
So I am trying to change the password of a user in my VB.NET project that I have been working on, but every time I run my code I get my catch "Something went wrong". I can't figure out why. I am using a MySQL database. Can anybody help me?

        Try
        reader = cmd.ExecuteReader()
        Dim found As Boolean = False
        Do While reader.Read()

            If username = DirectCast(reader("username"), String) Then
                If password = DirectCast(reader("password"), String) Then
                    found = True
                Else
                    MessageBox.Show("username and password do not match")
                End If
            End If



            If found = True Then
                Dim cmd2 As New MySqlCommand
                Dim insertStatment As String = "UPDATE login set password = '" + 
               newpassword + "' where username = '" + username + "'" , con)


                cmd2.ExecuteNonQuery()
                MessageBox.Show("password change successfully")

                'End If
            End If
        Loop

    Catch
        MessageBox.Show("Something went wrong")
user2264202
  • Try removing the try ... catch and run the app in debug mode. That way, you'll be able to see which line produces the error. – ajakblackgoat Apr 27 '13 at 17:41
  • Another thing is, why do you need to open a datareader and check each row for the username & password match? You can just run `select ... where username=? and password=?` and see if it returns any row. – ajakblackgoat Apr 27 '13 at 17:44
  • The `Try Catch` statement you have is swallowing the exception with all the information to answer this question (like a message and a stack trace). – just.another.programmer Apr 27 '13 at 23:44

1 Answer


You should avoid using string concatenation to build SQL statements. Doing it this way leads to errors, such as when you have a username/password with single quote characters, or worse, if you have a smart and malicious user who writes something like this in your input textboxes

So you should write

    Dim insertStatment As String = "UPDATE login set password = @p1 where username = @p2"
    Dim cmd2 As New MySqlCommand(insertStatment, con)
    ' @p1 is the value being stored, so bind the new password (as in the question's UPDATE)
    cmd2.Parameters.AddWithValue("@p1", newpassword)
    cmd2.Parameters.AddWithValue("@p2", username)
    cmd2.ExecuteNonQuery()

Another possible cause of your error is the handling of the MySqlConnection. In your code there is no Open of the connection, so I assume that it is open, but this leads to another problem in your code:

Do not catch an exception and then print an unusable error message.
If you really want to give a message, try to print the error message given in the exception

    Catch e As Exception
        MessageBox.Show("Something went wrong: " & Environment.NewLine & e.Message)

This will give a pretty clear message that explains what the problem is.

Steve
  • He's using a MySQL database. Using password as a field name in a select statement is allowed even without encapsulation. Another thing is, encapsulation in MySQL is reverse quote `\`` – ajakblackgoat Apr 27 '13 at 17:39
  • Yes, I have noticed the tag now and removed the part regarding the encapsulation, but the use of a parametrized query could solve his problems if there are some invalid chars in his user or pass – Steve Apr 27 '13 at 17:40
  • absolutely, using parameterized query is always recommended. – ajakblackgoat Apr 27 '13 at 17:48
  • OK, so I did everything you guys commented to do, but it is still going to the catch. So I put in message boxes with numbers so I could tell where the program is stopping. It's stopping right before the "cmd2.executenonquery()". Why would it stop before this – user2264202 Apr 27 '13 at 18:01
  • Please write the message given in the exception raised – Steve Apr 27 '13 at 18:06
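
The answer's parameterized UPDATE, combined with the comment's suggestion to match username and password in the WHERE clause instead of looping over a reader, as an added example that is not part of the original answer or the asker's project. The module name, connection string and sample values are assumptions; the table and column names are the question's.

```vbnet
Imports MySql.Data.MySqlClient

Module PasswordChange
    ' Assumed connection string (placeholder values); replace with your own settings.
    Private Const ConnString As String =
        "server=localhost;database=mydb;uid=appuser;pwd=CHANGE_ME"

    ' Returns True when exactly one row matched username + current password.
    ' Values are bound as parameters, so quote characters in them are plain data.
    Function ChangePassword(username As String, password As String,
                            newpassword As String) As Boolean
        Const sql As String =
            "UPDATE login SET password = @newpw " &
            "WHERE username = @user AND password = @oldpw"

        ' Using disposes the command and closes the connection even on an exception.
        Using con As New MySqlConnection(ConnString)
            Using cmd As New MySqlCommand(sql, con)
                cmd.Parameters.AddWithValue("@newpw", newpassword)
                cmd.Parameters.AddWithValue("@user", username)
                cmd.Parameters.AddWithValue("@oldpw", password)
                con.Open() ' the question's code never shows this call
                Return cmd.ExecuteNonQuery() = 1
            End Using
        End Using
    End Function

    Sub Main()
        Try
            ' Constructed sample values containing quote characters.
            If ChangePassword("o'brien", "old'pw", "new""pw") Then
                Console.WriteLine("password changed successfully")
            Else
                Console.WriteLine("username and password do not match")
            End If
        Catch ex As MySqlException
            ' Report the driver's own message instead of a generic one.
            Console.WriteLine("Database error " & ex.Number & ": " & ex.Message)
        End Try
    End Sub
End Module
```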