Hey all,

A quick question, I've been picking my brain and browsing the net for a few hours now and still can't get any further.
I have a simple C# windows form which acts as a login, but also has a form to change the password of a user. When you click on Change Password the form loads with a text box for username, current password, new pass and confirm new pass.

I am storing these in a SQL Database which I created in VS2008.

The code is as follows so far. (connection string part with try/catch deleted, it works, and is at the top of this void)

private void btnConfirm_Click(object sender, EventArgs e)
{
    string username = txtUser.Text;
    string password = txtCurrPass.Text;
    string newPassword = txtNewPass.Text;
    string confNewPassword = txtConfirmNewPass.Text;
    string sqlquery = "UPDATE users SET username = " + txtUser.Text + " AND password = " + txtConfirmNewPass.Text + "'";

    SqlCommand cmd = new SqlCommand(sqlquery, cn);
    cmd.Connection = cn;
    SqlDataReader reader = null;
    reader = cmd.ExecuteReader();
    while (reader.Read())
    {
        if ((txtNewPass.Text == reader["newPassword"].ToString()) & (txtConfirmNewPass.Text == (reader["confNewPassword"].ToString())))
        {
            MessageBox.Show("Password Changed!");
        }
    }
}

Ideally I would like the user to enter their username and current password, then their new pass and then confirm their new password. Then when they hit the button, it checks if the two new passwords match and if they do it updates the data in the database.

Break your code up into the steps you need to do and solve each one:
1) Verify that the two new password fields match
2) Verify that the entered userid/password combination is valid
3) Change the password to the new password

You are almost there :)

I forgot to add in that post that an error is occurring when I hit my confirm button. At the moment I'm just seeing if I can get it to update the password in the database; if that works then I'll be making sure the user/original pass are valid combos.

This is the error:

Incorrect syntax near the keyword 'AND'.
Unclosed quotation mark after the character string ''.

This is the problem line: string sqlquery = "UPDATE users SET username = " + txtUser.Text + " AND password = " + txtConfirmNewPass.Text + "'"; Notice you only have one ' mark in the entire line. You need to change it to string sqlquery = "UPDATE users SET username = '" + txtUser.Text + "' AND password = '" + txtConfirmNewPass.Text + "'"; You should really be using parameterized queries, but we'll leave that for when you have your code working. Then we can improve upon it :)

Edited 5 Years Ago by Momerath: n/a

Still giving the "Incorrect syntax near the keyword 'AND'." error highlighting the line:

reader = cmd.ExecuteReader();

EDIT: Also just seen the following post, will look at parameterized queries now :)

Have you noticed that a WHERE clause is missing?

string username = txtUser.Text;
string password = txtCurrPass.Text;
string newPassword = txtNewPass.Text;
string confNewPassword = txtConfirmNewPass.Text;
// Parameterized: values are bound separately, never concatenated into the SQL text
string sqlquery = "UPDATE [users] SET password=@newpass WHERE username=@username AND password=@password";

SqlCommand cmd = new SqlCommand(sqlquery, cn);
cmd.Parameters.AddWithValue("@newpass", txtConfirmNewPass.Text);
cmd.Parameters.AddWithValue("@username", txtUser.Text);
cmd.Parameters.AddWithValue("@password", txtCurrPass.Text);

cmd.Connection = cn;
cn.Open();
cmd.ExecuteNonQuery();
cn.Close();

After seeing your post and playing around with a few bits of code, updating the password now works, although it doesn't confirm in a msgbox, but that is irrelevant for now.

If I were to have a text box where you enter a username, and click a button to retrieve a password, could it be done with a message box coming up stating the pass of that user? At some point I'll make a proper retrieval email system, but just for now, didn't know if it was possible to display one's pass in a msgbox.

paddypowa,

You could have a system that displayed a password in a messagebox or email the password, but in my experience and I'm sure others will agree...storing passwords in a database in plain text is a bad idea and could potentially be a security issue. Strike that...it IS a security issue.

I'm assuming that since you are having users create usernames and passwords that there is, or there is the potential to be, sensitive (however you wish to define that) data stored somewhere in the application. User based systems usually are designed so that certain users see only certain things. Storing passwords in plain text (unencrypted) could allow someone to "sniff" the packets with passwords if the data is transmitted over a network, or if someone gains physical access to the SQL server, they could download and see all the usernames and passwords in plain text. Not cool.

A much better idea, in my opinion, is to not allow for password retrieval, but have a system in place to reset passwords, by utilizing a secret question/answer, or simply have the request send an email to the user with a new temporary password or something.

I would highly recommend you encrypt your passwords in some fashion...just an FYI so you don't end up with security concerns later.

Check out the System.Security.Cryptography namespace if you are unaware of it. I'd go with a hash type of encryption such as any of the SHA-2 options (SHA256, SHA512 etc...) but again, it's just a casual observation :)
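Putting the three steps listed earlier in the thread (new passwords match, current credentials valid, then update) together with the parameterized query and the advice above to stop storing plain-text passwords, as an added example that is not code from the thread or from any poster. It assumes a users table with pass_hash and pass_salt binary columns (assumed names) and an already-open SqlConnection, and uses PBKDF2 (Rfc2898DeriveBytes, also in System.Security.Cryptography) rather than a bare SHA-256 so every password gets its own random salt and an iteration count:

```csharp
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example, not code from the thread. Assumed schema: users(username,
// pass_hash binary(32), pass_salt binary(16)). cn must already be open.
public static class PasswordChange
{
    // Salted, iterated hash (PBKDF2 via Rfc2898DeriveBytes, 10000 rounds) rather than a bare SHA-256.
    static byte[] Hash(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, 10000).GetBytes(32);
    }
    // Compare every byte so timing does not reveal where the hashes first differ.
    static bool SlowEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // True only when the current credentials verify and the new hash was stored.
    public static bool Change(SqlConnection cn, string user, string current, string newPass, string confirm)
    {
        // Step 1: the two new password fields must match (and not be trivially short).
        if (newPass != confirm || newPass.Length < 8) return false;
        // Step 2: fetch this user's stored hash and salt, then verify the current password.
        byte[] storedHash, salt;
        using (var cmd = new SqlCommand("SELECT pass_hash, pass_salt FROM users WHERE username = @u", cn))
        {
            cmd.Parameters.AddWithValue("@u", user);
            using (var r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;   // unknown user
                storedHash = (byte[])r["pass_hash"];
                salt = (byte[])r["pass_salt"];
            }
        }
        if (!SlowEquals(Hash(current, salt), storedHash)) return false;
        // Step 3: store the new password under a fresh random salt, bound via parameters only.
        byte[] newSalt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(newSalt);
        using (var cmd = new SqlCommand("UPDATE users SET pass_hash = @h, pass_salt = @s WHERE username = @u", cn))
        {
            cmd.Parameters.AddWithValue("@h", Hash(newPass, newSalt));
            cmd.Parameters.AddWithValue("@s", newSalt);
            cmd.Parameters.AddWithValue("@u", user);
            return cmd.ExecuteNonQuery() == 1;
        }
    }
}
```

Because only the hash and salt are stored, a "retrieve my password" message box is no longer possible, which is exactly the point; a reset flow that issues a temporary password goes through the same Change-style update.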

Comments
Imho, worth more points than -1 :)