我有一个登录winform,我把更改密码放入其中。我有这个代码来更新我的数据库中的密码信息。但如果它是真的,它不会读取我的datareader,但如果它是false,它将读取它,并更改我的数据库中的密码。
public void ChangePass()
{
sc.Open();
try
{
if (_oldpass == "" || _newpass == "" || _conpass == "")
{
string message = "Must fill up all the fields!";
string title = "Voting System Error Message";
MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
else
{
cmd = new SqlCommand("SELECT password FROM TableLogin WHERE password = '" + _oldpass + "'", sc);
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read() == true)
{
sc.Close();
if (_newpass == _conpass)
{
sc.Open();
cmd = new SqlCommand("UPDATE TableLogin SET password = '" + _newpass + "' WHERE username = 'admin'", sc);
SqlDataReader sdr = cmd.ExecuteReader();
if (sdr.Read() == true)
{
MessageBox.Show("Successfully Changed!");
//This part does not read if true.. but if sdr.Read() == false it changes the password from my database.
}
}
else
{
string message = "New Password and Confirm Password does not match!";
string title = "Voting System Error Message";
MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
else
{
string message = "Wrong Old Password!";
string title = "Voting System Error Message";
MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
finally
{
sc.Close();
}
}
我不明白,为什么?
答案 0 :(得分:1)
我认为sql中的Update
语句不会返回记录,因此read不会返回true
。您应该使用ExecuteNonQuery
代替。
if (cmd.ExecuteNonQuery() > 0)
{
MessageBox.Show("Successfully Changed!");
}
BTW如注释中所指出的那样使用参数化查询来阻止sql注入。
答案 1 :(得分:0)
以下是CW,因为它真的是一个很大的评论。我对您的代码进行了许多更改。以下是一些重要的内容:
public void ChangePass()
{
// Not very important, but this doesn't need to be in the try/catch
if (_oldpass == "" || _newpass == "" || _conpass == "")
{
var message = "Must fill up all the fields!";
var title = "Voting System Error Message";
MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
return;
}
try
{
sc.Open();
// SqlCommand, SqlDataReader, and anything else you create that implements
// IDisposable, needs to be in a using block
using (var cmd = new SqlCommand("SELECT password FROM TableLogin WHERE password = @Password", sc))
{
// As others have said, use parameters to avoid SQL Injection Attacks
cmd.Parameters.AddWithValue("@Password", _oldpass);
using (var dr = cmd.ExecuteReader())
{
if (dr.Read()) // You don't need == true
{
if (_newpass == _conpass)
{
// Separate SqlCommand and use a using block
using (
var updateCommand =
new SqlCommand(
"UPDATE TableLogin SET password = @Password WHERE username = 'admin'",
sc))
{
// and a parameter
updateCommand.Parameters.AddWithValue("@Password", _newpass);
// Use ExecuteNonQuery, and check affected rows
var rowsAffected = updateCommand.ExecuteNonQuery();
if (rowsAffected == 1)
{
MessageBox.Show("Successfully Changed!");
}
}
}
else
{
var message = "New Password and Confirm Password does not match!";
var title = "Voting System Error Message";
MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
else
{
var message = "Wrong Old Password!";
var title = "Voting System Error Message";
MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
}
}
}
}
catch (Exception ex)
{
// For troubleshooting purposes, display the entire exception
MessageBox.Show(ex.ToString());
}
finally
{
sc.Close();
}
}