Sharing the goodness…
Beth Massi is a Senior Program Manager on the Visual Studio team at Microsoft and a community champion for .NET developers. Learn more about Beth.
More videos »
I've been asked by a couple readers on how to pass parameters into a SQL statement to your database using the TableAdapters. I actually created a video on how to do this in the context of a search query (play video | download video | entire series). It's really easy to do this using the TableAdapter Query Configuration Wizard. Let's create a quick login form for an example.
I've got a table called Users in my database and I've created a Dataset called UsersDataset by opening up the Datasources window and adding a new datasource to my database. Then I created a form called LoginForm and from the Toolbox I dragged some labels and textboxes for the entry and a couple buttons, OK and Cancel, onto the form. I then set the PasswordChar property on the PasswordTextbox to "*". This indicates that the textbox should display this character instead of what the user types, but the value of the Text property will still be what the user enters.
(By the way, this example does NOT demonstrate a secure way of writing login forms. We'll be passing what the user enters directly into the database which stores the password in clear text. It is NOT safe practice to store clear text passwords in your database. I'll post a follow-up that talks about techniques we can use to protect users' passwords, especially if we need to store them in a database. For now, let's concentrate on how we add parameterized queries to our TableAdapters. UPDATE: Here's the follow up.)
Now at this point I build the project and in the WindowsApplication1 Components section at the top of the Toolbox I can now see the UsersDataset and the UsersTableAdapter listed (it's important that you build your project to get the components listed in the Toolbox). I drag the UsersTableAdapter onto the LoginForm which creates a component in the tray named UsersTableAdapter1.
So now that we've got that all set up, we're going to add a parameterized query to the UsersTableAdapter. First open up the UsersDataset and right-click on the TableAdapter in the designer and choose "Add Query".
This will open up the TableAdapter Query Configuration Wizard. First it asks you to choose a command type. Keep the default selected as "Use SQL Statement" and then click Next. Next it asks you to choose a query type. We're going to select the second option, to create a SELECT statement that returns a single value, not a result set.
Next we'll write the parameterized query as "SELECT COUNT(*) FROM Users WHERE UserName = @UserName AND Password = @Password". Then click Next and name the function "Login". This will create a TableAdapter method called Login that accepts a UserName and Password as a parameter and returns an Object which will be an Integer in our case since we're specifying to return the COUNT(*) of the rows that match the WHERE clause.
Now back to the LoginForm, we can double-click on the OK button to add a Click event handler.
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) _
If CType(Me.UsersTableAdapter1.Login(Me.UserNameTextBox.Text, _
Me.PasswordTextBox.Text), Integer) > 0 Then
MsgBox("Welcome to my application!")
MsgBox("Invalid username or password.")
Catch ex As Exception
Now when we run this example and enter a user name and password that is contained in the database table Users, we get the greeting message otherwise we get the message that our user name or password is invalid.
As you can see it's really easy to add parameterized queries to your TableAdapters using the wizards. There's even a simple query builder you can use to help you write your queries and test them out before they are generated on the TableAdapter. In a follow up post I'll show you how to add secure password storage to your application using hashing and encryption.
You're the best one.
Thanks from a noob....
Your videos are great! Make a thousand more. After programming in unix for the last several years. I feel like I have been in a desert and suddenly came across a well of water.
Hi i need your help i have this error " Error 1 'login' no es un miembro de 'WindowsApplication1.UniversidadDataSetTableAdapters.usuariosTableAdapter'. C:\Documents and Settings\Käsar\Mis documentos\Visual Studio 2005\Projects\Cesar_University\Cesar_University\login.vb 5 22 Cesar_University"
What is Login??????If CType(Me.UsuariosTableAdapter1.login(
Creating parameterized queries is one of the major countermeasures to SQL Injection attacks (not the
The Login method is generated on the TableAdapter when you name the function "Login" after you enter your parameterized query in the wizard.
In my first post on parameterized queries I built a simple login form that really was a contrived example
I've been heads down this week (re)learning an older technology -- Visual Basic 6! With all the things
Beth Great Job!
In your first video you creat a stored procedures.
My VS 2005 don´t create in toolbox options for insert update and delete ?
What is wrong?
São Paulo - Brasil whait your visit.
Stored procedures are not created automatically for you. I wrote the stored procedures for the video and put them as snippets in the toolbox. You can create code snippets by selecting text in the code editor and then dragging that onto the toolbox. Then you can use that snippet of code again by dragging from the toolbox into the editor.
I cannot locate WindowsApplication1 Components inthe ToolBox
I am Using VB 2005 Professional
THanks IN Advance
Make sure you build your project first.
"(it's important that you build your project to get the components listed in the Toolbox)"
A small variation on your project, I would like the
user to enter values into two text boxes and use them
as range parameters in the dataset and return those records between the two values. How would I do that?
You can add as many parameters as you like to the query. Just like I showed above, when you add the @Parameter1 to the SQL query then it will pick it up as a parameter. If you are using Access (the OleDb client) then the parameter placeholder is a question mark (?). All you need to do is write the query that selects the range of values you want. For information on writing T-SQL queries check out SQL Server Books Online: http://msdn2.microsoft.com/en-us/library/ms130214.aspx
I am Lost.
now after connecting My form to my DataBase, i can see an Application Components But it is connecting me to the data Base that i have created NOT the username/password.