tags:

views:

47

answers:

3
+1  Q: 

Table is not getting updated , when used executeNonquery

Hi,

I am trying to change the user password. I am not able to update the password :(. The message i am getting is password changed where as its not getting changed. . My code is as follow.. Please if anyone can suggest where i am going wrong . I am just a beginner ...

protected void Button1_Click(object sender, EventArgs e)
{
    DatabaseLayer data = new DatabaseLayer();

    string username = Session["Authenticate"].ToString();
    string password = TextBox1.Text;
    string newpass = TextBox2.Text;
    string confirm = TextBox3.Text;
    string flag = "";

    if (newpass.ToString() == confirm.ToString())
    {
        flag = data.passwordChange(username, password, newpass);
        Literal1.Text = flag.ToString();
    }
    else
    {
        Literal1.Text = "New Password does not match the Confirm Password ";
    }
}

The above click event must change my password, and the function passwordChange is as follows..

public string passwordChange(string username, string password, string newPasswd)
{
    string SQLQuery = "SELECT password FROM LoginAccount WHERE username = '" + username + "'";
    string SQLQuery1 = "UPDATE LoginAccount SET password = ' " + newPasswd + " ' WHERE username = ' " + username + "'";
    SqlCommand command = new SqlCommand(SQLQuery, sqlConnection);
    SqlCommand command1 = new SqlCommand(SQLQuery1, sqlConnection);

    sqlConnection.Open();
    string sqlPassword = "";
    SqlDataReader reader;

    try
    {
        reader = command.ExecuteReader();


        if (reader.Read())
        {
            if (!reader.IsDBNull(0))
            {
                sqlPassword = reader["password"].ToString();
            }
        }
        reader.Close();

        if (sqlPassword.ToString() == password.ToString())
        {
            try
            {
                int flag = 0;
                flag = command1.ExecuteNonQuery();

                if (flag > 0)
                {
                    sqlConnection.Close();
                    return "Password Changed Successfully";
                }
                else
                {
                    sqlConnection.Close();
                    return "User Password could not be changed";
                }
            }
            catch (Exception exr)
            {
                sqlConnection.Close();
                return "Password Could Not Be Changed Please Try Again";
            }
        }
        else
        {
            sqlConnection.Close();
            return "User Password does not Match";
        }
    }
    catch (Exception exr)
    {
        sqlConnection.Close();
        return "User's Password already exists";
    }
}

I had put a break point near 

if(flag>0)

it still shows that executeNonquery aint returning the updated rows value and also in the Back end of SQL server, its not changing, Please if anyone could correct me... Should i use other execute command or something? I am doing this with VS 2008 and SQL server 2005..

A: 

If you're getting zero rows affected double check that your WHERE clause actually works. I'd bet that if you SELECTed WHERE username = '" + username + "'", you won't find the row you're looking for. That'd, at least, be the first thing I would confirm.

hometoast  2010-08-17 14:35:28
+5  A: 

1: It's your spacing between your single and double quotes: (Like: ' " + username + " ')
2) You are begging for SQL Injection.

Try this in your PasswordChange method:

public string PasswordChange(string userName, string oldPass, string newPass)
{
    using(SqlConnection sqlConnection = new SqlConnection(
        ConfigurationManager.ConnectionStrings["LoginDb"].ConnectionString))
   {
    string sqlToConfirmOldPass =
      "SELECT password FROM LoginAccount WHERE username = @userName";
    string sqlToUpdatePassword =
      "UPDATE LoginAccount SET password = @newPass WHERE username = @userName";

    SqlCommand confirmOldPass = new SqlCommand(sqlToConfirmOldPass, sqlConnection);
    confirmOldPass.Parameters.AddWithValue("@userName", userName);

    SqlCommand updatePassword = new SqlCommand(sqlToUpdatePassword, sqlConnection);
    updatePassword.Parameters.AddWithValue("@newPass", newPass);
    updatePassword.Parameters.AddWithValue("@userName", userName);

    [Rest of your code goes here]
   }
}

I also didn't see where you set your SqlConnection, so I've added a line for that. You'll need to modify it according to your needs.

AllenG  2010-08-17 14:35:54
Good catch on the spaces in the statement.
hometoast  2010-08-17 14:37:07
@AllenG i had taken the connection string global..will try for parameterized method..
Nagaraj Tantri  2010-08-17 14:37:38
@AllenG thank you. The thing is i am using it for the first time.. i mean i m doing a hobby proj.. thank's a ton
Nagaraj Tantri  2010-08-17 15:02:50
@Nagaraj: No problem
AllenG  2010-08-17 15:08:16
+1  A: 

Maybe try this code instead.

public string passwordChange(string username, string password, string newPasswd)
{
    string SQLQuery = "SELECT password FROM LoginAccount WHERE username = @username";
    string SQLQuery1 = "UPDATE LoginAccount SET password = @newPassword  WHERE username = @username";
    SqlCommand command = new SqlCommand(SQLQuery, sqlConnection);
    command.Parameters.AddWithValue("@username", username);

    SqlCommand command1 = new SqlCommand(SQLQuery1, sqlConnection);
    command1.Parameters.AddWithValue("@username", username);
    command1.Parameters.AddWithValue("@newPassword", newPasswd);

    sqlConnection.Open();
    string sqlPassword = "";
    SqlDataReader reader;

    try
    {
        reader = command.ExecuteReader();


        if (reader.Read())
        {
            if (!reader.IsDBNull(0))
            {
                sqlPassword = reader["password"].ToString();
            }
        }
        reader.Close();

        if (sqlPassword.ToString() == password.ToString())
        {
            try
            {
                int flag = 0;
                flag = command1.ExecuteNonQuery();

                if (flag > 0)
                {
                    sqlConnection.Close();
                    return "Password Changed Successfully";
                }
                else
                {
                    sqlConnection.Close();
                    return "User Password could not be changed";
                }
            }
            catch (Exception exr)
            {
                sqlConnection.Close();
                return "Password Could Not Be Changed Please Try Again";
            }
        }
        else
        {
            sqlConnection.Close();
            return "User Password does not Match";
        }
    }
    catch (Exception exr)
    {
        sqlConnection.Close();
        return "User's Password already exists";
    }
}
msarchet  2010-08-17 14:37:04

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?