You don't appear to have a method called
ExecuteQuery
Plus as _Zorro_ has said - you have left yourself wide open to SQL Injection attacks - see
http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/
Use parameterized queries and the appropriate method e.g.
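// Count the rows that match the submitted credentials. Every user-supplied value is
// sent as a parameter, so it is never parsed as part of the SQL text.
// NOTE(review): comparing TextBoxPW.Text directly with the Password column implies the
// password is stored in plaintext; store a salted hash (e.g. PBKDF2) and compare that instead.
string sql = "Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password=@TextBoxPW";
int retValue;
using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
using (SqlCommand newCommand = new SqlCommand(sql, con))
{
    // AddWithValue replaces the obsolete Parameters.Add(string, object) overload.
    newCommand.Parameters.AddWithValue("@TextBoxEA", TextBoxEA.Text);
    newCommand.Parameters.AddWithValue("@TextBoxPW", TextBoxPW.Text);

    // A command can only execute once it is attached to an open connection.
    con.Open();
    retValue = (int)newCommand.ExecuteScalar();
}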
and/or
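// Flag the account as locked. The e-mail address is bound as a parameter rather than
// concatenated into the statement.
// SQL Server has no `true` literal (it would be read as a column name), so the flag is
// set with 1. NOTE(review): assumes isLocked is a bit/integer column - confirm against the schema.
string SQL = "Update Table22 SET isLocked = 1 where EmailAddress = @TextBoxEA";
int rowsAffected;
using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
using (SqlCommand newCommand1 = new SqlCommand(SQL, con))
{
    // AddWithValue replaces the obsolete Parameters.Add(string, object) overload.
    newCommand1.Parameters.AddWithValue("@TextBoxEA", TextBoxEA.Text);

    // A command can only execute once it is attached to an open connection.
    con.Open();

    // rowsAffected is 0 when no row has this e-mail address.
    rowsAffected = newCommand1.ExecuteNonQuery();
}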
[EDIT in response to OP comment]
Here is an example of how I might integrate the solution above into your code, with some refactoring. I have omitted the error handling (try-catch), and be warned: this code is untested.
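/// <summary>
/// Handles the login page load. On the first render the attempt counter in session
/// state is reset; on every postback the counter is incremented, the submitted e-mail
/// address and password are checked against Table22 with parameterized queries, and a
/// client-side alert is registered when the check fails. Once the counter has reached 3
/// and the password is still wrong, the account row is flagged as locked.
/// </summary>
/// <param name="sender">Event source supplied by ASP.NET (unused).</param>
/// <param name="e">Event arguments supplied by ASP.NET (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    TextBoxEA.Focus();

    if (!IsPostBack)
    {
        // First render of the page: start counting attempts from zero.
        Session["counter"] = 0;
        return;
    }

    // NOTE(review): this counter is tied to the browser session, not to the account, so it
    // does not limit attempts made against one account from several sessions. A failure
    // count stored with the user row is what makes a lockout hold.
    int attempts = Convert.ToInt32(Session["counter"]) + 1;
    Session["counter"] = attempts;

    string msg = "";

    using (SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["HotConnectionString"].ConnectionString))
    {
        con.Open();

        // Every command is created with the open connection; a SqlCommand that has no
        // connection throws as soon as it is executed.
        int userExists;
        using (SqlCommand existsCmd = new SqlCommand("Select count(*) from Table22 where EmailAddress=@TextBoxEA", con))
        {
            // AddWithValue replaces the obsolete Parameters.Add(string, object) overload.
            existsCmd.Parameters.AddWithValue("@TextBoxEA", TextBoxEA.Text);
            userExists = (int)existsCmd.ExecuteScalar();
        }

        // NOTE(review): matching the submitted password against the Password column implies
        // plaintext storage; store a salted hash (e.g. PBKDF2) and compare the hash instead.
        int correctPassword;
        using (SqlCommand loginCmd = new SqlCommand("Select count(*) from Table22 where EmailAddress = @TextBoxEA AND Password=@TextBoxPW", con))
        {
            loginCmd.Parameters.AddWithValue("@TextBoxEA", TextBoxEA.Text);
            loginCmd.Parameters.AddWithValue("@TextBoxPW", TextBoxPW.Text);
            correctPassword = (int)loginCmd.ExecuteScalar();
        }

        if (userExists == 0)
        {
            // NOTE(review): this message reveals whether an e-mail address is registered;
            // one generic failure message for both cases avoids that.
            msg = "alert('User Name Does Not Exist You Must Fill Out Registration First');";
        }
        else if (correctPassword == 0)
        {
            if (attempts >= 3)
            {
                // The lock belongs on the failed-password path. Chained after the
                // wrong-password branch, it could only run once the password was correct.
                msg = "alert('The Account is Locked');";

                // SQL Server has no `true` literal, so the flag is set with 1.
                using (SqlCommand lockCmd = new SqlCommand("Update Table22 SET isLocked = 1 where EmailAddress = @TextBoxEA", con))
                {
                    lockCmd.Parameters.AddWithValue("@TextBoxEA", TextBoxEA.Text);
                    lockCmd.ExecuteNonQuery();
                }
            }
            else
            {
                msg = "alert('Invalid UserName / Password');";
            }
        }
        // NOTE(review): nothing in this handler reads isLocked, so a locked account with the
        // right password still passes this check - confirm the flag is enforced at sign-in.
    }

    if (msg.Length > 0)
    {
        ScriptManager.RegisterStartupScript(this, this.GetType(), "script", msg, true);
        TextBoxEA.Text = string.Empty;
    }
}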