Code: Select all
private void btnLogin_Click(object sender, EventArgs e)
{
try
{
if (login_check(txtUsername.Text.ToString(), MD5Hash(txtPassword.Text).ToString()) > 0)
MessageBox.Show("Login Sucessful!", "Success", MessageBoxButtons.OK, MessageBoxIcon.Information);
else
{
MessageBox.Show("Invalid Username or Password!", "Login Failed", MessageBoxButtons.OK, MessageBoxIcon.Error);
txtUsername.Clear();
txtPassword.Clear();
txtUsername.Focus();
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
private int login_check(string username, string password)
{
username.Trim();
password.Trim();
if (conn.State == ConnectionState.Closed)
conn.Open();
string login = "SELECT * FROM db_login WHERE username = '" + username + "' and password = '" + password + "'";
comm = new SqlCommand(login, conn);
if (comm.ExecuteScalar() != null)
return 1;
else
return 0;
}
Code: Select all
' or '1'='1' -- '
I have heard that if you use SqlParameters, SQL injection can be prevented.
EDIT:
One way I can prevent this is by using textbox validation which will allow only alphabets to be entered (for example, on keypress event). What other strategy can be applied?