equals in c# is true
Question
I am doing webmethod in c#. On debugging,
(chk.Equals(oldpass))
the query shows same value on both left and right side.
But still,instead of going inside if,execution moves to else part showing return statement. Foll. is my code.
[WebMethod (Description="for change in password")]
public string update(string authenid,string oldpass,string newpass)
{
SqlConnection conn = new SqlConnection("Data Source=.\\SQLEXPRESS;AttachDbFilename=D:\\Workspace\\visual studio workspace\\Tmrepo\\App_Data\\tmrepo.mdf;Integrated Security=True;User Instance=True");
try
{
conn.Open();
string chk = "select pwd from client where authenid = '"+ @authenid +"' ";
if(chk.Equals(oldpass))
{
string update = "update client set pwd=@newpass where pwd=@oldpass and authenid=@authenid";
SqlCommand cmd = new SqlCommand(update, conn);
cmd.Connection = conn;
cmd.Parameters.AddWithValue("@authenid", authenid);
cmd.Parameters.AddWithValue("@oldpass", oldpass);
cmd.Parameters.AddWithValue("@newpass", newpass);
cmd.ExecuteNonQuery();
}
else
{
return "invalid oldpass";
}
conn.Close();
return newpass;
}
catch (Exception ex)
{
return ex.ToString();
}
}
Is anything wrong in this code? I am ac# newbie. Thanks.
3 answers
solution1
5 2013-02-15 07:34:40
You haven't executed the command: your old password chk is: "select pwd from client where authenid = '"+ @authenid +"' ";, which is an unlikely password. Look into ExecuteScalar, for example.
Additional thoughts:
- parameterize the sql - don't concatenate the id in; it should be
"select pwd from client where authenid = @authenid";where you are adding a parameter namedauthenidwith the value fromauthenid. You get this right in the second ADO.NET query. - passwords should be salted and hashed: not stored directly; you should never be able to extract and/or decrypt a password
(external edits)
Update : Execute code as "select pwd from client where authenid = '"+ @authenid +"' "; because "select pwd from client where authenid = '@authenid' "; returns null value.
update2 : cmd.ExecuteScalar(); made it work. And remove cmd.ExecuteNonQuery();
solution2
4 2013-02-15 07:31:46
what your code doing is comparing select pwd from client where authenid = some_value against the value of oldpass, which will be false!
Fixed Code Logic :
string oldpass = "somehing";
string authenid = "pass_to_test";
string sql = string.Format("select pwd from client where authenid = '{0}' ", authenid);
string chk = null;
SqlCommand cmd = new SqlCommand(update, conn);
var reader = cmd.ExecuteReader();
if (reader.Read())
{
// has record with username
chk = reader.GetString(0);
if (chk.Equals(oldpass))
{
string update = "update client set pwd=@newpass where pwd=@oldpass and authenid=@authenid";
cmd.CommandText = update;
cmd.Connection = conn;
cmd.Parameters.AddWithValue("@authenid", authenid);
cmd.Parameters.AddWithValue("@oldpass", oldpass);
cmd.Parameters.AddWithValue("@newpass", newpass);
cmd.ExecuteNonQuery();
}
else
{
return "invalid oldpass";
}
}
else
{
// not a valid username
}
reader.Close();
reader.Dispose();
solution3
1 ACCPTED
Finally,solved!!! I used dataset. The second method with perfectly correct code is :
string chk = "select pwd from client where authenid = @authenid";
SqlCommand cmd1 = new SqlCommand(chk , conn);
cmd1.Parameters.AddWithValue("@authenid", authenid);
DataSet ds = new DataSet();
SqlDataAdapter da = new SqlDataAdapter(cmd1);
da.Fill(ds);
int cnt = ds.Tables[0].Rows.Count;
if (cnt > 0)
{
if (ds.Tables[0].Rows[0]["pwd"].ToString().Equals(oldpass))
{
string update = "update client set pwd=@newpass where pwd=@oldpass and authenid=@authenid";
SqlCommand cmd = new SqlCommand(update, conn);
cmd.Connection = conn;
cmd.Parameters.AddWithValue("@authenid", authenid);
cmd.Parameters.AddWithValue("@oldpass", oldpass);
cmd.Parameters.AddWithValue("@newpass", newpass);
cmd.ExecuteNonQuery();
}
}
Hope it helps other newbies like me!!
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.