How to update only some columns of database?

Question

The problem occuring on updating only email all other blanks get null . Even if i unchecked allow null in sql server 2008 .my code is-

protected void Updateinfo_Click(object sender, EventArgs e)
{
    string radiogender;
    if (Radiochngmale.Checked == true)
        radiogender = Radiochngmale.Text.ToString();
    else
        radiogender = Radiochngfemale.Text.ToString();
    SqlConnection con = new SqlConnection();
    con.ConnectionString = ConfigurationManager.ConnectionStrings["Con"].ConnectionString;
    con.Open();
    if (con.State == ConnectionState.Open)
    {
        SqlCommand cmd = new SqlCommand();
        Random r = new Random();
        int next = r.Next();
        if (FileUpload2.HasFile)
        {
            string myMap = MapPath("~/").ToLower();
            string ImageName = FileUpload2.PostedFile.FileName;
            sImageFileExtension = ImageName.Substring(ImageName.LastIndexOf(".")).ToLower();
            if (sImageFileExtension == ".gif" || sImageFileExtension == ".png" || sImageFileExtension == ".jpg" || sImageFileExtension == ".jpeg" || sImageFileExtension == ".bmp")
            {
                string ImageSaveURL = myMap + "UserImage/" + next + sImageFileExtension;
                FileUpload2.PostedFile.SaveAs(ImageSaveURL);
            }
            else
                Response.Write("Invalid File");
        }
        cmd.Connection = con; 
        if(chngfname.Text==null)
            chngfname.Text="Select Firstname from Login where Email='"+Session["UserName"]+"'";
        if (chnglastname.Text == null)
            chnglastname.Text = "Select Lastname from Login where Email='" + Session["UserName"] + "'";
        if (chngage.Text == null)
            chngage.Text = "Select age from Login where Email='" + Session["UserName"] + "'";
        if (chngemail.Text == null)
            chngemail.Text = "Select Email from Login where Email='" + Session["UserName"] + "'";
        if (radiogender == null)
            radiogender = "Select gender from Login where Email='" + Session["UserName"] + "'";
        if (chngpassword.Text == null)
            chngpassword.Text = "Select Password from Login where Email='" + Session["UserName"] + "'";
        if ( FileUpload2.HasFile==null)
             sImageFileExtension = "Select profile_pic from Login where Email='" + Session["UserName"] + "'";
        if (chngfname.Text == null)
            chngfname.Text = "Select Firstname from Login where Email='" + Session["UserName"] + "'";
        cmd.CommandText =  "Update Login set FirstName = '"+chngfname.Text+"',LastName='"+chnglastname.Text+"',Email='"+chngemail.Text+"',Password='"+chngpassword.Text+"' ,gender='"+radiogender+"',age='"+chngage.Text+"' , profile_pic='"+ next + sImageFileExtension + "' where Email='"+Session["UserName"]+"'";  
        cmd.CommandType = CommandType.Text; 
        cmd.ExecuteNonQuery();
        }
    }

Why didn't it is taking the previous values even if i mentioned it to take.Please check it out and sort it out

Answer 1

You should try to use a parametrized query instead of the current string concatenation method.
This will resolve the quoting problems and prevent sql injiection attacks

cmd.CommandText =  "Update Login set FirstName = @First, LastName=@Last, " +
                   "Email=@Mail, Password=@Pass, gender=@Gend,age=@Age, " + 
                   "profile_pic=@Prof " + 
                   "where Email=@oldMail";
cmd.Parameters.AddWithValue("@First", chngfname.Text);
cmd.Parameters.AddWithValue("@Last", chnglastname.Text);
cmd.Parameters.AddWithValue("@Mail", chngemail.Text);
cmd.Parameters.AddWithValue("@Pass", chngpassword.Text);
cmd.Parameters.AddWithValue("@Gend", radiogender);
cmd.Parameters.AddWithValue("@Age", chngage.Text);
cmd.Parameters.AddWithValue("@Prof", next + sImageFileExtension );
cmd.Parameters.AddWithValue("@oldMail", +Session["UserName"]);

However, as I have said in my previous comment, your code doesn't seems correct.
First a TextBox.Text cannot be null, it is an empty string. This will skip your text for null values above and you end with setting a blank value in the database. At least try to change the test with

if(string.IsNullOrEmpty(chngfname.Text))
    ......

But at this point you should change the code inside each if above. If your intentions is to retrieve the old values from the database and use them in case of empty string, you need to execute that string, not store it in the textbox.

EDIT: Before to start your update process you need to load the old values of the record you are trying to update. This could be done using the same connection

   SqlDataAdapter da = new SqlDataAdapter("SELECT * from Login where EMail = @oldMail", con);
   da.SelectCommand.Parameters.AddWithValue("@oldMail", Session["UserName");
   DataTable dt = new DataTable();
   da.Fill(dt);

now you have in a datatable all of your old values for that user, so when you reach the check of the old values you could write something like this

if(string.IsNullOrEmpty(chngfname.Text))
    cngfname.Text = (dt.Rows["FirstName"]  == DBNull.Value ? string.Empty : dt.Rows["FirstName"].ToString());

and remove that sql string because you have already retrieved the values for every potentially missing field

Answer 2

This is happening because TextBox.Text is never null so your SQL query ends up looking like this:

Update Login 
  set FirstName = '', 
      LastName = '',
where Email = 'John.doe@nowhere.net'

-- etc...

Except for the one or two fields where the data is actually set to something. Here's probably what you wanted it to look like:

update login
  set FirstName = 'John', 
      LastName = (select Lastname from login where email = 'John.doe@nowhere.net'), 
      etc...
where email = 'John.doe@nowhere.net'

But, there no need for the subqueries. If you want to avoid overwriting values where a value is null or empty string, then you want your SQL to look like the following, use Parameters and set them to DbNull when the textbox is empty.

cmd.Parameters.AddWithValue("@FirstName", (chngfname.Text == String.Empty) ? DbNull.Value : chngfname.Text;

update login
  set FirstName = coalesce(@firstName, FirstName), 
      LastName = coalesce(@LastName, LastName), 
      etc...
where Email = @Email

The other option is select the record first (which I'm sure you've already done) and simply use the same value that's already in the database.

if (chngfname.Text == String.Empty) chngfname.Text = Session["CurrentUserEntity"].FirstName;

Additionally, you need to change this to a parametrized query:

string sql = "update login set FirstName = @firstName, LastName = @lastName, etc... where email = @email;
cmd.Parameters.Add(...);