Start by fixing the SQL Injection vulnerability in your code.
    Private Function CreateConnection() As OleDb.OleDbConnection
        Return New OleDb.OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\DBCaseStudy.mdb;Persist Security Info=False")
    End Function

    Private Sub btnRegCreate_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnRegCreate.Click
        Using conn As OleDb.OleDbConnection = CreateConnection()
            ' The user-supplied values never become part of the SQL text; they are passed as parameters.
            Using comd As New OleDb.OleDbCommand("INSERT INTO tblAdmins ([ID], [Firstname], [Lastname], [Username], [Password]) VALUES (@ID, @Firstname, @Lastname, @Username, @Password)", conn)
                comd.Parameters.AddWithValue("@ID", txtRegID.Text)
                comd.Parameters.AddWithValue("@Firstname", txtRegFirst.Text)
                comd.Parameters.AddWithValue("@Lastname", txtRegLast.Text)
                comd.Parameters.AddWithValue("@Username", txtRegUsername.Text)
                comd.Parameters.AddWithValue("@Password", txtRegPass.Text)
                conn.Open()
                Try
                    comd.ExecuteNonQuery()
                    MsgBox("Record Appended", MsgBoxStyle.Information, "Successfully Added!")
                Catch ex As Exception
                    MsgBox(ex.ToString())
                End Try
            End Using
        End Using
    End Sub
Then, you'll need to fix your password storage. You're currently storing passwords in plain text, which is an
extremely bad idea. You should only ever store a salted hash of the password, using a unique salt per record.
Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP