I’ve got a function that stores temporary information generated for every user authenticated in the system. This ‘session ID’ is a string stored in a Sessions table, along with the original ID of the user which authenticated and was given said session identifier.
The function to remove/deauthenticate/invalidate an existing session first checks if the user exists through another method implemented as follows:
    int userId = 0;
    SqlCeCommand cmd = new SqlCeCommand();
    SqlCeParameterCollection sqlParams = cmd.Parameters;
    sqlParams.AddWithValue("@User", userName);
    cmd.Connection = this.conn;
    cmd.CommandText = "SELECT Id FROM Users WHERE (Username = @User)";
    userId = (int) cmd.ExecuteScalar();
    cmd.Dispose();
Afterwards it tries to find an existing session for that user, which is to be removed (via a different method again):
    SqlCeCommand cmd = new SqlCeCommand();
    SqlCeParameterCollection sqlParams = cmd.Parameters;
    sqlParams.AddWithValue("@SID", mysession);
    sqlParams.AddWithValue("@UID", myuserid);
    cmd.Connection = this.Connection;
    cmd.CommandText = "SELECT Id FROM UserSessions WHERE (SessionID = @SID) AND (User_Id = @UID)";
    int foo = cmd.ExecuteNonQuery();
…which fails. No exception is raised, unfortunately. So I added an insecure equivalent using a non-parametrized query string:
    cmd.CommandText = String.Format("SELECT Id FROM UserSessions WHERE (SessionID = '{0}') AND (User_Id = {1})", mysession, myuserid);
    cmd.Prepare();
    int bar = cmd.ExecuteNonQuery();
Added a breakpoint, paused, copy-pasted the query into the Visual Studio Query tool and voilà, it indeed worked. But after continuing, that query in the code failed as well. I’m unable to find the culprit of this annoying issue since no exception is raised and everything seems correct. The data exists, the parameters are provided in proper types (string and int) and I’m out of things to check. The connection is open and so forth.
Any clues from anyone around? Thanks!
Update: Mea culpa, missed the fact that the function used ExecuteScalar until I modified it for testing. It does use ExecuteScalar and returns null, just in case.
You’re using ExecuteNonQuery, but you’re clearly trying to execute a query (a SELECT)! Use ExecuteScalar again, as you did in the first code, or ExecuteReader and look through the results appropriately. If you stick with ExecuteScalar, you should first check whether the result is null to indicate no results.

ExecuteNonQuery returns the number of rows affected by an UPDATE/INSERT/DELETE command – which is what it’s intended for. I suspect it’s returning -1 for you, as documented: (Emphasis mine.)
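To make the distinction concrete, here is an added example of the session-invalidation flow written the way the answer suggests. It is not code from the question or the answer; it assumes the schema named in the question (Users(Id, Username) and UserSessions(Id, SessionID, User_Id)) and is written against the provider-neutral DbConnection/DbCommand types, so it works with SqlCeConnection as well as any other ADO.NET provider. The class and method names are invented for the illustration.

```csharp
using System;
using System.Data;
using System.Data.Common;

// Added example (not the asker's code). Schema assumed from the question:
// Users(Id, Username) and UserSessions(Id, SessionID, User_Id).
public static class SessionStore
{
    // Returns the user's Id, or null when no such user exists.
    // ExecuteScalar yields the first column of the first row, or null
    // when the SELECT produced no rows, so the null check is mandatory
    // (the unchecked "(int) cmd.ExecuteScalar()" cast would throw instead).
    public static int? FindUserId(DbConnection conn, string userName)
    {
        using (DbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT Id FROM Users WHERE Username = @User";
            AddParam(cmd, "@User", DbType.String, userName);

            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value
                ? (int?)null
                : Convert.ToInt32(result);
        }
    }

    // The SELECT from the question, done with ExecuteReader: returns the
    // session row Id, or null if this user does not own that session.
    // ExecuteReader is the choice when several columns or rows are needed.
    public static int? FindSessionRowId(DbConnection conn, string sessionId, int userId)
    {
        using (DbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT Id FROM UserSessions WHERE SessionID = @SID AND User_Id = @UID";
            AddParam(cmd, "@SID", DbType.String, sessionId);
            AddParam(cmd, "@UID", DbType.Int32, userId);

            using (DbDataReader reader = cmd.ExecuteReader())
            {
                return reader.Read() ? reader.GetInt32(0) : (int?)null;
            }
        }
    }

    // Invalidates the session and reports whether a row was actually removed.
    // ExecuteNonQuery is the right call here: for a DELETE it returns the
    // number of affected rows, whereas for a SELECT it returns -1 and no
    // exception, which is the silent failure described in the question.
    public static bool InvalidateSession(DbConnection conn, string userName, string sessionId)
    {
        int? userId = FindUserId(conn, userName);
        if (userId == null)
            return false;                    // unknown user: nothing to invalidate

        using (DbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "DELETE FROM UserSessions WHERE SessionID = @SID AND User_Id = @UID";
            AddParam(cmd, "@SID", DbType.String, sessionId);
            AddParam(cmd, "@UID", DbType.Int32, userId.Value);

            int rows = cmd.ExecuteNonQuery();
            return rows == 1;                // 0 means no such session for this user
        }
    }

    // Provider-neutral parameter helper. Parameters keep user-supplied
    // values out of the SQL text, unlike the String.Format variant in the
    // question, which is where SQL injection would come from.
    private static void AddParam(DbCommand cmd, string name, DbType type, object value)
    {
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.DbType = type;
        p.Value = value ?? DBNull.Value;
        cmd.Parameters.Add(p);
    }
}
```

Deleting by both SessionID and User_Id in a single statement, rather than selecting first and deleting afterwards, keeps the ownership check and the removal atomic, and the returned row count tells the caller whether anything was actually invalidated instead of relying on the absence of an exception.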