0

我有一个登录winform,我把更改密码放在里面。我有此代码用于更新我的数据库中的密码信息。但如果它是真的,它不会读取我的数据读取器,但如果它是假的,它会读取它,并更改我数据库中的密码。

    public void ChangePass()
    {
        sc.Open();
        try
        {
            if (_oldpass == "" || _newpass == "" || _conpass == "")
            {
                string message = "Must fill up all the fields!";
                string title = "Voting System Error Message";
                MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
            }
            else
            {
                cmd = new SqlCommand("SELECT password FROM TableLogin WHERE password = '" + _oldpass + "'", sc);

                SqlDataReader dr = cmd.ExecuteReader();

                if (dr.Read() == true)
                {
                    sc.Close();
                    if (_newpass == _conpass)
                    {
                        sc.Open();
                        cmd = new SqlCommand("UPDATE TableLogin SET password = '" + _newpass + "' WHERE username = 'admin'", sc);

                        SqlDataReader sdr = cmd.ExecuteReader();
                        if (sdr.Read() == true) 
                        {
                            MessageBox.Show("Successfully Changed!"); 
//This part does not read if true.. but if sdr.Read() == false it changes the password from my database.
                        }
                    }
                    else
                    {
                        string message = "New Password and Confirm Password does not match!";
                        string title = "Voting System Error Message";

                        MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    }
                }
                else
                {
                    string message = "Wrong Old Password!";
                    string title = "Voting System Error Message";

                    MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                }
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
        finally
        {
            sc.Close();
        }
    }

我不明白,为什么?

4

2 回答 2

1

我想Updatesql 中的语句不会返回记录,所以 read 不会返回true。你应该ExecuteNonQuery改用。

if (cmd.ExecuteNonQuery() > 0) 
{
    MessageBox.Show("Successfully Changed!"); 
}

顺便说一句,评论中指出使用参数化查询来防止 sql 注入。

于 2013-09-25T21:27:57.750 回答
0

以下是CW,因为它真的是一个很大的评论。我会对您的代码进行许多更改。以下是一些重要的:

    public void ChangePass()
    {
        // Not very important, but this doesn't need to be in the try/catch
        if (_oldpass == "" || _newpass == "" || _conpass == "")
        {
            var message = "Must fill up all the fields!";
            var title = "Voting System Error Message";
            MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
            return;
        }

        try
        {
            sc.Open();
            // SqlCommand, SqlDataReader, and anything else you create that implements
            // IDisposable, needs to be in a using block
            using (var cmd = new SqlCommand("SELECT password FROM TableLogin WHERE password = @Password", sc))
            {
                // As others have said, use parameters to avoid SQL Injection Attacks
                cmd.Parameters.AddWithValue("@Password", _oldpass);

                using (var dr = cmd.ExecuteReader())
                {
                    if (dr.Read()) // You don't need == true
                    {
                        if (_newpass == _conpass)
                        {
                            // Separate SqlCommand and use a using block
                            using (
                                var updateCommand =
                                    new SqlCommand(
                                        "UPDATE TableLogin SET password = @Password WHERE username = 'admin'",
                                        sc))
                            {
                                // and a parameter
                                updateCommand.Parameters.AddWithValue("@Password", _newpass);

                                // Use ExecuteNonQuery, and check affected rows
                                var rowsAffected = updateCommand.ExecuteNonQuery();
                                if (rowsAffected == 1)
                                {
                                    MessageBox.Show("Successfully Changed!");
                                }
                            }
                        }
                        else
                        {
                            var message = "New Password and Confirm Password does not match!";
                            var title = "Voting System Error Message";

                            MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                        }
                    }
                    else
                    {
                        var message = "Wrong Old Password!";
                        var title = "Voting System Error Message";

                        MessageBox.Show(message, title, MessageBoxButtons.OK, MessageBoxIcon.Error);
                    }
                }
            }
        }
        catch (Exception ex)
        {
            // For troubleshooting purposes, display the entire exception
            MessageBox.Show(ex.ToString());
        }
        finally
        {
            sc.Close();
        }
    }
于 2013-09-25T22:00:08.437 回答