
SqlCommand AddWithValue

SqlCommand command = new SqlCommand("SELECT * FROM users WHERE Username =  ? AND Password = ?", connection);
command.Parameters.AddWithValue("Username", username);
command.Parameters.AddWithValue("Password", password);
SqlDataReader reader = null;
reader = command.ExecuteReader();

When I run the program I get

Incorrect syntax near '?'.

On this line:

reader = command.ExecuteReader();

Can anyone see what I'm doing wrong?

using(SqlCommand command = new SqlCommand("SELECT * FROM users WHERE Username =  @Username AND Password = @Password", connection))
{
  command.Parameters.AddWithValue("@Username", username);
  command.Parameters.AddWithValue("@Password", password);
  using(SqlDataReader reader = command.ExecuteReader())
  {
    while(reader.Read())
    {
      // do the actual work
    }
  }
}

Improved with using keywords, which are not necessary but recommended.

SqlCommand command = new SqlCommand(
    "SELECT * FROM users WHERE Username = @Username AND Password = @Password",
    connection);
command.Parameters.AddWithValue("Username", username);
command.Parameters.AddWithValue("Password", password);
SqlDataReader reader = null;
reader = command.ExecuteReader();

You might want to read up on SQL.

Which DBMS are you using? If you're using SQL Server, that is incorrect syntax for the query. You need:

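// Named parameters (@name) are the syntax SqlClient expects; '?' placeholders are not supported.
SqlCommand command = 
    new SqlCommand(@"select * 
                     from users 
                     where username = @username and password = @password",
                   connection);

// The variable name must match the command declared above.
command.Parameters.AddWithValue("@username", username);
command.Parameters.AddWithValue("@password", password);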
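
A hardened variant of the login lookup discussed in this thread, as an added example that is not from the original posts: it keeps the named @Username parameter but declares its type and length explicitly, and it verifies a salted PBKDF2 hash in application code instead of comparing a password inside the SQL. The PasswordSalt and PasswordHash columns, the column sizes, the iteration count and the LoginCheck class are assumptions, and Rfc2898DeriveBytes.Pbkdf2 requires .NET 6 or later.

```csharp
using System;
using System.Data;
using System.Security.Cryptography;
using Microsoft.Data.SqlClient; // System.Data.SqlClient on .NET Framework

static class LoginCheck // hypothetical helper, not from the page
{
    // Assumed schema: users(Username nvarchar(50),
    //                       PasswordSalt varbinary(16), PasswordHash varbinary(32))
    const int Iterations = 100_000; // assumed work factor; tune for your hardware

    public static bool Verify(SqlConnection connection, string username, string password)
    {
        // Only the username goes to the server, and only as a named parameter.
        const string sql =
            "SELECT PasswordSalt, PasswordHash FROM users WHERE Username = @Username";

        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and length instead of AddWithValue's type inference,
            // so the parameter matches the column and the query plan stays stable.
            command.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value =
                (object)username ?? DBNull.Value;

            using (SqlDataReader reader = command.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                    return false; // no such user

                byte[] salt = (byte[])reader["PasswordSalt"];
                byte[] stored = (byte[])reader["PasswordHash"];

                // Recompute the hash from the submitted password and the stored salt.
                byte[] candidate = Rfc2898DeriveBytes.Pbkdf2(
                    password ?? string.Empty, salt, Iterations,
                    HashAlgorithmName.SHA256, stored.Length);

                // Constant-time comparison avoids leaking how many bytes matched.
                return CryptographicOperations.FixedTimeEquals(candidate, stored);
            }
        }
    }
}
```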
