Reputation: 5260
I am trying to change the user password. I am not able to update the password :(. The message I am getting is "password changed", whereas it is not getting changed. My code is as follows. Please, if anyone can suggest where I am going wrong. I am just a beginner...
protected void Button1_Click(object sender, EventArgs e)
{
    DatabaseLayer data = new DatabaseLayer();
    string username = Session["Authenticate"].ToString();
    string password = TextBox1.Text;
    string newpass = TextBox2.Text;
    string confirm = TextBox3.Text;
    string flag = "";
    if (newpass.ToString() == confirm.ToString())
    {
        flag = data.passwordChange(username, password, newpass);
        Literal1.Text = flag.ToString();
    }
    else
    {
        Literal1.Text = "New Password does not match the Confirm Password ";
    }
}
The above click event must change my password, and the function passwordChange is as follows:
public string passwordChange(string username, string password, string newPasswd)
{
    string SQLQuery = "SELECT password FROM LoginAccount WHERE username = '" + username + "'";
    string SQLQuery1 = "UPDATE LoginAccount SET password = ' " + newPasswd + " ' WHERE username = ' " + username + "'";
    SqlCommand command = new SqlCommand(SQLQuery, sqlConnection);
    SqlCommand command1 = new SqlCommand(SQLQuery1, sqlConnection);
    sqlConnection.Open();
    string sqlPassword = "";
    SqlDataReader reader;
    try
    {
        reader = command.ExecuteReader();
        if (reader.Read())
        {
            if (!reader.IsDBNull(0))
            {
                sqlPassword = reader["password"].ToString();
            }
        }
        reader.Close();
        if (sqlPassword.ToString() == password.ToString())
        {
            try
            {
                int flag = 0;
                flag = command1.ExecuteNonQuery();
                if (flag > 0)
                {
                    sqlConnection.Close();
                    return "Password Changed Successfully";
                }
                else
                {
                    sqlConnection.Close();
                    return "User Password could not be changed";
                }
            }
            catch (Exception exr)
            {
                sqlConnection.Close();
                return "Password Could Not Be Changed Please Try Again";
            }
        }
        else
        {
            sqlConnection.Close();
            return "User Password does not Match";
        }
    }
    catch (Exception exr)
    {
        sqlConnection.Close();
        return "User's Password already exists";
    }
}
I had put a breakpoint near if (flag > 0); it still shows that ExecuteNonQuery isn't returning the updated rows value, and also in the back end of SQL Server it's not changing. Please, if anyone could correct me... Should I use another execute command or something? I am doing this with VS 2008 and SQL Server 2005.
Upvotes: 1
Views: 4280
Reputation: 15242
Maybe try this code instead.
public string passwordChange(string username, string password, string newPasswd)
{
    string SQLQuery = "SELECT password FROM LoginAccount WHERE username = @username";
    string SQLQuery1 = "UPDATE LoginAccount SET password = @newPassword WHERE username = @username";
    SqlCommand command = new SqlCommand(SQLQuery, sqlConnection);
    command.Parameters.AddWithValue("@username", username);
    SqlCommand command1 = new SqlCommand(SQLQuery1, sqlConnection);
    command1.Parameters.AddWithValue("@username", username);
    command1.Parameters.AddWithValue("@newPassword", newPasswd);
    sqlConnection.Open();
    string sqlPassword = "";
    SqlDataReader reader;
    try
    {
        reader = command.ExecuteReader();
        if (reader.Read())
        {
            if (!reader.IsDBNull(0))
            {
                sqlPassword = reader["password"].ToString();
            }
        }
        reader.Close();
        if (sqlPassword.ToString() == password.ToString())
        {
            try
            {
                int flag = 0;
                flag = command1.ExecuteNonQuery();
                if (flag > 0)
                {
                    sqlConnection.Close();
                    return "Password Changed Successfully";
                }
                else
                {
                    sqlConnection.Close();
                    return "User Password could not be changed";
                }
            }
            catch (Exception exr)
            {
                sqlConnection.Close();
                return "Password Could Not Be Changed Please Try Again";
            }
        }
        else
        {
            sqlConnection.Close();
            return "User Password does not Match";
        }
    }
    catch (Exception exr)
    {
        sqlConnection.Close();
        return "User's Password already exists";
    }
}
Upvotes: 1
Reputation: 8190
1) It's your spacing between your single and double quotes (like: ' " + username + " ').
2) You are begging for SQL injection.
Try this in your PasswordChange method:
public string PasswordChange(string userName, string oldPass, string newPass)
{
    using (SqlConnection sqlConnection = new SqlConnection(
        ConfigurationManager.ConnectionStrings["LoginDb"].ConnectionString))
    {
        string sqlToConfirmOldPass =
            "SELECT password FROM LoginAccount WHERE username = @userName";
        string sqlToUpdatePassword =
            "UPDATE LoginAccount SET password = @newPass WHERE username = @userName";
        SqlCommand confirmOldPass = new SqlCommand(sqlToConfirmOldPass, sqlConnection);
        confirmOldPass.Parameters.AddWithValue("@userName", userName);
        SqlCommand updatePassword = new SqlCommand(sqlToUpdatePassword, sqlConnection);
        updatePassword.Parameters.AddWithValue("@newPass", newPass);
        updatePassword.Parameters.AddWithValue("@userName", userName);
        [Rest of your code goes here]
    }
}
I also didn't see where you set your SqlConnection, so I've added a line for that. You'll need to modify it according to your needs.
Upvotes: 6
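A complete version of the parameterized approach the two answers above describe, written here as an added example (not code from the question or from either answer). It assumes a web.config connection string named LoginDb as in the previous answer and a 50-character NVARCHAR for the two columns, and it folds the old-password check into the UPDATE's WHERE clause so that the affected-row count alone reports whether the change happened:

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public class PasswordService
{
    // Returns a user-facing status string, like the original passwordChange method.
    public string PasswordChange(string userName, string oldPass, string newPass)
    {
        // One statement checks the old password and updates in the same step, so there
        // is no gap between a SELECT and an UPDATE, and the row count is the answer.
        const string updateSql =
            "UPDATE LoginAccount SET password = @newPass " +
            "WHERE username = @userName AND password = @oldPass";

        // Assumed web.config entry named LoginDb, as in the previous answer.
        string connStr = ConfigurationManager.ConnectionStrings["LoginDb"].ConnectionString;

        try
        {
            using (SqlConnection conn = new SqlConnection(connStr))
            using (SqlCommand cmd = new SqlCommand(updateSql, conn))
            {
                // Typed parameters: no quoting, no stray spaces, no SQL injection, and the
                // declared type/size (assumed NVARCHAR(50)) matches the column instead of
                // being inferred from each value as AddWithValue does.
                cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
                cmd.Parameters.Add("@oldPass", SqlDbType.NVarChar, 50).Value = oldPass;
                cmd.Parameters.Add("@newPass", SqlDbType.NVarChar, 50).Value = newPass;

                conn.Open();
                int rows = cmd.ExecuteNonQuery();   // 1 when name and old password matched
                // Caveat: the comparison now runs under the column's collation, which is
                // case-insensitive on a default SQL Server install, unlike the original C# ==.
                if (rows == 1)
                    return "Password Changed Successfully";
                return "User Password does not Match";
            }
            // The using blocks close the connection on every path, including exceptions.
        }
        catch (SqlException)
        {
            return "Password Could Not Be Changed Please Try Again";
        }
    }
}
```

A result of 0 rows with a username you know exists is the symptom the question describes, and with parameters it can only mean the old password did not match.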
Reputation: 11792
If you're getting zero rows affected, double check that your WHERE clause actually works. I'd bet that if you SELECTed WHERE username = '" + username + "'", you won't find the row you're looking for. That'd, at least, be the first thing I would confirm.
Upvotes: 0