getting error in color authentication password

Question

I am trying to create color password but i am getting this error

System.Data.SqlClient.SqlException was unhandled by user code Incorrect syntax near '='.

my code is this and please help me .... thnxx in advance :)

protected void Button_Login_Click(object sender, EventArgs e)
{

    SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegistrationConnectionString"].ConnectionString);
    conn.Open();
    string checkuser = "select count(*) from UserData where Username ='" + TextBoxUserName.Text + "'";
    SqlCommand com = new SqlCommand(checkuser, conn);
    int temp = Convert.ToInt32(com.ExecuteScalar().ToString());
    conn.Close();
    if (temp == 1)
    {
        conn.Open();
        string checkPasswordQuery = "select Password from UserData where Username ='" + TextBoxUserName.Text + "'";
        SqlCommand passComm = new SqlCommand(checkPasswordQuery, conn);
        string password = passComm.ExecuteScalar().ToString().Replace(" ","");

        if (password == TextBoxPassword.Text)
        {

            Response.Write("Password is correct");


            string checkcolorQuery = "select Color1,Color2,Color3,Color4 from Username='" + TextBoxUserName.Text + "'";
            SqlCommand colorCom = new SqlCommand(checkcolorQuery, conn);

            string color = colorCom.ExecuteScalar().ToString(); // **getting error here**
            if (color == TextBoxColor1.Text && color == TextBoxColor2.Text && color == TextBoxColor3.Text && color == TextBoxColor4.Text) 

            {
              //  Session["New"] = TextBoxUserName.Text;
                Response.Write("Color Priority is correct");
                Response.Redirect("User.aspx");
            }

            else
            {
                Response.Write("Color Priority is  not correct");
            }

        }
        else
        {
            Response.Write("Password is  not correct");
        }


    }
  else
    {
        Response.Write("Username is not correct");
    }

}
}

Answer 1

Your query is currently

select Color1,Color2,Color3,Color4 from Username='foo'

Surely you need it to be something like

select Color1,Color2,Color3,Color4 from tablename where Username='foo'

You should also change the way you are executing your SQL. Use something like this to execute your SQL.

    public static void ExecuteSQL(string sqlCommand, Dictionary<string,object> parameters )
    {
        using (SqlConnection dbConn = new SqlConnection(GetConnectionString()))
        {
            dbConn.Open();
            using (SqlCommand dbCommand = new SqlCommand(sqlCommand, dbConn))
            {
                if (parameters != null)
                {
                    foreach (var parameter in parameters)
                    {
                        dbCommand.Parameters.AddWithValue(parameter.Key, parameter.Value);
                    }
                }
                dbCommand.ExecuteScalar();
            }
            dbConn.Close();
        }
    }

So in your code you'd just have

 string checkuser = "select count(*) from UserData where Username =@username";
 var parameters = new Dictionary<string, object>();
 parameters.Add("@username", TextBoxUserName.Text);
 ExecuteSQL(checkuser, parameters);