Search code examples
c#mysqloledb

OleDB / MySQL Parameter Adding

I have a question about adding parameters to a command (MySQL or OleDB, I currently use both) to avoid SQL injection.

This hard coded query works absolutely fine, aside from the open vulnerability to injection;

var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = '"+username+"' AND em_password = '"+password+"'");

However, after modifying the query so that I add parameters rather than leave the vulnerability open, it doesn't work. This is how I do it;

var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = @username AND em_password = @password");
OleDbCommand dbfQuery = new OleDbCommand(queryString, dbfCon);
dbfQuery.Parameters.Add("@username", OleDbType.Char).Value = username;
dbfQuery.Parameters.Add("@password", OleDbType.Char).Value = password;

Could somebody please give me an explanation as to why this is not working? The first query returns 1 from count, the second returns 0 (it should return 1).

EDIT: For clarity by "doesn't work" I mean that the first statement returns a column count of 1 i.e. there is a user, the query does work. The second statement, with exactly the same username and password entered returns a 0, i.e. although a username and password combination does exist (proven by the first statement) the query is not working correctly.

EDIT 2: Entire class code posted;

public static bool AuthenticateUser(string username, string password)
    {
        var constr = ConfigurationManager.ConnectionStrings["dbfString"].ConnectionString;           
        using (OleDbConnection dbfCon = new OleDbConnection(constr))
        {
            try
            {
                dbfCon.Open();
                var queryString = string.Format("SELECT COUNT(*) FROM employs WHERE em_netname = @username AND em_password = @password");
                OleDbCommand dbfQuery = new OleDbCommand(queryString, dbfCon);
                dbfQuery.Parameters.Add("@username", OleDbType.Char).Value = username;
                dbfQuery.Parameters.Add("@password", OleDbType.Char).Value = password;
                MessageBox.Show("Query: " + queryString);
                int numOfColumns = Convert.ToInt32(dbfQuery.ExecuteScalar());
                MessageBox.Show(numOfColumns.ToString());
                if (numOfColumns == 1)
                {
                    return true;
                }
                else
                {
                    return false;
                }
            }
            catch (OleDbException)
            {
                throw;
            }
        }
    }
Solution

  • According to MSDN the OleDbCommand does not support named parameters. Try to use ? instead.

    The OLE DB .NET Provider does not support named parameters for passing parameters to an SQL statement or a stored procedure called by an OleDbCommand when CommandType is set to Text. In this case, the question mark (?) placeholder must be used. For example:

    SELECT * FROM Customers WHERE CustomerID = ?

    Therefore, the order in which OleDbParameter objects are added to the OleDbParameterCollection must directly correspond to the position of the question mark placeholder for the parameter in the command text.