please read [Back to basics: SQL Injection](https://zoharpeled.wordpress.com/2020/07/16/back-to-basics-sql-injection/) and [Salted Password Hashing - Doing it Right](https://crackstation.net/hashing-security.htm) – Zohar Peled Dec 12 '21 at 14:12
  • The simple answer is you need to quote the text values in the where clause: `WHERE [Username] = '" + tbxUsername.Text + "' AND [Password] = '" + tbxPassword.Text + "'";` - but that's just putting a Band-Aid on a mortal wound. The better answer is to read the other comments and use a parametrized query. – Metro Smurf Dec 12 '21 at 14:17
  • Does this answer your question? [Why do we always prefer using parameters in SQL statements?](https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements) – Thom A Dec 12 '21 at 15:01
  • Does this answer your question? [Why should I care about hashing passwords anyway?](https://stackoverflow.com/questions/287597/why-should-i-care-about-hashing-passwords-anyway) – Thom A Dec 12 '21 at 15:02
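The comments above make two separate points: the concatenated string is parsed as SQL, so quote characters in the text boxes change the statement (that is also why the unquoted value `password01` was read as a column name), and the `[Password]` column holds plain text. The following is an added example, not code from the question or any commenter, showing both fixes together in C#: a `SqlParameter` for the username, and a salted PBKDF2 hash verified in the application instead of sending the password to the database. It assumes `Microsoft.Data.SqlClient`, .NET 6 or later, and that the `Employee` table has been altered to store `PasswordHash` and `PasswordSalt` as `VARBINARY` columns in place of `[Password]`; the iteration count is an assumed value.

```csharp
// Added example; not the original poster's code. Assumes Microsoft.Data.SqlClient,
// .NET 6+, and an Employee table with [PasswordHash] and [PasswordSalt] VARBINARY
// columns instead of the plain-text [Password] column from the question.
using System;
using System.Data;
using System.Security.Cryptography;
using Microsoft.Data.SqlClient;

public sealed class EmployeeSignIn
{
    private const int Iterations = 600_000;   // PBKDF2-SHA256 work factor (assumed value)
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private readonly string _connectionString;

    public EmployeeSignIn(string connectionString) => _connectionString = connectionString;

    // Hardened sign-in: the username travels as a typed parameter, so nothing typed into
    // the text box is ever interpreted as SQL. The password itself is not sent to the
    // database; only the stored salt and hash are read back and checked here.
    public (string FirstName, string LastName)? SignIn(string username, string password)
    {
        const string sql =
            "SELECT [First Name], [Last Name], [PasswordHash], [PasswordSalt] " +
            "FROM Employee WHERE [Username] = @username";

        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;

        conn.Open();
        using var reader = cmd.ExecuteReader();
        if (!reader.Read())
            return null;                      // unknown user: same outcome as a wrong password

        var storedHash = (byte[])reader["PasswordHash"];
        var storedSalt = (byte[])reader["PasswordSalt"];

        if (!VerifyPassword(password, storedSalt, storedHash))
            return null;

        return (reader.GetString(0), reader.GetString(1));
    }

    // Called when an account is created or its password changed: fresh random salt, then PBKDF2.
    // Store both values in the row; the salt is not secret, the hash is what gets compared.
    public static (byte[] Hash, byte[] Salt) HashPassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return (hash, salt);
    }

    // Recompute the hash from the candidate password and compare in constant time,
    // so the comparison's duration does not leak how many leading bytes matched.
    public static bool VerifyPassword(string password, byte[] salt, byte[] expectedHash)
    {
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, expectedHash.Length);
        return CryptographicOperations.FixedTimeEquals(candidate, expectedHash);
    }
}
```

From the sign-in form this replaces the concatenated string with `new EmployeeSignIn(connectionString).SignIn(tbxUsername.Text, tbxPassword.Text)`, and a `null` result is treated as a failed login without distinguishing an unknown user from a wrong password. Existing plain-text rows have to be migrated by running `HashPassword` over each one once, after which the `[Password]` column can be dropped.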

0 Answers