Building SQL by string concatenation is not secure: anyone who controls the concatenated value can break out of the string literal and alter or append SQL statements (SQL injection). Pass user-supplied values as parameters instead; parameters are always available for values (only identifiers such as table or column names cannot be parameterized and must be checked against an allow-list).
Bad code:
// Vulnerable: login and password are spliced into the SQL text. A single quote inside either value
// terminates the literal and whatever follows is executed as SQL (e.g. a "--" comments out the
// Password check). Kept here only as the negative example — never copy this pattern.
SqlCommand command = new SqlCommand("SELECT COUNT(*) FROM Accounts WHERE Login='" + login + "' AND Password='" + password + "'", conn);
Good code:
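// Parameterized query: login and password are sent to the server as typed parameter values,
// never as part of the SQL text, so quotes or comment markers in the input cannot change the statement.
SqlCommand command = new SqlCommand("SELECT COUNT(*) FROM Accounts WHERE Login=@login AND Password=@password", conn);

// Size is the maximum length transmitted to the server; SqlClient silently truncates longer string
// values to that size. Reject over-long input up front rather than let a truncated value be compared.
const int maxLength = 100;
if (login.Length > maxLength || password.Length > maxLength)
{
    throw new ArgumentException("Login and password must be at most " + maxLength + " characters.");
}

// Parameter names carry the same "@" prefix as in the SQL text. SqlClient also accepts the bare
// name, but the explicit form matches the query and other ADO.NET providers.
command.Parameters.Add("@login", SqlDbType.VarChar, maxLength).Value = login;
command.Parameters.Add("@password", SqlDbType.VarChar, maxLength).Value = password;

// NOTE(review): comparing Password directly in the WHERE clause implies the table stores plaintext
// passwords. Parameterization fixes injection only; real code should store a salted hash (e.g. PBKDF2)
// and verify the hash instead of matching the raw password. Use NVarChar if the columns are nvarchar,
// otherwise the comparison forces an implicit conversion on the server.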