DataReader不读取我的if代码

时间:2013-09-25 21:12:56

标签: c# datareader

我有一个登录winform,我把更改密码放入其中。我有这个代码来更新我的数据库中的密码信息。但如果它是真的,它不会读取我的datareader,但如果它是false,它将读取它,并更改我的数据库中的密码。

    public void ChangePass()
    {
        sc.Open();
        try
        {
            if (_oldpass == "" || _newpass == "" || _conpass == "")
            {
                string message = "Must fill up all the fields!";
                string title = "Voting System Error Message";
                MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
            else
            {
                cmd = new SqlCommand("SELECT password FROM TableLogin WHERE password = '" + _oldpass + "'", sc);

                SqlDataReader dr = cmd.ExecuteReader();

                if (dr.Read() == true)
                {
                    sc.Close();
                    if (_newpass == _conpass)
                    {
                        sc.Open();
                        cmd = new SqlCommand("UPDATE TableLogin SET password = '" + _newpass + "' WHERE username = 'admin'", sc);

                        SqlDataReader sdr = cmd.ExecuteReader();
                        if (sdr.Read() == true) 
                        {
                            MessageBox.Show("Successfully Changed!"); 
//This part does not read if true.. but if sdr.Read() == false it changes the password from my database.
                        }
                    }
                    else
                    {
                        string message = "New Password and Confirm Password does not match!";
                        string title = "Voting System Error Message";

                        MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    }
                }
                else
                {
                    string message = "Wrong Old Password!";
                    string title = "Voting System Error Message";

                    MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                }
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
        finally
        {
            sc.Close();
        }
    }

我不明白,为什么?

2 个答案:

答案 0 :(得分:1)

我认为sql中的Update语句不会返回记录,因此read不会返回true。您应该使用ExecuteNonQuery代替。

if (cmd.ExecuteNonQuery() > 0) 
{
    MessageBox.Show("Successfully Changed!"); 
}

BTW如注释中所指出的那样使用参数化查询来阻止sql注入。

答案 1 :(得分:0)

以下是CW,因为它真的是一个很大的评论。我对您的代码进行了许多更改。以下是一些重要的内容:

    public void ChangePass()
    {
        // Not very important, but this doesn't need to be in the try/catch
        if (_oldpass == "" || _newpass == "" || _conpass == "")
        {
            var message = "Must fill up all the fields!";
            var title = "Voting System Error Message";
            MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
            return;
        }

        try
        {
            sc.Open();
            // SqlCommand, SqlDataReader, and anything else you create that implements
            // IDisposable, needs to be in a using block
            using (var cmd = new SqlCommand("SELECT password FROM TableLogin WHERE password = @Password", sc))
            {
                // As others have said, use parameters to avoid SQL Injection Attacks
                cmd.Parameters.AddWithValue("@Password", _oldpass);

                using (var dr = cmd.ExecuteReader())
                {
                    if (dr.Read()) // You don't need == true
                    {
                        if (_newpass == _conpass)
                        {
                            // Separate SqlCommand and use a using block
                            using (
                                var updateCommand =
                                    new SqlCommand(
                                        "UPDATE TableLogin SET password = @Password WHERE username = 'admin'",
                                        sc))
                            {
                                // and a parameter
                                updateCommand.Parameters.AddWithValue("@Password", _newpass);

                                // Use ExecuteNonQuery, and check affected rows
                                var rowsAffected = updateCommand.ExecuteNonQuery();
                                if (rowsAffected == 1)
                                {
                                    MessageBox.Show("Successfully Changed!");
                                }
                            }
                        }
                        else
                        {
                            var message = "New Password and Confirm Password does not match!";
                            var title = "Voting System Error Message";

                            MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                        }
                    }
                    else
                    {
                        var message = "Wrong Old Password!";
                        var title = "Voting System Error Message";

                        MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    }
                }
            }
        }
        catch (Exception ex)
        {
            // For troubleshooting purposes, display the entire exception
            MessageBox.Show(ex.ToString());
        }
        finally
        {
            sc.Close();
        }
    }