I have a login WinForm with a Change Password feature, and I use the code below to update the password in my database. The success branch guarded by the data reader does not run when I test for true, but if I test for false it runs, and the password in my database is changed.

    /// <summary>
    /// Checks the old password against TableLogin and, if a row matches and the new and
    /// confirmation values agree, overwrites the password of the 'admin' row.
    /// Every outcome is reported through a MessageBox.
    /// </summary>
    /// <remarks>
    /// NOTE(review): both SQL statements below are built by concatenating field values into
    /// the SQL text, so a quote character in the input changes the statement (SQL injection).
    /// Bind the values as SqlParameter objects instead.
    /// NOTE(review): the password column is compared and written as the raw value; it looks
    /// like passwords are stored in plaintext - confirm, and prefer a salted password hash.
    /// </remarks>
    public void ChangePass()
    {
        sc.Open();
        try
        {
            // All three fields must be filled in before touching the database.
            if (_oldpass == "" || _newpass == "" || _conpass == "")
            {
                string message = "Must fill up all the fields!";
                string title = "Voting System Error Message";
                MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
            else
            {
                // NOTE(review): _oldpass is concatenated into the query text (injectable).
                // The WHERE clause filters on password only, so a row belonging to any
                // username satisfies this check, while the UPDATE below targets 'admin'.
                cmd = new SqlCommand("SELECT password FROM TableLogin WHERE password = '" + _oldpass + "'", sc);

                // dr is never closed or disposed explicitly in this method.
                SqlDataReader dr = cmd.ExecuteReader();

                // Read() returns true when the SELECT produced at least one row.
                if (dr.Read() == true)
                {
                    // The connection is closed and reopened between the two statements.
                    sc.Close();
                    if (_newpass == _conpass)
                    {
                        sc.Open();
                        // NOTE(review): _newpass is concatenated into the statement text (injectable).
                        cmd = new SqlCommand("UPDATE TableLogin SET password = '" + _newpass + "' WHERE username = 'admin'", sc);

                        // An UPDATE produces no result set, so Read() on this reader returns
                        // false even though the statement has executed. ExecuteNonQuery()
                        // returns the affected-row count and is the call to test here.
                        SqlDataReader sdr = cmd.ExecuteReader();
                        if (sdr.Read() == true) 
                        {
                            MessageBox.Show("Successfully Changed!"); 
//This part does not read if true.. but if sdr.Read() == false it changes the password from my database.
                        }
                    }
                    else
                    {
                        string message = "New Password and Confirm Password does not match!";
                        string title = "Voting System Error Message";

                        MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    }
                }
                else
                {
                    string message = "Wrong Old Password!";
                    string title = "Voting System Error Message";

                    MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                }
            }
        }
        catch (Exception ex)
        {
            // Any failure is shown to the user as the exception's message text.
            MessageBox.Show(ex.Message);
        }
        finally
        {
            // Runs on every path, including the ones that already closed the connection.
            sc.Close();
        }
    }

I don't understand, why?


解决方案

An UPDATE statement in SQL does not return any records, so Read() on its reader will not return true even though the update has run. You should use ExecuteNonQuery instead, which returns the number of rows affected.

// An UPDATE yields no result set; ExecuteNonQuery reports how many rows it changed.
int rowsAffected = cmd.ExecuteNonQuery();
bool passwordWasChanged = rowsAffected > 0;
if (passwordWasChanged)
{
    MessageBox.Show("Successfully Changed!");
}

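BTW, as pointed out in the comments, use parameterized queries to prevent SQL injection: both statements in the question concatenate `_oldpass` and `_newpass` directly into the SQL text.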

其他提示

The following is CW, as it's really a big comment. There are many changes I'd make to your code. Here are some of the important ones:

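    /// <summary>
    /// Changes the password of the 'admin' row in TableLogin after verifying the old password.
    /// Every outcome is reported to the user through a MessageBox.
    /// </summary>
    /// <remarks>
    /// The old password is verified against the same account that is updated, both values are
    /// bound as parameters, and the verification result is read with ExecuteScalar so that no
    /// data reader is still open on the connection when the UPDATE runs.
    /// NOTE(review): the password is compared and stored as the raw value. A salted password
    /// hash (for example PBKDF2) is the usual hardening, but it needs a schema and data
    /// migration that is outside this method.
    /// </remarks>
    public void ChangePass()
    {
        const string title = "Voting System Error Message";

        // Input validation needs no database access, so it stays outside the try block.
        // IsNullOrEmpty also rejects null, which would otherwise fail later as a missing parameter.
        if (string.IsNullOrEmpty(_oldpass) || string.IsNullOrEmpty(_newpass) || string.IsNullOrEmpty(_conpass))
        {
            MessageBox.Show("Must fill up all the fields!", title, MessageBoxButtons.OK, MessageBoxIcon.Error);
            return;
        }

        try
        {
            sc.Open();

            bool oldPasswordMatches;

            // Bind the check to the account being changed: matching on the password alone
            // would accept the password of any row in TableLogin.
            using (var verifyCommand = new SqlCommand(
                "SELECT COUNT(*) FROM TableLogin WHERE username = 'admin' AND password = @Password",
                sc))
            {
                // Parameters keep user input out of the SQL text (prevents SQL injection).
                verifyCommand.Parameters.AddWithValue("@Password", _oldpass);

                // COUNT(*) always yields exactly one int row, and ExecuteScalar leaves no
                // reader open on the connection for the UPDATE below to collide with.
                oldPasswordMatches = (int)verifyCommand.ExecuteScalar() > 0;
            }

            if (!oldPasswordMatches)
            {
                MessageBox.Show("Wrong Old Password!", title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                return;
            }

            if (_newpass != _conpass)
            {
                MessageBox.Show(
                    "New Password and Confirm Password does not match!",
                    title,
                    MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
                return;
            }

            using (var updateCommand = new SqlCommand(
                "UPDATE TableLogin SET password = @Password WHERE username = 'admin'",
                sc))
            {
                updateCommand.Parameters.AddWithValue("@Password", _newpass);

                // An UPDATE returns no rows; ExecuteNonQuery returns the affected-row count.
                var rowsAffected = updateCommand.ExecuteNonQuery();
                if (rowsAffected == 1)
                {
                    MessageBox.Show("Successfully Changed!");
                }
                else
                {
                    // Do not fail silently when the expected single row was not updated.
                    MessageBox.Show("Password was not changed.", title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                }
            }
        }
        catch (Exception ex)
        {
            // For troubleshooting purposes, display the entire exception.
            // In a deployed build, log the details and show the user a generic message instead,
            // because the full text exposes query and stack-trace internals.
            MessageBox.Show(ex.ToString());
        }
        finally
        {
            // Runs on the early returns above as well.
            sc.Close();
        }
    }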
许可以下: CC-BY-SA归因
不隶属于 StackOverflow