Dim MyDS As New DataSet
Dim conns As String = "DataSource =ISAAC;Initial Catalog=SETH;Integrated Security=True"
Dim Conn As New SqlConnection
Conn.ConnectionString = conns
Dim Cmd As SqlDataAdapter
Cmd = New SqlDataAdapter("select * from login where username='" & Trim(C1TextBox1.Text ) & "' and password='" & TRIM(C1TextBox2.Text)& "'", Conn)
Cmd.Fill(MyDS, "login")
Dim table As DataTable = MyDS.Tables("login")
Dim i As Integer
Dim j As Integer
if ( table.Rows.Count= 1)
Form1.Show()
Me.Close()
Else
MsgBox("Incorrect Login")
C1TextBox1.Focus ()
End If
-----------------------------------------------------------------------------------------------------
As a side note:
You sql statement is susceptible to SQL
injection. Unless you are doing some sort of sanitizing on your textbox
input, you should consider using
For instance, if I were to type
x' or 1 = 1; --
in your textbox, I have just
You should use command parameters as demonstrated in the snippet.
-----------------------------------------------------------------------------------------------------
Dim adapter As System.Data.SqlClient.SqlDataAdapter
Dim cmd As New System.Data.SqlClient.SqlCommand("Select * from login where username = @user and password = @pass")
cmd.Parameters.Add(New System.Data.SqlClient.SqlParameter("@user", ClTextBox1.Text.Trim()))
cmd.Parameters.Add(New System.Data.SqlClient.SqlParameter("@pass", ClTextBox2.Text.Trim()))
adapter = New System.Data.SqlClient.SqlDataAdapter(cmd)
-----------------------------------------------------------------------------------------------------
0 ความคิดเห็น:
แสดงความคิดเห็น