[RESOLVED] Parameterized query
I have this code I would like to change to a parameterized query.
Is this what I do?Code:public String GetLoginRecordID(String User, String Password, String result,String connString) { String strCmd = "SELECT RecordID FROM SystemLogins WHERE (UserID = '" + User + "')" + " AND (UserPassword = '" + Password + "') AND (Result = 'VALID') ORDER BY RecordID;"; Int32 intRecID = 0; try { using (OleDbConnection oleConn = new OleDbConnection(connString)) { using (OleDbCommand oleComm = new OleDbCommand(strCmd, oleConn)) { oleConn.Open(); using (OleDbDataReader reader = oleComm.ExecuteReader()) { while (reader.Read()) { intRecID = reader.GetInt32(0); return intRecID.ToString(); } } } } return intRecID.ToString(); } catch (Exception ex) { return intRecID.ToString(); } }
Code:public String GetLoginRecordID(String User, String Password, String result,String connString) { String strCmd = "SELECT RecordID FROM SystemLogins WHERE (UserID = ?)" + " AND (UserPassword = ?) AND (Result = 'VALID') ORDER BY RecordID;"; Int32 intRecID = 0; try { using (OleDbConnection oleConn = new OleDbConnection(connString)) { using (OleDbCommand oleComm = new OleDbCommand(strCmd, oleConn)) { //change to this? oleComm.Parameters.Add(User); oleComm.Parameters.Add(Password); oleConn.Open(); using (OleDbDataReader reader = oleComm.ExecuteReader()) { while (reader.Read()) { intRecID = reader.GetInt32(0); return intRecID.ToString(); } } } } return intRecID.ToString(); } catch (Exception ex) { return intRecID.ToString(); } }
Reply With Quote