sqlAccounts = "spAccounts @Username = '" & strUsername_form & "', @Password = '" & strPassword_form & "'"
Let's say I entered this into the username field and password field.
For uname, I will put
myname' or 'a'='a
and for pw, I will put
mypw' or 'a'='a
Then your sqlAccounts variable will be
"spAccounts @Username = 'myname' or 'a'='a', @Password = 'mypw' or 'a'='a'"
I am not 100% sure if this will work, but SQL injection goes something like that...
Or better yet...
if you just have SQL statements directly in your code, people can do this:
Put whatever for uname,
then put, mypw'; delete from users where 'a'='a
Then your sqlAccounts will be
"spAccounts @Username = 'whatever', @Password = 'mypw'; delete from users where 'a'='a'"
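The concatenated call discussed in this post, rewritten with bound parameters so the form values are sent as data and never become part of the SQL text. This is an added example, not part of the original post; the function name AccountExists, the open ADODB.Connection passed as conn, the varchar(50) parameter size and the assumption that spAccounts returns a row on a match are all assumptions made for illustration.

```vbscript
' ADO constants (values from adovbs.inc), declared so the snippet is self-contained.
Const adCmdStoredProc = 4
Const adVarChar = 200
Const adParamInput = 1
Const adStateOpen = 1
Const MAX_LEN = 50   ' assumed size of both varchar parameters

' Vulnerable form from the post: user input is spliced into the SQL text.
'   sqlAccounts = "spAccounts @Username = '" & strUsername_form & "', ..."

' Hypothetical helper: True when spAccounts returns at least one row.
Function AccountExists(conn, strUsername_form, strPassword_form)
    Dim cmd, rs
    AccountExists = False

    ' Reject empty or oversized input up front; ADO raises an error when a
    ' value is longer than the declared parameter size.
    If Len(strUsername_form) = 0 Or Len(strUsername_form) > MAX_LEN Then Exit Function
    If Len(strPassword_form) = 0 Or Len(strPassword_form) > MAX_LEN Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc   ' procedure call, not an ad hoc SQL string
    cmd.CommandText = "spAccounts"

    ' Each value travels as a typed parameter. A quote or semicolon in the
    ' input stays inside the value and cannot end the string or add a statement.
    cmd.Parameters.Append cmd.CreateParameter("@Username", adVarChar, adParamInput, MAX_LEN, strUsername_form)
    cmd.Parameters.Append cmd.CreateParameter("@Password", adVarChar, adParamInput, MAX_LEN, strPassword_form)

    Set rs = cmd.Execute
    ' A procedure that returns no result set gives back a closed recordset.
    If rs.State = adStateOpen Then
        AccountExists = Not rs.EOF
        rs.Close
    End If
    Set rs = Nothing
    Set cmd = Nothing
End Function
```

Binding protects only the call itself: if spAccounts builds and executes dynamic SQL from its arguments internally, the procedure body needs the same treatment.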