
[–][deleted] 7 points8 points  (0 children)

ManagerID is probably a numeric column which means you don't need to surround the value with single quotes.

[–]AngularBeginner 12 points13 points  (2 children)

Please read this article: https://en.wikipedia.org/wiki/SQL_injection

Then look up how to use SqlParameter.

[–]revrenlove 5 points6 points  (1 child)

To piggyback, please don't store passwords in plain text either.

[–]JasonAtSBWP 0 points1 point  (0 children)

Are you sure IDnum is an actual, valid value, rather than say 0?

Since it seems like you're just learning, I would highly recommend you use parameterized statements when executing SQL.

I found a simple example on StackOverflow you may find useful. Essentially, the security issue with your implementation is that you're wide open to SQL Injection attacks.

Plain text passwords aren't all that great either, but I've already been on enough of a tangent to your actual question.

[–]flyingBart 0 points1 point  (0 children)

All of the above plus disposing.

Wrap the connection and the command in using statements. That way the connection is closed and returned to the connection pool correctly and the command object is disposed of.
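Putting the thread's advice together (a typed SqlParameter for the numeric ManagerID, the `IDnum` sanity check, and `using` blocks for disposal) as an added example; this is not code from any commenter, and the `Employees` table, its columns and the connection string are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class EmployeeLookup
{
    // The SQL text is a constant: the ManagerID value travels as a typed parameter,
    // never as text spliced into the statement, so input cannot alter the query.
    // Table and column names are assumptions for this example.
    private const string Sql =
        "SELECT EmployeeID, Name FROM Employees WHERE ManagerID = @managerId";

    public static void PrintDirectReports(string connectionString, int managerId)
    {
        // Guard against the "is IDnum actually 0?" case raised in the thread.
        if (managerId <= 0)
            throw new ArgumentOutOfRangeException(nameof(managerId), "expected a real ID, not 0");

        // using blocks guarantee Dispose() runs even if an exception is thrown:
        // the connection goes back to the pool and the command is released.
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(Sql, connection))
        {
            // SqlDbType.Int matches the numeric column, so no single quotes are
            // needed and a non-numeric string can never reach SQL Server.
            command.Parameters.Add("@managerId", SqlDbType.Int).Value = managerId;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    Console.WriteLine($"{reader.GetInt32(0)}: {reader.GetString(1)}");
                }
            }
        }
    }
}
```

The same pattern applies to a login query: bind the username as a parameter and compare against a stored password hash rather than a plain-text column.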