SQL Server Express 2005 confusing...
OK, I've downloaded SQL Server 2005 Express + Database management tool, and it's confusing as #¤%(¤%(/ ! I've created a table with two rows, which are named "AccountName" and "AccountPassword" respectively. What I want to achieve for starters is to be able to create accounts manually but also have a function of sorts that creates accounts automatically based on that table. I also need to be able to query the database from C# to figure out if an account exists and whatnot. I've searched for tutorials about using the database management tool, but I can't find anything that seems to describe what I want to do. Can someone please help?
*shrug* Something like this I guess
using System.Data.SqlClient;

SqlConnection conn = new SqlConnection([ConnectionString]);

public bool Login(string name, string pass)
{
    // The query text is built by concatenating the caller's input straight into the SQL
    SqlCommand cmd = new SqlCommand("select * from Account where AccountName='" + name + "' and AccountPassword='" + pass + "'", conn);
    conn.Open();
    object result = cmd.ExecuteScalar();   // first column of the first row, or null if no row matched
    conn.Close();
    if (result != null)
        return true;
    else
        return false;
}
Quote: Original post by CadetUmfer
SqlCommand cmd = new SqlCommand("select * from Account where AccountName='" + name + "' and AccountPassword = '" + pass + "'", conn);
Using the plus operator to tack on the variables is a bad thing (SQL Injection Attacks may be easier to perform), plus it makes the code really confusing if there are many variables being passed in. You should use SqlParameters.
using System.Data.SqlClient;

public bool Login(string name, string pass)
{
    // conn is the SqlConnection declared above; @UID and @PWD are placeholders,
    // the values are sent separately as parameters rather than pasted into the SQL text
    SqlCommand cmd = new SqlCommand("select * from Account where AccountName=@UID and AccountPassword=@PWD", conn);
    cmd.Parameters.Add(new SqlParameter("@UID", name));
    cmd.Parameters.Add(new SqlParameter("@PWD", pass));
    conn.Open();
    object result = cmd.ExecuteScalar();   // null when no row matched
    conn.Close();
    return result != null;
}
See how much cleaner that makes the SQL string look. Now you can even define the string as a constant if you need to use it elsewhere in your code.
Bill
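Added example, not code from the thread: the difference between the two replies above, run end to end. Python with an in-memory SQLite database stands in here for the C#/SQL Server code so the example runs offline; the `?` placeholders play the role of Bill's `@UID`/`@PWD` parameters and the concatenated query is the one from the first reply. The table and the two accounts are constructed sample data using the OP's column names. It also covers the OP's other question, checking whether an account name already exists, with a parameterized query.

```python
import sqlite3

# Constructed sample data standing in for the OP's "Account" table.
# Column names AccountName / AccountPassword are the ones from the original post.
SAMPLE_ACCOUNTS = [
    ("alice", "correct horse"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory database with the Account table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Account (AccountName TEXT, AccountPassword TEXT)")
    conn.executemany("INSERT INTO Account VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_concatenated(conn, name, password):
    """The pattern from the first reply: user input pasted into the SQL text.
    Whatever the caller types becomes part of the query, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM Account WHERE AccountName='" + name
           + "' AND AccountPassword='" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, name, password):
    """The pattern from Bill's reply: placeholders in the SQL, values passed
    separately. The driver treats the values as data, never as SQL text, so a
    quote in the input is just a character in the string being compared."""
    sql = "SELECT * FROM Account WHERE AccountName=? AND AccountPassword=?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def account_exists(conn, name):
    """The OP's other requirement: is this account name already taken?"""
    sql = "SELECT 1 FROM Account WHERE AccountName=?"
    return conn.execute(sql, (name,)).fetchone() is not None


def concat_raises_on_apostrophe(conn):
    """Even a well-meaning user breaks the concatenated query: a name like
    O'Brien leaves an unbalanced quote, which the database rejects."""
    try:
        login_concatenated(conn, "O'Brien", "pw")
    except sqlite3.Error:
        return True
    return False


def demo():
    conn = make_db()
    # Classic tautology payload: closes the AccountName string, adds an
    # always-true OR, and the "--" comments out the password check entirely.
    payload = "' OR '1'='1' --"
    results = {
        "good_creds_concat": login_concatenated(conn, "alice", "correct horse"),
        "good_creds_param": login_parameterized(conn, "alice", "correct horse"),
        "bad_creds_concat": login_concatenated(conn, "alice", "wrong"),
        "bad_creds_param": login_parameterized(conn, "alice", "wrong"),
        # No valid account or password at all; only the concatenated version lets it in.
        "injected_concat": login_concatenated(conn, payload, "anything"),
        "injected_param": login_parameterized(conn, payload, "anything"),
        "exists_bob": account_exists(conn, "bob"),
        "exists_mallory": account_exists(conn, "mallory"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print("apostrophe_breaks_concat", concat_raises_on_apostrophe(make_db()))
```

With the payload as the account name, the concatenated query becomes `SELECT * FROM Account WHERE AccountName='' OR '1'='1' --' AND AccountPassword='anything'`, which matches every row; the parameterized query compares the column against the literal text of the payload and matches nothing. The same holds for `SqlParameter` in C#, which is why the second reply's version is the one to use.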