-4

Try to parameterize this code.

    string sql = "SELECT COUNT(*) AS count FROM users WHERE username ='" + username + "' AND password='"+ password + "';";
    MySqlCommand cmd = new MySqlCommand(sql, conn);

    MySqlDataReader rdr = cmd.ExecuteReader();
Alexei Levenkov
  • 98,904
  • 14
  • 127
  • 179
Sherpa11
  • 153
  • 1
  • 1
  • 14
  • 2
    Side note, please don't store passwords at all, store hashes of the password along with a salt. If you can change this, do it now. – Trevor Mar 07 '22 at 15:03
  • 1
    what have you [***tried yourself***](https://idownvotedbecau.se/noattempt/) so far? what problems did you encounter? what have you researched? please **edit** your question to include more information. i recommend [taking the tour](https://stackoverflow.com/tour), as well as reading [how to ask a good question](https://stackoverflow.com/help/how-to-ask) and [what's on topic](https://stackoverflow.com/help/on-topic). stackoverflow is ***no*** free code writing service, and information about how to use parameterised queries are ***very plentiful*** if you look for it. – Franz Gleichmann Mar 07 '22 at 15:04
  • 1
    @fubo I strongly believe the DV'ing wasn't because there's *more than one way to solve this*, rather the OP didn't show any research on this (just my thought). – Trevor Mar 07 '22 at 15:18
  • @Trevor but he already has working code, he wants to improve – fubo Mar 07 '22 at 15:19
  • That's fine, I would consider the advice that Franz suggested above. Again, that was my thought as to why the DV's... Also it may be appropriate to head over to [CodeReview](https://codereview.stackexchange.com/) and post there as well. – Trevor Mar 07 '22 at 15:21

2 Answers2

1
string sql = "SELECT COUNT(*) AS count FROM users WHERE username = @username  AND password= @password";
using (MySqlCommand cmd = new MySqlCommand(sql, conn)
{
    cmd.Parameters.Add("@username", MySqlDbType.VarChar).Value =  username;
    cmd.Parameters.Add("@password", MySqlDbType.VarChar).Value =  password;
    int result = (int)cmd.ExecuteScalar();
}
fubo
  • 44,811
  • 17
  • 103
  • 137
  • 2
    `AddWithValue` will infer the datatype... It's best to call `Add` with the data type, length etc... Also worth noting (mainly for OP), not related to the post, but a reader doesn't need to be used, [ExecuteScalar](https://dev.mysql.com/doc/dev/connector-net/6.10/html/M_MySql_Data_MySqlClient_MySqlCommand_ExecuteScalar.htm) would be a good choice for this. – Trevor Mar 07 '22 at 15:08
  • @Trevor I've changed this - do you have a reference for your claim? – fubo Mar 07 '22 at 15:12
  • 1
    Sure, here are a few: https://www.dbdelta.com/addwithvalue-is-evil/#:~:text=The%20guesses%20AddWithValue%20makes%20can,converted%20to%20the%20higher%20type. or https://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/ A simple test case can be set up as well to see this. – Trevor Mar 07 '22 at 15:15
  • @Trevor Matters a lot less on MySQL as compared to SQL Server – Charlieface Mar 07 '22 at 16:04
  • Trying this without luck. – Sherpa11 Mar 07 '22 at 16:42
  • @ShaneP what was the error? – fubo Mar 08 '22 at 06:02
-1

Taken from:

https://csharp-station.com/Tutorial/AdoDotNet/Lesson06

"

class ParamDemo
{
    static void Main()
    {
        // conn and reader declared outside try
        // block for visibility in finally block
        SqlConnection conn   = null;
        SqlDataReader reader = null;

        string inputCity = "London";
        try
        {
            // instantiate and open connection
            conn =  new 
                SqlConnection("Server=(local);DataBase=Northwind;Integrated Security=SSPI");
            conn.Open();

            // don't ever do this
            // SqlCommand cmd = new SqlCommand(
            // "select * from Customers where city = '" + inputCity + "'";

            // 1. declare command object with parameter
            SqlCommand cmd = new SqlCommand(
                "select * from Customers where city = @City", conn);

            // 2. define parameters used in command object
            SqlParameter param  = new SqlParameter();
            param.ParameterName = "@City";
            param.Value         = inputCity;

            // 3. add new parameter to command object
            cmd.Parameters.Add(param);

            // get data stream
            reader = cmd.ExecuteReader();

            // write each record
            while(reader.Read())
            {
                Console.WriteLine("{0}, {1}", 
                    reader["CompanyName"], 
                    reader["ContactName"]);
            }
        }
        finally
        {
            // close reader
            if (reader != null)
            {
                reader.Close();
            }

            // close connection
            if (conn != null)
            {
                conn.Close();
            }
        }
    }
}

"

Morten Bork
  • 1,413
  • 11
  • 23