Menu
I keep getting an error that I don't understand.
Must declare the scalar variable "@varname"
My aim is to create a login page that uses 2 textboxes and a button, where it checks if the user exits based on the information stored in a SQL database.
This is where I think the problem is coming from:
private bool DBConnection(string userName, string password)
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
//string cmdString = ("SELECT UserName, Password FROM Users WHERE UserName ='" + userName +
// "'AND Password ='" + password + "'"); //REMOVED AS THIS IS PRONE TO SQL INJECTIONS
string cmdString = ("SELECT * FROM Users WHERE UserName = @uname AND Password = @pw");
SqlCommand cmd = new SqlCommand(cmdString, conn);
cmd.Parameters.Add("uname", SqlDbType.VarChar).Value = userName;
cmd.Parameters.Add("pw", SqlDbType.VarChar).Value = password;
DataSet loginCredentials = new DataSet();
SqlDataAdapter dataAdapter;
try
{
if (conn.State.Equals(ConnectionState.Closed))
{
conn.Open();
dataAdapter = new SqlDataAdapter(cmdString, conn);
dataAdapter.Fill(loginCredentials);
conn.Close();
if (loginCredentials != null)
{
if (loginCredentials.Tables[0].Rows.Count > 0)
{
return true;
}
else
{
lblMessage.Text = "Incorrect Username or Password";
lblMessage.Visible = true;
}
}
}
}
catch (Exception err)
{
lblMessage.Text = err.Message.ToString() + " Error connecting to the Database // " + cmd.Parameters.Count;
lblMessage.Visible = true;
return false;
}
return false;
}
specifically where dataAdapter.Fill(loginCredentials); is being executed.
The commented-out statement works successfully in logging in a user with the correct username and password, but as far as I know is not secure, as it's vulnerable to SQL injections and this is why I'm trying to parameterize the SQL statement.
error screenshot below:
768
A scalar variable declaration specifies the name and data type of the variable and allocates storage for it. The declaration can also assign an initial value and impose the NOT NULL constraint. You reference a scalar variable by its name.
Scalar variables are used to represent individual fixed-size data objects, such as integers and pointers. Scalar variables can also be used for fixed-size objects that are composed of one or more primitive or composite types.
You should pass the sqlcommand to the dataAdapter because in your case the sqlcommand (cmd) has more information than mere commandtext and connectionstring. Your code may look like the following:
private bool DBConnection(string userName, string password)
{
SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
//string cmdString = ("SELECT UserName, Password FROM Users WHERE UserName ='" + userName +
// "'AND Password ='" + password + "'"); //REMOVED AS THIS IS PRONE TO SQL INJECTIONS
string cmdString = ("SELECT * FROM Users WHERE UserName = @uname AND Password = @pw");
SqlCommand cmd = new SqlCommand(cmdString, conn);
cmd.Parameters.Add("uname", SqlDbType.VarChar).Value = userName;
cmd.Parameters.Add("pw", SqlDbType.VarChar).Value = password;
DataSet loginCredentials = new DataSet();
SqlDataAdapter dataAdapter;
try
{
if (conn.State.Equals(ConnectionState.Closed))
{
conn.Open();
dataAdapter = new SqlDataAdapter(cmd);
dataAdapter.Fill(loginCredentials);
conn.Close();
if (loginCredentials != null)
{
if (loginCredentials.Tables[0].Rows.Count > 0)
{
return true;
}
else
{
lblMessage.Text = "Incorrect Username or Password";
lblMessage.Visible = true;
}
}
}
}
catch (Exception err)
{
lblMessage.Text = err.Message.ToString() + " Error connecting to the Database // " + cmd.Parameters.Count;
lblMessage.Visible = true;
return false;
}
return false;
}
cmd.Parameters.Add("@uname", SqlDbType.VarChar).Value = userName;
Note the @ in front of uname.
44
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
