The principles and dangers of SQL Injection are technology agnostic. I have used Microsoft SQL Server and ASP.NET in my code samples here, and want to remind you of the security threat that SQL Injection poses to your applications irrespective of the technology you use to build them. I will also list what you can do to make your applications more secure.
Let me start by doing what you always do: build an application with user management features built into it. To keep it simple, if you are trying this out along with me, I will hard-code my user table instead of building the user management screens.
Direct Hit!
```sql
USE payroll
GO
CREATE TABLE ApplicationUser
(
    UserName nvarchar(25),
    Password nvarchar(25)
)
GO
INSERT INTO ApplicationUser VALUES ('Amit', 'Password4Amit')
INSERT INTO ApplicationUser VALUES ('Aparna', 'Password4Aparna')
GO
```
First I have made a screen for my users to log in (see below).
Here is the code I have used to verify that the user name and password are correct.
```csharp
using System;
using System.Data.SqlClient;

// Vulnerable as written: the user name typed into the page is concatenated
// straight into the SQL text, so the input becomes part of the query.
protected void btnSubmit_Click(object sender, EventArgs e)
{
    string strSQL = "SELECT Password FROM ApplicationUser WHERE UserName = '" + txtUserName.Text + "'";
    string strConnection = "Data Source=(local); " + "Integrated Security = SSPI; Initial Catalog=payroll";
    string strPassword;
    bool blnValidUser = false;
    SqlConnection conPayroll = new SqlConnection(strConnection);
    SqlCommand cmdUserValidate = new SqlCommand(strSQL, conPayroll);
    conPayroll.Open();
    try
    {
        // ExecuteScalar() returns the first column of the first row, or null if no row matched
        strPassword = cmdUserValidate.ExecuteScalar().ToString();
        if (txtPassword.Text == strPassword)
        {
            blnValidUser = true;
        }
    }
    catch (NullReferenceException) { }   // no such user: ExecuteScalar() returned null
    catch (SqlException) { }             // the concatenated query was not valid SQL
    finally
    {
        conPayroll.Close();              // the original never closed the connection
    }
    if (blnValidUser)
    {
        lblMessage.Text = "Congratulations. Successful login!";
    }
    else
    {
        lblMessage.Text = "Login failed!";
    }
}
```
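For comparison, here is the same handler rewritten with a parameterized SqlCommand. This is an added example, not the article's own code; it assumes the article's ApplicationUser table and the same page controls (txtUserName, txtPassword, lblMessage).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: parameterized version of btnSubmit_Click (not from the article).
protected void btnSubmit_Click(object sender, EventArgs e)
{
    // The user name travels as a typed parameter, never as part of the SQL text,
    // so whatever is typed is compared literally against the UserName column.
    const string strSQL = "SELECT Password FROM ApplicationUser WHERE UserName = @UserName";
    string strConnection = "Data Source=(local);Integrated Security=SSPI;Initial Catalog=payroll";
    bool blnValidUser = false;

    // using blocks dispose the connection and command even if an exception is thrown.
    using (SqlConnection conPayroll = new SqlConnection(strConnection))
    using (SqlCommand cmdUserValidate = new SqlCommand(strSQL, conPayroll))
    {
        // Declare the parameter with the column's type and size (nvarchar(25) in the article's schema).
        cmdUserValidate.Parameters.Add("@UserName", SqlDbType.NVarChar, 25).Value = txtUserName.Text;

        conPayroll.Open();
        object result = cmdUserValidate.ExecuteScalar();   // null when no row matched

        if (result != null && result != DBNull.Value)
        {
            string strPassword = (string)result;
            // Ordinal comparison: no culture-sensitive matching when comparing secrets.
            blnValidUser = string.Equals(txtPassword.Text, strPassword, StringComparison.Ordinal);
        }
    }

    lblMessage.Text = blnValidUser ? "Congratulations. Successful login!" : "Login failed!";
}
```

The password comparison is kept in the handler so the example maps one-to-one onto the original; the article's schema stores passwords in clear text, which is a separate weakness that parameterization does not address.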
Copyright © CyberMedia India Online Ltd. All rights reserved. Usage of content from web site is subject to Terms and Conditions.