
I have a web page where the user enters their current Username and Password. If they match a user in the database then the password is changed to the new password.

If there is no error and the password is changed the user is redirected to the initial login page. If there is an error then an error message will appear.

However, at the moment the password is not changed, and when there is supposed to be an error, i.e. when the password was not changed, it just redirects the user anyway to the login page.

My code:

    public static MySqlConnection CreateConnection()
    {
        String connectionString = "SERVER=127.0.0.1; DATABASE='dbnumericalmethods'; UID='root'; PASSWORD=''";
        MySqlConnection SqlConnection = new MySqlConnection(connectionString);
        return SqlConnection;
    }

    protected void btnChange_Click(object sender, EventArgs e)
    {
        MySqlConnection SqlConnection = CreateConnection();
        string OldPassword;
        string NewPassword;
        string Username;
        string ConfirmPassword;
        Username = txtUsername2.Text;  
        OldPassword = txtOldPassword.Text;
        NewPassword = txtNewPassword.Text;
        ConfirmPassword = txtConfirmPassword.Text;
        string SqlString = "update tblLogin set Identification='" + NewPassword + "' WHERE [Identification]='" + OldPassword + "' AND Username='" + Username + "'";
        SqlConnection.Open();
        MySqlCommand cmd = new MySqlCommand(SqlString, SqlConnection);
        SqlConnection.Close();

        if (OldPassword != "" && NewPassword != "" && ConfirmPassword != "") 
        {
            Response.Redirect("Login.aspx");
        }
        else
        {
            lblErrorMessage2.Text = ("Username ");
        }

    }
user2852418
    As a side note your code is open to SQL Injection. See http://bobby-tables.com/ for some advice on it - but in short never accept a user supplied string into a sql statement - use parameterized queries/ prepared statements instead. – Robert H Mar 26 '14 at 20:35
  • Don't you need to add checks to make sure NewPassword and ConfirmPassword match? Also, your code is subject to SQL injection, it'd be much better to use a stored procedure instead. – dcp Mar 26 '14 at 20:36
  • You are not executing the SQL command. You should add cmd.ExecuteNonQuery(); – Rutix Mar 26 '14 at 20:36
  • You might want to use `string.isNullOrWhitespace(OldPassword)` etc on that if statement. – Nathan Mar 26 '14 at 20:36
  • @Rutix when I add that I get the following error: check the manual that corresponds to your MySQL server version for the right syntax to use near '[Identification]='sugg' AND Username='callum'' at line 1 – user2852418 Mar 26 '14 at 20:44
  • @dcp How would I do that? (new to c#) – user2852418 Mar 26 '14 at 20:48
  • @user2852418 - you could start with reading some of the mysql docs on stored procedures: http://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-stored-procedures.html Here is an example: http://stackoverflow.com/questions/3228411/how-to-call-a-mysql-stored-function-in-c – dcp Mar 26 '14 at 21:28

1 Answer

You are not even executing the command, you are just opening the connection, creating a MySqlCommand then immediately close the connection:

 MySqlCommand cmd = new MySqlCommand(SqlString, SqlConnection);
 int result = cmd.ExecuteNonQuery();
 SqlConnection.Close();

BTW, you should use parameterized queries to avoid SQL Injection.

Selman Genç
  • I get the following error message when I make your change: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[Identification]='sugg' AND Username='callum'' at line 1 – user2852418 Mar 26 '14 at 20:40
  • 1
    @user2852418 remove the square brackets from `Identification`, it's not a reserved keyword, as far as I know...see [documentation](https://dev.mysql.com/doc/refman/5.5/en/reserved-words.html) and you need to use **`** to escape reserved keywords in MYSQL.See this question: http://stackoverflow.com/questions/15725233/using-reserved-words-in-column-names – Selman Genç Mar 26 '14 at 20:43
  • Thank you, it now changes the password, however I still get no error message thrown when the incorrect password is entered? – user2852418 Mar 26 '14 at 20:47
  • 1
    @user2852418 check whether the `result` is greater than zero or not. `ExecuteNonQuery` returns the number of rows affected. – Selman Genç Mar 26 '14 at 20:49
  • using a simple **if** statement ? – Selman Genç Mar 26 '14 at 21:00
  • Sorry was being stupid, was putting ExecuteNonQuery in the my IF instead of result. Thank you for your help! – user2852418 Mar 26 '14 at 21:04
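Putting the answer and the comments together, here is an added example of what the handler looks like once the command is actually executed, the SQL is parameterized, the confirmation field is compared, and the return value of `ExecuteNonQuery` decides between redirect and error message. This is not the asker's or the answerer's code; it assumes the page's controls (`txtUsername2`, `txtOldPassword`, `txtNewPassword`, `txtConfirmPassword`, `lblErrorMessage2`), the `tblLogin` table with `Username` and `Identification` columns, and the question's connection string. It also keeps the page's assumption that `Identification` holds the password in clear text; in a real application the column would hold a salted password hash and the old password would be verified by hashing it, not by comparing it in the `WHERE` clause.

```csharp
using System;
using System.Web.UI;
using MySql.Data.MySqlClient;

public partial class ChangePassword : Page
{
    // Connection string taken from the question (a local development setup).
    private const string ConnectionString =
        "SERVER=127.0.0.1; DATABASE='dbnumericalmethods'; UID='root'; PASSWORD=''";

    protected void btnChange_Click(object sender, EventArgs e)
    {
        string username = txtUsername2.Text;
        string oldPassword = txtOldPassword.Text;
        string newPassword = txtNewPassword.Text;
        string confirmPassword = txtConfirmPassword.Text;

        // Validate the form before touching the database (whitespace-only is rejected too).
        if (string.IsNullOrWhiteSpace(username)
            || string.IsNullOrWhiteSpace(oldPassword)
            || string.IsNullOrWhiteSpace(newPassword))
        {
            lblErrorMessage2.Text = "All fields are required.";
            return;
        }
        if (newPassword != confirmPassword)
        {
            lblErrorMessage2.Text = "New password and confirmation do not match.";
            return;
        }

        int rowsAffected;
        try
        {
            rowsAffected = UpdatePassword(username, oldPassword, newPassword);
        }
        catch (MySqlException)
        {
            // Keep driver error text out of the page; it belongs in a server-side log.
            lblErrorMessage2.Text = "The password could not be changed. Please try again.";
            return;
        }

        if (rowsAffected == 1)
        {
            Response.Redirect("Login.aspx");
        }
        else
        {
            // Zero rows updated means no row matched that username/old-password pair.
            lblErrorMessage2.Text = "Username or current password is incorrect.";
        }
    }

    // Returns the number of rows updated: 1 on success, 0 when the credentials did not match.
    internal static int UpdatePassword(string username, string oldPassword, string newPassword)
    {
        // No square brackets (that was the MySQL syntax error), and no string concatenation.
        const string sql =
            "UPDATE tblLogin SET Identification = @newPassword " +
            "WHERE Identification = @oldPassword AND Username = @username";

        using (var connection = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand(sql, connection))
        {
            // Parameter values travel separately from the statement text, so quotes or
            // SQL fragments typed into the form are treated as data, never as syntax.
            cmd.Parameters.AddWithValue("@newPassword", newPassword);
            cmd.Parameters.AddWithValue("@oldPassword", oldPassword);
            cmd.Parameters.AddWithValue("@username", username);

            connection.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The `using` blocks close the connection even when `ExecuteNonQuery` throws, which the original `Open()`/`Close()` pair did not guarantee, and the redirect now happens only when exactly one row was updated rather than whenever the text boxes were non-empty.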