a guest
Jan 21st, 2017
Take your query:

[Code]
"select * from tableName where userField = '" + txtBoxUser + "' and passField = '" + txtBoxPass + "'"
[/code]

So, imagine the user enters this in the textboxes:
txtBoxUser: John Doe
txtBoxPass: 1234

So, the query will be:

[Code]
select * from tableName where userField = 'John Doe' and passField = '1234'
[/code]

If the user/pass matches, the login will succeed.

[B]But now[/B] imagine the [I]'user'[/I] enters this in the textboxes:

[Code]
txtBoxUser: ' or ''='
txtBoxPass: ' or ''='
[/code]

The query will be:

[Code]SELECT * FROM tableName WHERE userField = '' OR ''='' AND passField = '' OR ''=''[/code]

This query [B]always[/B] succeeds: the trailing OR ''='' is true for every row, so the [B]login always succeeds[/B].

So you have 3 choices:

1) Only allow letters and numbers in the textboxes. (really bad fix, because someone could use symbols in their user/pass)
2) Use [B]parameters[/B] in the query. This should fix the SQLi
3) Use [B]Stored Procedures[/B]

Hope it helps someone understand how 'SQL Injection' works and how to try to fix it.
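
The concatenated query and choice 2 (parameters) side by side, as an added example that is not part of the original post. It assumes Python's sqlite3 with an in-memory database; the table and column names follow the post, while the rows and the function names make_db, login_concat and login_param are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; plaintext passwords only mirror the post's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tableName (userField TEXT, passField TEXT)")
    db.executemany("INSERT INTO tableName VALUES (?, ?)",
                   [("John Doe", "1234"), ("admin", "s3cret"),
                    ("O'Brien", "p'w")])
    return db

def login_concat(db, user, pw):
    # Vulnerable form from the post: input is pasted into the SQL text,
    # so a quote in the input changes the structure of the statement.
    sql = ("select * from tableName where userField = '" + user +
           "' and passField = '" + pw + "'")
    return db.execute(sql).fetchall()

def login_param(db, user, pw):
    # Choice 2 from the post: placeholders send the input as data only,
    # so quotes are compared literally and never parsed as SQL.
    sql = "select * from tableName where userField = ? and passField = ?"
    return db.execute(sql, (user, pw)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' or ''='"  # the textbox input shown in the post
    for fn in (login_concat, login_param):
        print(fn.__name__,
              "| valid login rows:", len(fn(db, "John Doe", "1234")),
              "| payload rows:", len(fn(db, payload, payload)))
    # A legitimate user with a quote in the name: the concatenated query
    # fails with a syntax error, the parameterized one just works.
    try:
        login_concat(db, "O'Brien", "p'w")
    except sqlite3.OperationalError as exc:
        print("login_concat O'Brien:", exc)
    print("login_param O'Brien rows:", len(login_param(db, "O'Brien", "p'w")))
```

The O'Brien row also shows why choice 1 is a poor fix: with parameters, symbols in a user name or password need no filtering at all.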