ExecuteNonQuery command error in C#, cannot update the database

Time: 2016-04-25 16:59:30

Tags: c#-4.0

Here is the code I wrote in C# for changing the password on my website, but it shows an error in the "ExecuteNonQuery()" command.. I cannot update the database with the new password... I have tried many solutions, like checking that I have permission under Windows Authentication to modify the "Database" file.. -> Code in Change.aspx.cs:

protected void Button1_Click(object sender, EventArgs e)
{
    OleDbConnection conn = new OleDbConnection();
    string connectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb";
    conn = new OleDbConnection(connectionString);
    conn.Open();

    string str1 = "select * from Student_Login where Password ='" + TextBox1.Text + "'";
    OleDbCommand cmd = new OleDbCommand(str1, conn);
    OleDbDataReader dr = cmd.ExecuteReader();

    if (dr.Read())
    {
        OleDbConnection con1 = new OleDbConnection(@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb");
        con1.Open();
        string str = "UPDATE Student_Login SET Password=" + TextBox3.Text + "where Password= " + TextBox1.Text;
        using (OleDbCommand cmd1 = new OleDbCommand(str, con1))
        {
            cmd1.ExecuteNonQuery();
        }
        Label1.Visible = true;
        con1.Close();
    }
    else
    {
        Label3.Visible = true;
    }
    conn.Close();
}   

[error screenshot]

2 answers:

Answer 0 (score: 0)

There appear to be some syntax issues in the existing code, for example the quotes around the parameter values are lost when the query is built by string concatenation; it should look like this:

string str = "UPDATE Student_Login SET Password='" + TextBox3.Text + "' where Password='" + TextBox1.Text + "'";

A bigger problem here is that you are not using SQL parameters, which can cause exactly this kind of problem (and leads to SQL injection vulnerabilities). Consider the following code, which should resolve all of your previous issues and protect you from any injection-based attack:

// Create your connection
using (var conn = new OleDbConnection(@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb"))
{
    // Build your first query
    var query = "SELECT * FROM Student_Login WHERE Password = @password";
    // Create a command to execute your query
    using (var cmd = new OleDbCommand(query, conn))
    {
        // Open your connection
        conn.Open();
        // Add your parameter (prevents SQL Injection and syntax issues)
        cmd.Parameters.AddWithValue("@password", TextBox1.Text);

        // Execute your query into a reader
        using (var dr = cmd.ExecuteReader())
        {
            // Go through each row
            while (dr.Read())
            {
                // Build an update query
                var updateQuery = "UPDATE Student_LogIn SET Password = @password WHERE Password = @oldPassword";
                // Build a new command to execute
                using (var updateCmd = new OleDbCommand(updateQuery, conn))
                {
                    // Set the parameters and execute
                    updateCmd.Parameters.AddWithValue("@password", TextBox3.Text);
                    updateCmd.Parameters.AddWithValue("@oldPassword", TextBox1.Text);
                    // Execute your query
                    updateCmd.ExecuteNonQuery();
                    Label1.Visible = true;
                }
            }
        }
    }
}

You can also try this version, which does not rely on named parameters (OLE DB binds parameters by position, so the order of the Add calls must match the order of the ? markers):

// Create your connection
using (var conn = new OleDbConnection(@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb"))
{
    // Build your first query
    var query = "SELECT * FROM Student_Login WHERE Password = ?";
    // Create a command to execute your query
    using (var cmd = new OleDbCommand(query, conn))
    {
        // Open your connection
        conn.Open();
        // Add your parameter (prevents SQL Injection and syntax issues);
        // the name is ignored by OLE DB, the parameter is bound to the first ?
        cmd.Parameters.AddWithValue("@password", TextBox1.Text);

        // Execute your query into a reader
        using (var dr = cmd.ExecuteReader())
        {
            // Go through each row
            while (dr.Read())
            {
                // Build an update query
                var updateQuery = "UPDATE Student_LogIn SET Password = ? WHERE Password = ?";
                // Build a new command to execute
                using (var updateCmd = new OleDbCommand(updateQuery, conn))
                {
                    // Set the parameters in the same order as the ? markers, then execute
                    updateCmd.Parameters.AddWithValue("@password", TextBox3.Text);
                    updateCmd.Parameters.AddWithValue("@oldPassword", TextBox1.Text);
                    // Execute your query
                    updateCmd.ExecuteNonQuery();
                    Label1.Visible = true;
                }
            }
        }
    }
}
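As an added example (not code from the question or from either answer), the following console program shows both halves of the answer above: why concatenation fails as soon as a password contains a quote (the same class of syntax error ExecuteNonQuery raised for the asker) and how the positional OLE DB parameters carry the value out of band so the statement text never changes. It uses the Student_Login table and the connection string from the question, and assumes a hypothetical Student_ID column so that the update touches only the account being changed rather than every row that happens to share the same password; with that scoping the row count returned by ExecuteNonQuery also replaces the separate SELECT. Plaintext password storage is inherited from the page's schema and is not something to copy into a new design.

```csharp
// Added example, not part of the original page. Assumes the Student_Login table
// from the question plus a hypothetical Student_ID column.
using System;
using System.Data.OleDb;

public static class PasswordChangeExample
{
    // Connection string taken from the question; adjust the path for your environment.
    private const string ConnectionString =
        @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Users\Lenovo\Desktop\PlacementCell\PlacementCell\Database.mdb";

    // The concatenation approach from the question. A value containing an
    // apostrophe terminates the string literal early and leaves invalid SQL,
    // which is the kind of error ExecuteNonQuery reports.
    public static string BuildConcatenatedUpdate(string newPassword, string oldPassword)
    {
        return "UPDATE Student_Login SET Password='" + newPassword +
               "' WHERE Password='" + oldPassword + "'";
    }

    // Parameterized version. OLE DB binds by position, so the Add() calls must
    // follow the order of the '?' markers; the names are only documentation.
    public static OleDbCommand BuildParameterizedUpdate(OleDbConnection conn,
        string studentId, string oldPassword, string newPassword)
    {
        var cmd = new OleDbCommand(
            "UPDATE Student_Login SET Password = ? WHERE Student_ID = ? AND Password = ?", conn);
        cmd.Parameters.Add("newPassword", OleDbType.VarWChar).Value = newPassword;
        cmd.Parameters.Add("studentId", OleDbType.VarWChar).Value = studentId;
        cmd.Parameters.Add("oldPassword", OleDbType.VarWChar).Value = oldPassword;
        return cmd;
    }

    // Performs the change and returns the number of rows updated: 1 when the
    // old password matched the given account, 0 otherwise. No SELECT is needed.
    public static int ChangePassword(string studentId, string oldPassword, string newPassword)
    {
        using (var conn = new OleDbConnection(ConnectionString))
        using (var cmd = BuildParameterizedUpdate(conn, studentId, oldPassword, newPassword))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed input: a password containing an apostrophe.
        string tricky = "pa'ss";

        // The concatenated statement: the embedded quote splits the literal,
        // so the database rejects it as a syntax error.
        Console.WriteLine(BuildConcatenatedUpdate(tricky, "old"));

        // The parameterized command: the text still contains only '?' markers
        // and the value sits in the parameter collection, so no quoting is needed.
        using (var conn = new OleDbConnection(ConnectionString))
        using (var cmd = BuildParameterizedUpdate(conn, "S001", "old", tricky))
        {
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("parameters bound: " + cmd.Parameters.Count);
        }
        // ChangePassword("S001", "old", tricky) would run the update against the
        // Access file when the Jet provider is installed (32-bit process on Windows).
    }
}
```

Main only builds the commands so the comparison can be inspected without the Jet provider; ChangePassword is the part that actually needs the database and must run in a 32-bit process because the Microsoft.Jet.OLEDB.4.0 provider has no 64-bit build.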

Answer 1 (score: 0)

You could try it this way once...

updateCmd.Parameters.Add("@password", OleDbType.VarChar); updateCmd.Parameters["@password"].Value = TextBox3.Text;

updateCmd.Parameters.Add("@oldPassword", OleDbType.VarChar); updateCmd.Parameters["@oldPassword"].Value = TextBox1.Text;