The error says System.Data.Common.DbCommand.ExecuteScalar(...) returned null.

```csharp
        protected void Button3_OnClick(object sender, EventArgs e)
        {
            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegisterConnectionString"].ConnectionString);
            conn.Open();
            string checkuser = "select count(*) from [User] where emailAddress='" + TextBox6.Text + "'";
            SqlCommand cmd = new SqlCommand(checkuser, conn);
            int temp = Convert.ToInt32(cmd.ExecuteScalar().ToString());
            conn.Close();
            if (temp >= 1)
            {
                conn.Open();
                string checkPasswordQuery = "select password from [User] where emailAddress='" + TextBox7.Text + "'";
                SqlCommand Passcmd = new SqlCommand(checkPasswordQuery, conn);
                string password = Passcmd.ExecuteScalar().ToString();
                if (password == TextBox7.Text)
                {
                    Session["New"] = TextBox6.Text;
                    Response.Write("Password is correct");
                    Response.Redirect("WebForm1.aspx");
                }
                else
                    Response.Write("Password is incorrect");
            }
            else
                Response.Write("Username not found");
        }
    }
}
```

It is said that the error occurs on the line which is written as: `string password = Passcmd.ExecuteScalar().ToString();`

The following is my Web Config:

```xml
<configuration>
  <connectionStrings>
    <add name="RegisterConnectionString" connectionString="Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\User.mdf;Integrated Security=True"
      providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.7.2" />
    <httpRuntime targetFramework="4.7.2" />
  </system.web>
  <system.webServer>
```

  • https://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database – mjwills Jul 15 '21 at 22:35
  • DO NOT EVER concatenate SQL queries. You are wide open for SQL Injection attacks. Use parameterised queries instead. NEVER store passwords in plain text. Also learn about the `using` statement and how it is used with objects that implement `IDisposable` – Jon P Jul 16 '21 at 00:22
  • There's a huge bunch of issues with your code: **Parameterize your queries** or you leave yourself open to injection attacks and errors. `Convert.ToInt32(cmd.ExecuteScalar().ToString())` is just silly, just cast it `(int) cmd.ExecuteScalar()`. Connection and command objects need to be in `using` blocks. Don't store passwords anywhere, and don't pass them back and forwards to/from the server, instead salt-and-hash, and compare the hashes. You can check the email address and password/hash in one query, you don't need to go back to the server twice. – Charlieface Jul 16 '21 at 00:26
  • I truly agree with you about storing passwords and concatenating SQL queries. However, the code listed here is for educational purposes and not deployed in real life. Thank you for your concern. – Samuel Prajasantosa Jul 16 '21 at 01:38
  • `However, the code listed here is for educational purposes` Why educate yourself in the _wrong_ way to do things? – mjwills Jul 16 '21 at 10:17

2 Answers

You are getting the error because you are calling `.ToString()` on `ExecuteScalar`, which has returned 'null'.

Based on that, the question is why is it giving you 'null'?

The following is somewhat speculative, based on your code, but ...

Your first query (which seems to work) uses 'TextBox6.Text' as the email address, while your second query (which doesn't work) uses 'TextBox7.Text' for the email address.

If this isn't intentional, (i.e. if TextBox6.Text is the correct box for the email address) then I would suggest that your second query should be:

```csharp
string checkPasswordQuery = "select password from [User] where emailAddress='" + TextBox6.Text + "'";
```

Stan Ed
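
The changes recommended in the comments (parameterised query, `using` blocks, salted hash, a single round trip), combined with a null check on the `ExecuteScalar` result, as an added example that is not code from the question or from either answer. The `passwordHash` column, its salt-plus-digest layout, the iteration count and the `LoginCheck` class name are assumptions made for the illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class LoginCheck
{
    // Assumed layout of a hypothetical [User].passwordHash varbinary(48) column:
    // 16-byte random salt followed by a 32-byte PBKDF2-HMAC-SHA256 digest.
    private const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    public static bool Verify(string email, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["RegisterConnectionString"].ConnectionString;
        byte[] stored;
        // using blocks dispose the connection and command even if an exception is thrown.
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "select passwordHash from [User] where emailAddress = @email", conn))
        {
            // The value travels as a typed parameter, never as part of the SQL text.
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
            conn.Open();
            // ExecuteScalar returns null when no row matches (DBNull for a NULL column);
            // "as byte[]" maps both to null instead of throwing on .ToString().
            stored = cmd.ExecuteScalar() as byte[];
        }
        if (stored == null || stored.Length != SaltSize + HashSize)
            return false;

        byte[] salt = new byte[SaltSize];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltSize);
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            candidate = kdf.GetBytes(HashSize);

        // Compare every byte so timing does not reveal the position of the first mismatch.
        int diff = 0;
        for (int i = 0; i < HashSize; i++)
            diff |= candidate[i] ^ stored[SaltSize + i];
        return diff == 0;
    }
}
```

In `Button3_OnClick` this would be called as `LoginCheck.Verify(TextBox6.Text, TextBox7.Text)`; returning the same message for an unknown email and a wrong password avoids telling a visitor which addresses are registered.
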

Try commenting out the second `conn.Open()` and the `conn.Close()` in the code.

```csharp
        protected void Button3_OnClick(object sender, EventArgs e)
        {
            SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["RegisterConnectionString"].ConnectionString);
            conn.Open();
            string checkuser = "select count(*) from [User] where emailAddress='" + TextBox6.Text + "'";
            SqlCommand cmd = new SqlCommand(checkuser, conn);
            int temp = Convert.ToInt32(cmd.ExecuteScalar().ToString());
            // conn.Close();  ********* comment out ***********
            if (temp >= 1)
            {
                // conn.Open();  ********* comment out ***********
                string checkPasswordQuery = "select password from [User] where emailAddress='" + TextBox7.Text + "'";
                SqlCommand Passcmd = new SqlCommand(checkPasswordQuery, conn);
                string password = Passcmd.ExecuteScalar().ToString();
                if (password == TextBox7.Text)
                {
                    Session["New"] = TextBox6.Text;
                    Response.Write("Password is correct");
                    Response.Redirect("WebForm1.aspx");
                }
                else
                    Response.Write("Password is incorrect");
            }
            else
                Response.Write("Username not found");
        }
    }
}
```

Thomson Mixab