I have this code

Dim con = New SqlConnection("Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Danial\documents\visual studio 2010\Projects\ESI_PF_Payroll_V1\ESI_PF_Payroll_V1\Pay.mdf;Integrated Security=True;Connect Timeout=30;User Instance=True")
con.Open() 
cmd.CommandText = "SELECT Firstname,Lastname FROM Employee where Firstname = @Firstname and Lastname = @Lastname"
cmd.Parameters.Add(New SqlParameter("@Firstname", TextBox1.Text)) .Value = TextBox1.Text
cmd.Parameters.Add(New SqlParameter("@Lastname", Lname_txt.Text)) .Value = Lname_txt.Text
dr = cmd.ExecuteReader
While dr.Read
    Label4.Text = dr(0)
End While
con.Close()
cmd.Connection = con
adaptor.SelectCommand = cmd
con.Open()
adaptor.Fill(dataset, "O")
Dim count = dataset.Tables(0).Rows.Count
If count > 0 Then
    MessageBox.Show("This Employee Does Exist!")

It does not diffrenciate between
Firstname = some name and Firstname = somename
Lastname = Some Last Name and Lastname = somelastname

sometimes it wors correct like
Firstname = Danial
but sometimes I do like
Firstname = Daniall it also takes it as a yes
why is this happening?

Edited 3 Years Ago by Reverend Jim: Fixed formatting

First of all, you should let SQL Server manage the location of your database and use the following connection string

Dim con = New SqlConnection("Server=.\SQLEXPRESS;Database=Pay;Trusted_Connection=yes;")

assuming your database name is Pay. Then use

con.Open()
cmd.CommandText = "SELECT Firstname,Lastname FROM Employee where Firstname = @Firstname and Lastname = @Lastname"
cmd.Parameters.Add(New SqlParameter("@Firstname", TextBox1.Text)) .Value = TextBox1.Text
cmd.Parameters.Add(New SqlParameter("@Lastname", Lname_txt.Text)) .Value = Lname_txt.Text
dr = cmd.ExecuteReader

If dr.HasRows Then
    While dr.Read
        Label4.Text = dr(0)
    End While
    MessageBox.Show("This Employee Does Exist!")
Else
    MessageBox.Show("This Employee Does Not Exist!")

It is possible that both Danial and Daniall exist in the table. I tried your code here and it returns the expected results. One more note - you should also do dr.Close() when you are done reading.

And to answer that actual question - using the query as you have set it up (with parameters) is good protection against SQL injection.

Ok,I have only limited number of entries in my database so I know that only Danial Exists not Daniall,and thank you about the connection string correction.

With the connection string you suggested .
here is the code

Dim con = New SqlConnection("Server=.\SQLEXPRESS;Database=Pay;Trusted_Connection=yes;")
                con.Open()
                cmd = New SqlCommand
                cmd.Connection = con
                cmd.CommandText = "SELECT Firstname,Lastname FROM Employee where Firstname = @Firstname and Lastname = @Lastname"
                cmd.Parameters.Add(New SqlParameter("@Firstname", TextBox1.Text)).Value = TextBox1.Text
                cmd.Parameters.Add(New SqlParameter("@Lastname", Lname_txt.Text)).Value = Lname_txt.Text

                cmd.CommandText = "SELECT Companyname FROM Employee where Firstname = @Firstname"
                cmd.Parameters.Add(New SqlParameter("@Firstname", TextBox1.Text)).Value = TextBox1.Text
                dr = cmd.ExecuteReader
                If dr.HasRows Then
                    While dr.Read
                        Label4.Text = dr(0)
                    End While
                    MessageBox.Show("This Employee Does Exist!")
Else
Messagebox("This Employee Does not Exists!")

This is the error that comes up

cannot open database"Pay" requested by the login.The Login failed.Login failed for user'My PC Name'.

I assumed that the database name was Pay based on the name of the actual file. I also assumed that because you had specified Integrated Security=True that you were validating based on your current login username. Are you using windows authentication or SQL server authentication?

This question has already been answered. Start a new discussion instead.