Afr0m@n

SQL Server Express 2005 confusing...


Ok, I've downloaded SQL Server 2005 Express + Database management tool, and it's confusing as #¤%(¤%(/ ! I've created a table with two rows, which are named "AccountName" and "AccountPassword" respectively. What I want to achieve for starters is to be able to create accounts manually but also have a function of sorts that creates accounts automatically based on that table. I also need to be able to query the database from C# to figure out if an account exists and whatnot. I've searched for tutorials about using the database management tool, but I can't find anything that seems to describe what I want to do. Can someone please help?

*shrug* Something like this I guess

using System;
using System.Data.SqlClient;

// [ConnectionString] is the placeholder from the post; fill in your own.
SqlConnection conn = new SqlConnection([ConnectionString]);

public bool Login(string name, string pass)
{
// Query text is built by string concatenation of the caller's values.
SqlCommand cmd = new SqlCommand("select * from Account where AccountName='" + name + "' and AccountPassword='" + pass + "'", conn);
conn.Open();
// ExecuteScalar returns the first column of the first row, or null if no row matched.
Object result = cmd.ExecuteScalar();
conn.Close();
if (result != null)
return true;
else
return false;
}

Quote:
Original post by CadetUmfer

SqlCommand cmd = new SqlCommand("select * from Account where AccountName='" + name + "' and AccountPassword='" + pass + "'", conn);


Using the plus operator to tack on the variables is a bad thing (SQL Injection Attacks may be easier to perform), plus it makes the code really confusing if there are many variables being passed in. You should use SqlParameters.


public bool Login(string name, string pass)
{
// @UID and @PWD are placeholders; the values travel separately and are never parsed as SQL.
SqlCommand cmd = new SqlCommand("select * from Account where AccountName=@UID and AccountPassword=@PWD", conn);

cmd.Parameters.Add(new SqlParameter("@UID", name));
cmd.Parameters.Add(new SqlParameter("@PWD", pass));

conn.Open();
// ExecuteScalar returns the first column of the first row, or null if no row matched.
Object result = cmd.ExecuteScalar();
conn.Close();

if (result != null)
return true;
else
return false;
}


See how much cleaner that makes the SQL string look. Now you can even define the string as a constant if you need to use it elsewhere in your code.

Bill
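Carrying Bill's parameter approach over to the rest of the original question (does an account exist, create one, log in), here is an added example that is not from this thread. It assumes an Account table whose AccountName and AccountPassword columns are nvarchar(50), a connection string you supply, and a UNIQUE constraint on AccountName so duplicate inserts fail at the database rather than racing the existence check.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class AccountStore
{
    private readonly string connectionString; // supplied by the caller (assumption)

    public AccountStore(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Runs a COUNT(*) query with every caller value bound as a typed parameter,
    // so a name containing quotes is compared literally, never executed as SQL.
    private int CountRows(string sql, string name, string pass)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UID", SqlDbType.NVarChar, 50).Value = name;
            if (pass != null)
                cmd.Parameters.Add("@PWD", SqlDbType.NVarChar, 50).Value = pass;
            conn.Open();
            return (int)cmd.ExecuteScalar(); // COUNT(*) always returns one int row
        }
    }

    public bool AccountExists(string name)
    {
        return CountRows("SELECT COUNT(*) FROM Account WHERE AccountName = @UID", name, null) > 0;
    }

    public bool Login(string name, string pass)
    {
        return CountRows("SELECT COUNT(*) FROM Account WHERE AccountName = @UID AND AccountPassword = @PWD", name, pass) == 1;
    }

    // Inserts the account; returns false if the UNIQUE constraint rejects a duplicate name.
    public bool CreateAccount(string name, string pass)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Account (AccountName, AccountPassword) VALUES (@UID, @PWD)", conn))
        {
            cmd.Parameters.Add("@UID", SqlDbType.NVarChar, 50).Value = name;
            cmd.Parameters.Add("@PWD", SqlDbType.NVarChar, 50).Value = pass;
            conn.Open();
            try { return cmd.ExecuteNonQuery() == 1; }
            catch (SqlException ex) when (ex.Number == 2627) { return false; } // unique key violation
        }
    }
}
```

The using blocks open a connection per call and dispose it, instead of sharing one long-lived SqlConnection field as the earlier snippets do.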
