How can I get a username and password from my database in C#?

Question

I have the following code in my btn_click event:

Sqlconnection con = new Sqlconnection("server=.;database=bss;user id=ab;pwd=ab");
con.open();
SqlCommand cmd = new Sqlcommand("select * from login where username='" 
+ txt4name.Text + "' and pwd='" + txt4pwd.Text + "'", con);

SqlDataReader reader = cmd.execute Reader();

Where login is the table and username and pwd are its fields. After this code all the values are stored in the reader object. I want to store username and pwd in the separate variables.

How can I accomplish this?

Answer 1

In general, when accessing your DB, you should be using something similar to this instead to eliminate SQL injection vulnerabilities:

using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=HASHBYTES('SHA1', @password)", myConnection))
    {                    
        myCommand.Parameters.AddWithValue("@username", user);
        myCommand.Parameters.AddWithValue("@password", pass);

        myConnection.Open();
        SqlDataReader myReader = myCommand.ExecuteReader())
        ...................
    }

But more realistically to store credentials, you should be using something like the Membership system instead of rolling your own.