Question

这里是我在C＃中为我的网站更改密码编写的代码，但它显示了＆＃34; ExecuteNonQuery（）＆＃34;中的错误。命令..我不能用新密码更新数据库...我已经尝试了很多解决方案，就像我在Windows身份验证中有检查权限，以修改＆＃34;数据库＆＃34;文件.. - ＆GT; Change.aspx.cs中的代码：

protected void Button1_Click(object sender, EventArgs e)
{
    OleDbConnection conn = new OleDbConnection();
    string connectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb";
    conn = new OleDbConnection(connectionString);
    conn.Open();

    string str1 = "select * from Student_Login where Password ='" + TextBox1.Text + "'";
    OleDbCommand cmd = new OleDbCommand(str1, conn);
    OleDbDataReader dr = cmd.ExecuteReader();

    if (dr.Read())
    {
        OleDbConnection con1 = new OleDbConnection(@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb");
        con1.Open();
        string str = "UPDATE Student_Login SET Password=" + TextBox3.Text + "where Password= " + TextBox1.Text;
        using (OleDbCommand cmd1 = new OleDbCommand(str, con1))
        {
            cmd1.ExecuteNonQuery();
        }
        Label1.Visible = true;
        con1.Close();
    }
    else
    {
        Label3.Visible = true;
    }
    conn.Close();
}

................... error image

Answer 1

现有代码中似乎存在一些语法问题，例如在构建查询时将参数值丢失，并将字符串连接起来，如下所示：

string str = "UPDATE Student_Login SET Password='" + TextBox3.Text + "' where Password= " + TextBox1.Text + "'";

这里一个更大的问题是你没有使用SQL参数化，这可能导致这样的问题发生（并导致SQL注入漏洞）。请考虑以下代码，该代码应解决您之前的所有问题，并保护您免受任何基于注入的恶意：

// Create your connection
using (var conn = new OleDbConnection(@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb"))
{
    // Build your first query
    var query = "SELECT * FROM Student_Login WHERE Password = @password";
    // Create a command to execute your query
    using (var cmd = new OleDbCommand(query, conn))
    {
            // Open your connection
            conn.Open();
            // Add your parameter (prevents SQL Injection and syntax issues)
            cmd.Parameters.AddWithValue("@password", TextBox1.Text);

            // Execute your query into a reader
            using (var dr = cmd.ExecuteReader())
            {
                    // Go through each row
                    while(dr.Read())
                    {
                        // Build an update query
                        var updateQuery = "UPDATE Student_LogIn SET Password = @password WHERE Password = @oldPassword";
                        // Build a new command to execute
                        using (var updateCmd = new OleDbCommand(updateQuery, conn))
                        {
                            // Set a parameter and execute
                            updateCmd.Parameters.AddWithValue("@password", TextBox3.Text);
                            updateCmd.Parameters.AddWithValue("@oldPassword", TextBox1.Text);
                            // Execute your query
                            updateCmd.ExecuteNonQuery();
                            Label1.Visible = true;
                        }
                    }
            }
    }
}

您也可以尝试这个不依赖于命名参数的版本：

// Create your connection
using (var conn = new OleDbConnection(@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb"))
{
    // Build your first query
    var query = "SELECT * FROM Student_Login WHERE Password = ?";
    // Create a command to execute your query
    using (var cmd = new OleDbCommand(query, conn))
    {
            // Open your connection
            conn.Open();
            // Add your parameter (prevents SQL Injection and syntax issues)
            cmd.Parameters.AddWithValue("@password", TextBox1.Text);

            // Execute your query into a reader
            using (var dr = cmd.ExecuteReader())
            {
                    // Go through each row
                    while(dr.Read())
                    {
                        // Build an update query
                        var updateQuery = "UPDATE Student_LogIn SET Password = ? WHERE Password = ?";
                        // Build a new command to execute
                        using (var updateCmd = new OleDbCommand(updateQuery, conn))
                        {
                            // Set a parameter and execute
                            updateCmd.Parameters.AddWithValue("@password", TextBox3.Text);
                            updateCmd.Parameters.AddWithValue("@oldPassword", TextBox1.Text);
                            // Execute your query
                            updateCmd.ExecuteNonQuery();
                            Label1.Visible = true;
                        }
                    }
            }
    }
}

Answer 2

你可以尝试一次......

updateCmd.Parameters.Add（＆＃34; @ password＆＃34;，SqlDbType.VarChar）; updateCmd.Parameters [＆＃34; @ password＆＃34;]。Value = TextBox3.Text;

updateCmd.Parameters.Add（＆＃34; @ oldPassword＆＃34;，SqlDbType.VarChar）; updateCmd.Parameters [＆＃34; @ oldPassword＆＃34;]。Value = TextBox1.Text;

C＃中的ExecuteNonQuery命令出错，无法更新数据库

2 个答案: