I am just starting work with ASP.NET C# and my database is SQL Server. I am trying to write a query using a prepared statement.

This is a query that allows a user to log in:

    using System.Data;
    using System.Data.SqlClient;

    // Parameters for the user name and password values
    SqlParameter UserName = new SqlParameter("@user", SqlDbType.NVarChar, 30);
    SqlParameter Password = new SqlParameter("@pass", SqlDbType.NVarChar, 20);

    UserName.Value = user.ToLower();
    Password.Value = pass;

    // conn is an already-open SqlConnection
    SqlCommand command = new SqlCommand(null, conn);
    command.Parameters.Add(UserName);
    command.Parameters.Add(Password);
    command.CommandText = "SELECT * FROM table_users WHERE user_name = '@user' AND password = '@pass';";

    command.Prepare();
    SqlDataReader reader = command.ExecuteReader();

    bool tmp = reader.HasRows;

The tmp variable is always FALSE, even when I enter an existing user with the correct password.

If I just remove the parameters and write the query this way:

    command.CommandText = "SELECT * FROM table_users WHERE user_name = '" + user + "' AND password = '" + pass + "';";

the tmp variable gets the value TRUE for existing users.

I tried to use this syntax for INSERT INTO queries and it works correctly.

I already read all the suggestions about changing @ to ? and it doesn't work. I get this error:

    Incorrect syntax near '?'. Statement(s) could not be prepared.

Help me please, Thanks!


You are looking for the literals '@user' and '@pass', rather than the value from the parameter; use:

    command.CommandText =
        "SELECT * FROM table_users WHERE user_name = @user AND password = @pass;";

instead. Then look into "salted hashes", and why you should never actually store passwords.

BTW, calling Prepare() here isn't helping here. I'm also going to plug dapper-dot-net (free/OSS), which would make this entire thing just:

    bool authenticated = conn.Query(
        @"select 1 from table_users where user_name = @user and password = @pass",
        new { user = user.ToLower(), pass }).Any();

or, if you want the record:

    var tableUser = conn.Query<TableUser>(
        @"select * from table_users where user_name = @user and password = @pass",
        new { user = user.ToLower(), pass }).SingleOrDefault();
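The answer makes two points: the placeholder must not be quoted, and the password should be stored as a salted hash rather than in plain text. The following is an added example, not code from the question, the answer, or Dapper, that puts both together with plain ADO.NET. It assumes a hypothetical schema `table_users(user_name NVARCHAR(30), password_hash VARBINARY(32), salt VARBINARY(16), iterations INT)`, an already-open `SqlConnection conn`, and a runtime with `CryptographicOperations.FixedTimeEquals` (.NET Core 2.1 or later).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example: parameterized lookup plus salted PBKDF2-SHA256 verification.
// Assumed (hypothetical) schema:
//   table_users(user_name NVARCHAR(30), password_hash VARBINARY(32),
//               salt VARBINARY(16), iterations INT)
public static class Login
{
    const int SaltSize = 16;
    const int HashSize = 32;
    const int DefaultIterations = 100_000;

    // Derive a PBKDF2-SHA256 hash of the password under the given salt.
    static byte[] Hash(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    // Store a new user's credentials: a random salt and the derived hash,
    // never the password itself.
    public static void CreateUser(SqlConnection conn, string user, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        var hash = Hash(password, salt, DefaultIterations);

        using (var cmd = new SqlCommand(
            "INSERT INTO table_users (user_name, password_hash, salt, iterations) " +
            "VALUES (@user, @hash, @salt, @iter);", conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 30).Value = user.ToLower();
            cmd.Parameters.Add("@hash", SqlDbType.VarBinary, HashSize).Value = hash;
            cmd.Parameters.Add("@salt", SqlDbType.VarBinary, SaltSize).Value = salt;
            cmd.Parameters.Add("@iter", SqlDbType.Int).Value = DefaultIterations;
            cmd.ExecuteNonQuery();
        }
    }

    // Verify a login attempt. Note that @user is NOT wrapped in quotes:
    // '@user' would be the literal four-character string, which is the bug
    // in the question. Only the user name is sent to the database; the
    // password is compared in application code against the stored hash.
    public static bool Authenticate(SqlConnection conn, string user, string password)
    {
        byte[] storedHash = null, salt = null;
        int iterations = DefaultIterations;

        using (var cmd = new SqlCommand(
            "SELECT password_hash, salt, iterations FROM table_users WHERE user_name = @user;", conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 30).Value = user.ToLower();
            using (var reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (reader.Read())
                {
                    storedHash = (byte[])reader["password_hash"];
                    salt = (byte[])reader["salt"];
                    iterations = reader.GetInt32(reader.GetOrdinal("iterations"));
                }
            }
        }

        if (storedHash == null)
        {
            // Unknown user: still run the KDF so the response time does not
            // reveal whether the user name exists.
            Hash(password, new byte[SaltSize], iterations);
            return false;
        }

        var candidate = Hash(password, salt, iterations);
        // Constant-time comparison so timing does not leak how many leading
        // bytes of the hash matched.
        return CryptographicOperations.FixedTimeEquals(candidate, storedHash);
    }
}
```

The query only ever receives the user name as a parameter; the password never reaches SQL Server at all, so there is nothing in the `WHERE` clause for a wrong quoting style to break. Storing `iterations` per row lets the work factor be raised later without invalidating existing accounts.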

9 Comments

Thank you very much, now it works. I'll check the "salted hashes".
@MarkGravell - "BTW, calling Prepare() here isn't helping here." Could you elaborate on why using a prepared statement isn't helping in this usage?
@Jesse because most databases these days don't care: they have automatic query plan caching on ad-hoc queries that makes any difference basically unmeasurable
@MarcGravell can I get the query in a string from Dapper like "select * from table_users where user_name = user12 and password = 123" with the values?
I need the query with the parameters' values in a string.
