I am just starting work with ASP.NET C# and my database is SQL Server. I am trying to write a query where I want to use a prepared statement.
This is a query that allows a user to log in:
SqlParameter UserName = new SqlParameter("@user", SqlDbType.NVarChar, 30);
SqlParameter Password = new SqlParameter("@pass", SqlDbType.NVarChar, 20);
UserName.Value = user.ToLower();
Password.Value = pass;
SqlCommand command = new SqlCommand(null, conn);
command.Parameters.Add(UserName);
command.Parameters.Add(Password);
command.CommandText = "SELECT * FROM table_users WHERE user_name = '@user' AND password = '@pass';";
command.Prepare();
SqlDataReader reader = command.ExecuteReader();
bool tmp = reader.HasRows;
The tmp variable's value is always FALSE, even when I enter an existing user with the correct password.
If I just remove the parameters and write the query this way:
command.CommandText = "SELECT * FROM table_users WHERE user_name = '"+user+"' AND password = '"+ pass+"';";
the tmp variable gets the value TRUE for existing users.
I tried to use this syntax for INSERT INTO queries and it works correctly.
I already read all the suggestions about changing @ to ? and it doesn't work. I get this error:
Incorrect syntax near '?'. Statement(s) could not be prepared.
Help me please, Thanks!
Prepared statements (parameterized queries) are a feature of the database driver used from the programming language: the SQL text is sent to the server as a template with placeholders, and the parameter values are sent separately, with their types, so they are never interpreted as SQL. That is what distinguishes them from queries built by string concatenation of variables (bad!), where user input can change the meaning of the statement (SQL injection). C#, Java and PHP all expose this: in ADO.NET it is SqlCommand with SqlParameter objects, in JDBC it is PreparedStatement (a pre-compiled statement, a subinterface of Statement, which executes a parameterized query instead of hard-coded SQL), in PHP it is PDO::prepare.
The placeholder syntax is driver-specific. The SQL Server client for .NET (SqlClient) uses named parameters such as @user; the generic OLE DB and ODBC providers use positional ? markers. Sending ? to SqlClient is why the attempt described above fails with "Incorrect syntax near '?'".
Prepared statements also have a performance benefit: the server parses, compiles and optimizes the execution plan once, and the same statement can then be executed repeatedly with the same or different parameter values.
You are looking for the literals '@user' and '@pass', rather than the value from the parameter; use:
command.CommandText =
"SELECT * FROM table_users WHERE user_name = @user AND password = @pass;";
instead. Then look into "salted hashes", and why you should never actually store passwords.
BTW, calling Prepare() here isn't helping. I'm also going to plug dapper-dot-net (free/OSS), which would make this entire thing just:
bool authenticated = conn.Query(
@"select 1 from table_users where user_name = @user and password = @pass",
new {user = user.ToLower(), pass} ).Any();
or, if you want the record:
var tableUser = conn.Query<TableUser>(
@"select * from table_users where user_name = @user and password = @pass",
new {user = user.ToLower(), pass} ).SingleOrDefault();
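The corrected query from the answer above, carried through to a complete login check, as an added example that is not code from the original question or answer. It keeps the unquoted @user placeholder the answer recommends (a quoted '@user' is matched as the five-character string literal, which is why the original query never found a row) and also follows the "salted hashes" advice: the password itself is never stored or compared, only a PBKDF2 hash. The table layout (columns pwd_hash, pwd_salt, pwd_iterations), the Microsoft.Data.SqlClient package and the connection string are assumptions; the Rfc2898DeriveBytes.Pbkdf2 and CryptographicOperations.FixedTimeEquals calls are the .NET 6+ APIs.

```csharp
using System;
using System.Data;
using System.Security.Cryptography;
using Microsoft.Data.SqlClient;

// Added example (not the original post's code). Assumed schema:
//   table_users(user_name NVARCHAR(30), pwd_hash VARBINARY(32),
//               pwd_salt VARBINARY(16), pwd_iterations INT)
static class Login
{
    // Unquoted @user is a parameter; '@user' (quoted) would be a string literal.
    // The password is not part of the WHERE clause: the hash is fetched and verified in code.
    const string LookupSql =
        "SELECT pwd_hash, pwd_salt, pwd_iterations " +
        "FROM table_users WHERE user_name = @user;";

    public static bool Authenticate(SqlConnection conn, string user, string pass)
    {
        using var command = new SqlCommand(LookupSql, conn);
        // Size matches the column; the value is bound separately from the SQL text,
        // so quotes or SQL keywords in `user` cannot alter the statement.
        command.Parameters.Add("@user", SqlDbType.NVarChar, 30).Value = user.ToLower();

        using SqlDataReader reader = command.ExecuteReader();
        if (!reader.Read())
            return false; // unknown user

        byte[] storedHash = (byte[])reader["pwd_hash"];
        byte[] salt       = (byte[])reader["pwd_salt"];
        int iterations    = (int)reader["pwd_iterations"];

        // Recompute PBKDF2-HMAC-SHA256 over the supplied password with the stored salt
        // and compare in constant time so the comparison does not leak a prefix match.
        byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
            pass, salt, iterations, HashAlgorithmName.SHA256, storedHash.Length);
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }

    // Produces the values to store when a user registers or changes a password.
    public static (byte[] Salt, byte[] Hash, int Iterations) HashPassword(string pass)
    {
        const int iterations = 100_000;
        byte[] salt = RandomNumberGenerator.GetBytes(16); // fresh random salt per user
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            pass, salt, iterations, HashAlgorithmName.SHA256, 32);
        return (salt, hash, iterations);
    }

    static void Main()
    {
        // Assumed connection string for illustration only.
        using var conn = new SqlConnection(
            "Server=.;Database=app;Integrated Security=true;TrustServerCertificate=true");
        conn.Open();
        Console.WriteLine(Authenticate(conn, "alice", "correct horse battery staple")
            ? "ok" : "denied");
    }
}
```

The query only selects by user_name; pulling the stored hash into code and verifying it there keeps the password out of the SQL entirely and lets you use a proper password-hashing function rather than an equality test against a stored plaintext column.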