I have the following code snippet.

SqlCommand cmd = new SqlCommand("SELECT FName,LName FROM EMPL开发者_开发技巧OYEE_TABLE WHERE EmployeeID = '" +TextBox1.Text + "' AND Password = '"+ TextBox2.Text +"'", con);
SqlDataReader x = cmd.ExecuteReader();

try
{ 
    if (x.Read())
    {
        name = (string)x["FName"] +' '+ (string)x["LName"];
        Session["NAME"] = name;
        Session["ID"] = TextBox1.Text;
        Response.Redirect("sample.aspx?action=On_Click");
    }
    else
    {
        errormsg.Text = "login failed.Please enter Valid UserID and Password";
        errormsg.ForeColor = System.Drawing.Color.Red;
    }
}
catch (Exception exp)
{
    errormsg.Text = "Sorry,You dont have access to this portal.";
}
finally
{
    x.Close();
    con.Close();
}

Now, when i use a valid id (that exists) and password as abc' or 'x'='x then it logs in into the first account of the table in the database. Till this it's fine.

However when I try to debug the code, it throws an error Unable to evaluate expression because the code is optimized or a native frame is on top of the call stack..

Also if it is throwing an error then why is it logging into this 1st account of the database. Note: the first account of the database has a different userid than that which i m providing.

Note: I am the developed of this application. So I'm not doing anything illegal. :)

Look at this part of your SQL:

   "' AND Password = '"+ TextBox2.Text +"'"

With your password, it's

   "' AND Password = ''x'='x'"

which is not the SQL you want.

Even if you are trying to do SQL injection, you have to result in valid SQL. Usually, it's by ending the statement with a semi-colon after closing the quote. See this:

OK, to provide an answer based on the primary issue you've got (as you've stated, you're new to the SQL Injection issue).

SQL Injection is caused by dynamically building a SQL query using user input as part of the construction. The simplest solution to this in .Net is to create a parameterized query.

I think Jeff Atwood has the most complete yet concise article providing an explanation and complete example here

Quoted from above link:

SqlConnection conn = new SqlConnection(_connectionString);
conn.Open();
string s = "SELECT email, passwd, login_id, full_name " + 
  "FROM members WHERE email = @email";
SqlCommand cmd = new SqlCommand(s);
cmd.Parameters.Add("@email", email);
SqlDataReader reader = cmd.ExecuteReader();

The issue at hand:

The reason it's still logging into the account is because the query is still "valid".

The statement will still be executed, and the relevant record will still be returned from the database, no exception will be thrown.

The only way you will stop the login process when invalid data is provided is to validate the input before executing the query. You should always validate user input before sending it off to the database. If the user were to provide:

username'; drop table users;--

as the username, you would be in a LOT of trouble.

The error you're encountering is a debugging error, not an actual program exception. That's why it works when you run it normally.

To remedy the error, I'd first make sure that everything is running with a Debug build. Also, make sure you're currently debugging in the function of the variable you want to inspect. Try stepping (F10) a few times past your breakpoint to refresh the context. There are a slew of other suggestions on the internet for that particular error, so if you're still having problems you might have to do some googling.