I have a login form coded as :

Imports System.Data.OleDb
Public Class Form2
    Dim ctr As Integer
Private Sub Ok_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:/Users/Space Era/Documents/User.mdb")
        Dim cmd As OleDbCommand = New OleDbCommand("SELECT * FROM Users WHERE userid = '" & TextBox2.Text & "' AND password = '" & TextBox1.Text & "' ", con)
        con.Open()
        Try
            Dim sdr As OleDbDataReader = cmd.ExecuteReader()
            ' If the record can be queried, Pass verification and open another form.  
            If (sdr.Read() = True) Then

                Form7.Show()
                Me.Hide()
            Else


                MessageBox.Show("Invalid username or password!")
            End If
        Catch ex As Exception

            MsgBox(ex.Message, MsgBoxStyle.Critical, "Oledb Error")

        End Try


    End Sub
    ' Cancel button  
    Private Sub Cancel_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Cancel.Click
        Me.Close()



    End Sub

I wish to create a form for changing the password ,i.e., stored in the access database...any relevant replies would be appreciated..

Edited 5 Years Ago by Nick Evan: Fixed CODE-tags .... again....

1st of all your login form is weak. It can be bypassed in half a second. Try retrieving a count and verify that the count returned is equal to 1. This way even if the query is bypassed, you won't give access further down.

as for changing password, copy your form into a new one, add 2 textboxes for new password and confirm new password, verify that the new passwords match and change your query to

"(update Users SET password = '" & TextBox2.text & "' WHERE userid = '" & TextBox2.Text & "' AND password = '" & TextBox1.Text & "' ", con)

Execute it using cmd.ExecuteNonQuery

You can check back that the password has changed by using the select statement that you are using in the above form and msgbox the user that the password has changed.

Edited 5 Years Ago by adam_k: n/a

by getting a condition that will always result in true as part of the where.
Giving something like this in a forum is like putting everybody's apps in danger, so I'll keep the details to myself for now.

Trust me this query is weak. Use my advice if this is something you'll develop and also use QUOTENAME SQL function if you are dead serious about security.

PS: Selecting everything is bad by it's own, even if further checks are performed. All it takes is an ethereal on the network and all passwords are at hand, including admin ones.

Edited 5 Years Ago by adam_k: n/a

Imports System.Data.OleDb
Public Class Form8

    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        Me.Close()
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:/Users/Space Era/Documents/User.mdb")
        Dim cmd As OleDbCommand = New OleDbCommand("update users SET password = '" & TextBox1.Text & "' WHERE userid = '" & TextBox4.Text & "' AND password = '" & TextBox2.Text & "' ", con)

        con.Open()
        Try

            If (TextBox1.Text = TextBox3.Text) Then
                cmd.ExecuteReader()
                MsgBox("password changed")

            Else


                MessageBox.Show("Invalid username or password!")
            End If
        Catch ex As Exception

            MsgBox(ex.Message, MsgBoxStyle.Critical, "Oledb Error")

        End Try

    End Sub
End Class

Output:Syntax error in update statement

Edited 3 Years Ago by mike_2000_17: Fixed formatting

cmd.ExecuteReader()

This won't work with an update statement, you need a nonquery.

On a different note: If you don't want to allow blank passwords, you might need to check the new pass value.

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        
        If (TextBox1.Text = TextBox3.Text) Then
            Try
                Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:/Users/Space Era/Documents/User.mdb")
                Dim cmd As OleDbCommand = New OleDbCommand("Update Users Set password = '" & TextBox1.Text & "' where userid = '" & TextBox4.Text & "' ", con)

                con.Open()


                cmd.ExecuteNonQuery()
                MsgBox("password changed")



            Catch ex As Exception

                MsgBox(ex.Message, MsgBoxStyle.Critical, "Oledb Error")

            End Try
        End If

    End Sub
End Class

Output: syntax error in update statement

how do i correct this??

Edited 5 Years Ago by bigzos: n/a

cmd.ExecuteReader()

This won't work with an update statement, you need a nonquery.

On a different note: If you don't want to allow blank passwords, you might need to check the new pass value.

I have modified my code to the following.....still i am getting the same syntax error in update statement..i would be greatful for any concerned suggestions..i need to complete this module quickly

Public Class Form8

    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        Me.Close()
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        If TextBox1.TextLength < 5 Then
            MsgBox("The New Password Should be of Atleast 5 Characters")
            TextBox1.Text = ""
            TextBox3.Text = ""
        ElseIf TextBox2.Text = TextBox1.Text Then
            MsgBox("The New Password is Same As Old Password")
            TextBox1.Text = ""
            TextBox1.Focus()
        ElseIf (TextBox1.Text = TextBox3.Text) Then

            Try
                Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:/Users/Space Era/Documents/User.mdb")
                Dim ds1 As New DataSet

                Dim da1 As New OleDbDataAdapter("select * from Users where userid='" & Trim(TextBox4.Text) & "'and password='" & Trim(TextBox2.Text) & "'", con)

                If da1.Fill(ds1) Then

                    Dim ra As Integer
                    Dim cb As OleDbCommand
                    con.Open()
                    cb = New OleDbCommand("Update Users Set password='" & TextBox1.Text & "' where userid='" & TextBox4.Text & "'", con)
                    ra = cb.ExecuteNonQuery()
                    MessageBox.Show("Password Changed Successfully,Now Login into System")
                    con.Close()
                    Form2.Show()
                    Me.Hide()
                Else
                    MsgBox("Invalid Password or Username")

                End If

            Catch ex As Exception
                MsgBox(ex.Message)
            End Try
        End If
       
    End Sub
End Class

made a few changes in the sql query string and it worked...yay...thnx all..

This question has already been answered. Start a new discussion instead.