必须声明标量变量“@User”

public class Query
{
    public int ValidateLogin(string userID, string password)
    {
        string query = "Select * From tblLogin where UserID = @user and Password = @paswd";
        Connection objConn = new Connection();
        DataTable dtLogin = objConn.GetDataFromDB(query);
        int result = 0;
        if (dtLogin.Rows.Count > 0)
        {
            result = 1;
        }
        return result;
}
public class Connection
{
    string conn = ConfigurationManager.ConnectionStrings["DBConn"].ToString();
    public DataTable GetDataFromDB(string query)
    {
        SqlConnection myConn = new SqlConnection(conn);
        myConn.Open();
        SqlDataAdapter da = new SqlDataAdapter();
        da.SelectCommand = myConn.CreateCommand();
        da.SelectCommand.CommandText = query;
        DataTable dt = new DataTable();
        da.Fill(dt);
        da.Dispose();
        myConn.Close();
        return dt;
}
protected void Page_Load(object sender, EventArgs e)
{
}
protected void btn_login_Click(object sender, EventArgs e)
{
        int result = 0;
        Query q = new Query();
        result = q.ValidateLogin(txt_userID.Text, txt_password.Text);
        if (result == 1)
        {
            Response.Redirect("~/Performance Appraisal Form.aspx");
        }
        else
        {
        }
}

将您的参数添加到SelectCommand

的例子:

private static void UpdateDemographics(Int32 customerID,
    string demoXml, string connectionString)
{
    // Update the demographics for a store, which is stored 
    // in an xml column. 
    string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
        + "WHERE CustomerID = @ID;";
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        SqlCommand command = new SqlCommand(commandText, connection);
        command.Parameters.Add("@ID", SqlDbType.Int);
        command.Parameters["@ID"].Value = customerID;
        // Use AddWithValue to assign Demographics.
        // SQL Server will implicitly convert strings into XML.
        command.Parameters.AddWithValue("@demographics", demoXml);
        try
        {
            connection.Open();
            Int32 rowsAffected = command.ExecuteNonQuery();
            Console.WriteLine("RowsAffected: {0}", rowsAffected);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}

代码

要做到这一点，请在 中添加另一个参数

  public DataTable GetDataFromDB(string query)

改为

  public DataTable GetDataFromDB(string query, string[] params) //example, can be another type of collection like ParameterCollection.

 da.SelectCommand.parameters.add("@user",params[0]);
 da.SelectCommand.parameters.add("@paswd",params[1]);

传递参数给你的方法。

string[] Params= new string[2];
    Params[0] = txt_userID.Text;
    Params[1] =txt_password.Text;

 DataTable dtLogin = objConn.GetDataFromDB(query,Params);

参考:

http://msdn.microsoft.com/es-es/library/system.data.sqlclient.sqlcommand.parameters (v = vs.110) . aspx

您正在使用内联SQL，因此它需要是一个有效的SQL字符串。@user不是SQL代码中声明的变量，因此不会检测到它。要么在SQL字符串中包含一个声明语句，要么在字符串中注入"user"的实际值。

希望对你有帮助。

哦，顺便说一句…请不要使用内联SQL，它非常不安全。