Your code is vulnerable to SQL Injection.
NEVER use string concatenation to build a SQL query.
ALWAYS use a parameterized query.
You should also wrap your command and connection objects in using blocks to ensure they're always disposed of properly.
And you'll need to deal with cases where your command returns null:
// Requires: using System; using System.Configuration; using System.Data.SqlClient;
// The SQL text is fixed; the user name travels as a parameter and is never parsed as SQL.
const string sql3 = "SELECT Task FROM Todaywork WHERE Username = @Username AND Active = '1'";
using (SqlConnection con3 = new SqlConnection(ConfigurationManager.ConnectionStrings["Conec"].ConnectionString))
using (SqlCommand cmd3 = new SqlCommand(sql3, con3))
{
    cmd3.Parameters.AddWithValue("@Username", Login.recuser);
    con3.Open();
    // ExecuteScalar returns null when no row matches, and DBNull when Task itself is NULL.
    object result = cmd3.ExecuteScalar();
    if (result != null && !Convert.IsDBNull(result))
    {
        checkedListBoxongoing.SelectedItem = Convert.ToString(result);
    }
}
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
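To make the difference concrete, here is an added example (editor's code, not the answer author's or the original poster's) that puts the string-concatenated query beside the parameterized one. It assumes the same Todaywork(Task, Username, Active) table as the question, a connection string supplied by the caller, and a parameter length of 256, which is a guess since the column definition is not on the page; the attack value is constructed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class TaskLookup
{
    // VULNERABLE: the user name is pasted into the SQL text. A value such as
    //   x' OR '1'='1
    // closes the quoted literal and changes the WHERE clause to
    //   Username = 'x' OR '1'='1' AND Active = '1'
    // which, with SQL's AND-before-OR precedence, matches every active row,
    // so ExecuteScalar would hand back some other user's task.
    public static string BuildUnsafeSql(string username)
    {
        return "SELECT Task FROM Todaywork WHERE Username = '" + username + "' AND Active = '1'";
    }

    // SAFE: the SQL text is a constant. The value is sent as a typed parameter,
    // so the same payload is compared as a literal user name and matches nothing.
    public static string GetActiveTask(string connectionString, string username)
    {
        const string sql = "SELECT Task FROM Todaywork WHERE Username = @Username AND Active = '1'";
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Explicit type and length (256 is an assumed size) instead of AddWithValue,
            // so the server does not have to infer the parameter type from the .NET value.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 256).Value = username;
            con.Open();
            // null: no row matched. DBNull: a row matched but Task is NULL.
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? null : Convert.ToString(result);
        }
    }

    public static void Main()
    {
        const string payload = "x' OR '1'='1";   // constructed attack input
        Console.WriteLine(BuildUnsafeSql(payload));
        // With the parameterized version the payload never reaches the SQL parser;
        // GetActiveTask(connectionString, payload) simply returns null for an unknown user.
    }
}
```

Running Main prints the concatenated query so you can see the injected clause in place; GetActiveTask is what the form code should call, with the same null/DBNull handling as the corrected snippet above.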