0

I'm trying to change the password for the currently logged-in user, and I would like to know how to manage that.

I have tried this query, but each time I pass a good password combination or a bad one (in textBox1), I get a positive response.

How can I catch a negative update from the database in this case?

    SqlConnection conn = new SqlConnection(Conn.CS);
    SqlCommand comm = new SqlCommand();

    // Both text box values are concatenated straight into the SQL text.
    comm.CommandText = "update User set Pass= '" + textBox2.Text + "' where Pass= '" + textBox1.Text + "' and id=" + Korisnik.ID + "";
    comm.Connection = conn;

    try
    {
       conn.Open();
       // The return value (rows affected) is ignored, so success is always reported.
       comm.ExecuteNonQuery();
       MessageBox.Show("Success yaaay!", "Info");
    }
    catch (Exception ex)
    {
       MessageBox.Show(ex.Message);
    }
    finally
    {
       conn.Close();
    }
HaveNoDisplayName
Coa
  • What do you mean by negative update? And, you'll be doing yourself a favor by avoiding concatenating parameter values directly in the SQL string. Use parameter binding instead. – sstan Aug 17 '15 at 18:02
  • Please see [this](http://stackoverflow.com/a/7505842/5056245) post about formatting SQL query properly. You are opening yourself to a SQL injection attack. – balu Aug 19 '15 at 18:26

1 Answer

1

ExecuteNonQuery returns the number of affected records so it would return 0 if the userid / password combination does not exist.

Change to this:

        comm.CommandText= "update User set Pass= '" + textBox2.Text + "' where Pass= '" + textBox1.Text + "' and id=" + Korisnik.ID + "";
        comm.Connection = conn;

        try
        {
            conn.Open();
            int noOfRecordsUpdated = comm.ExecuteNonQuery();
            if (noOfRecordsUpdated > 0) {
               MessageBox.Show("Success yaaay!", "Info");
            } else {
               MessageBox.Show("No dice", "Info");
            }

        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
        finally
        {
            conn.Close();
        }
user469104
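The affected-row check from the answer combined with the parameter binding suggested in the comments, as an added example that is not code from the question or the answer. With concatenation the text in textBox1 becomes part of the WHERE clause, so the row count only proves the old password matched once the values are bound as parameters. The class and method names, the `int` type for the id and the `NVarChar(128)` column size are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example; PasswordChange and TryChangePassword are hypothetical names.
static class PasswordChange
{
    // Returns true only when exactly one row matched both the user id and the
    // current password. On the page the arguments would be Conn.CS, Korisnik.ID,
    // textBox1.Text (current password) and textBox2.Text (new password).
    public static bool TryChangePassword(string connectionString, int userId,
                                         string currentPassword, string newPassword)
    {
        // [User] is bracketed because USER is a reserved word in T-SQL.
        // The schema is kept as on the page (Pass compared directly); storing a
        // salted password hash instead of the password itself is the safer design.
        const string sql =
            "UPDATE [User] SET Pass = @newPass WHERE id = @id AND Pass = @currentPass";

        // using blocks close the connection even when an exception is thrown,
        // replacing the try/finally with conn.Close().
        using (var conn = new SqlConnection(connectionString))
        using (var comm = new SqlCommand(sql, conn))
        {
            // Values travel as typed parameters and are never parsed as SQL text.
            // Column type and size (NVarChar, 128) are assumed, not from the page.
            comm.Parameters.Add("@id", SqlDbType.Int).Value = userId;
            comm.Parameters.Add("@currentPass", SqlDbType.NVarChar, 128).Value = currentPassword;
            comm.Parameters.Add("@newPass", SqlDbType.NVarChar, 128).Value = newPassword;

            conn.Open();
            int rowsUpdated = comm.ExecuteNonQuery();

            // 0 rows: wrong current password or unknown id.
            // More than 1 row would mean id is not unique, which is also a failure.
            return rowsUpdated == 1;
        }
    }
}

// Usage from the form's click handler:
//   bool changed = PasswordChange.TryChangePassword(
//       Conn.CS, Korisnik.ID, textBox1.Text, textBox2.Text);
//   MessageBox.Show(changed ? "Success yaaay!" : "No dice", "Info");
```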