念修改登陆用户的state状态以实现，异地登陆的限制，登陆+验证码已经实现，就状态修改不过来，求解

求耐心的前辈指点啊，现在脑子有点乱
修改状态的方法DAL层：
public OAUsers UpdateStateByUserName(string where)
        {
            try
            {
                StringBuilder strSql = new StringBuilder();
                strSql.Append("update OAUser");
                strSql.Append(" set state=1");
                if (where.Trim() != null)
                {
                    strSql.Append(" where username=@username");
                }
                SqlParameter[] para = 
                                 { 
                                  new SqlParameter("@username",SqlDbType.NVarChar,50)
                                  };
                OAUsers use = new OAUsers();
                para[0].Value = use.State;
                int res = DbHelperSQL.ExecuteSql(strSql.ToString(), para);
                if (res > 0)
                {
                    return use; ;
                }
                else
                {
                    return null;
                }
            }
            catch (Exception ex)
            {
                
                throw new Exception(ex.ToString());
            }
        }

修改状态的方法BLL层：
        public OAUsers UpdateStateByUserName(string where)
        {
            return dal.UpdateStateByUserName(where);
        }

登陆按钮的代码：
        protected void btnLogin_Click(object sender, EventArgs e)
        {
            var lgname=loginname.Text.Trim().ToString();
            var lgpass=pass.Text.Trim().ToString();
            if ( lgname.Length== 0 || lgpass.Length == 0)
            {
                Page.ClientScript.RegisterStartupScript(this.GetType(), "", "<script language=javascript> window.alert('用户名或密码不能为空！');</script>");
            }
            else
            {
                OAUserbll bll = new OAUserbll();
                string sqlWher = " username= '"+lgname+"'";

                DataSet ds = bll.GetUserByLoginName(sqlWher);
                if (ds.Tables[0].DefaultView.Count > 0)
                {
                    if (lgpass == ds.Tables[0].Rows[0]["userpass"].ToString())
                    {
                        var check=txtVcode.Text.Trim().ToString().ToLower();
                        var num = Session["VNum"].ToString().ToLower();
                        if (check==num)
                        {
                            Session["lgname"] = lgname;
                            HttpContext.Current.Response.Write("提交成功！");
                            [color=#FF0000]bll.UpdateStateByUserName(sqlWher);[/color]                            Response.Write("<script>window.setTimeout('myfun()',1000)</script>");
                            Response.Write("<script>function myfun() { window.location.href='index.aspx'}</script> ");
                            Response.End();
                        }
                        else
                        {
                            Page.ClientScript.RegisterStartupScript(this.GetType(), "", "<script language=javascript> window.alert('验证码不正确！');</script>");
                        }
                        
                    }
                    else
                    {
                        Page.ClientScript.RegisterStartupScript(this.GetType(), "", "<script language=javascript> window.alert('密码错误，登陆失败！');</script>");
                        this.pass.Text = "";
                    }
                }
                else
                {
                    Page.ClientScript.RegisterStartupScript(this.GetType(), "", "<script language=javascript> window.alert('该用户名不存在！');</script>");
                    ClearPageAllTextBox();
                
                }
            }
        }