I am using the ASP.NET framework for sending a forgotten password through e-mail, but I think there's some problem in my code. Please help. The button_click event code is given below.

    protected void frgtbtn_Click(object sender, EventArgs e)
    {
        string st = "select E_mail FROM registraion_master WHERE E_mail='" + Email.Text + "'";

        cmd = new SqlCommand(st, sqlcon);
        cmd.Connection.Open();
        SqlDataAdapter sda = new SqlDataAdapter(cmd);
        DataSet ds = new DataSet();
        sda.Fill(ds);
        cmd.Connection.Close();
        if (ds.Tables[0].Rows.Count > 0)
        {
            MailMessage email = new MailMessage();
            email.From = new MailAddress(Email.Text); // Enter sender email address.
            email.To.Add(Email.Text); // Destination recipient e-mail address.
            email.Subject = "Your Forget Password:"; // Subject for your request.
            email.Body = "Hi, Your Password is: " + ds.Tables[0].Rows[0]["Pwd"] + "";

            email.IsBodyHtml = true;
            // SMTP SERVER DETAILS
            SmtpClient smtpc = new SmtpClient("smtp.gmail.com");
            smtpc.Port = 587;
            smtpc.UseDefaultCredentials = false;
            smtpc.EnableSsl = true;
            gmail_ID.Text = "anuragdixit132@gmail.com"; // Enter your gmail id here
            gmail_pwd.Text = "vineet"; // Enter your gmail password here
            smtpc.Credentials = new NetworkCredential(gmail_ID.Text, gmail_pwd.Text);
            smtpc.Send(email);
            string script = @"<script language=""javascript""> alert('Password Has Been Sent.......!!!!!.');
            </script>";
            Page.ClientScript.RegisterStartupScript(this.GetType(), "myJScript1", script);
        }
        else
        {
            pwdlbl.Text = "This email address does not exist in our database, try again";
        }
    }

In this code an exception occurs: Column 'Pwd' does not belong to table Table.

Anurag Dixit
  • I suspect you are storing your passwords as plain text. **Don't do that!** Please read: [Implement password recovery best practice](http://stackoverflow.com/questions/2734367/implement-password-recovery-best-practice) You should always use [parameterized queries](http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/). This kind of string concatenation is open to [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection) attacks. – Soner Gönül Sep 01 '14 at 11:42
  • Is it not fairly obvious that **Column 'Pwd' is not in the table**; also, as @SonerGönül said, **don't store passwords like that**. – James Sep 01 '14 at 11:42
  • Oh, and the reason 'Pwd' isn't in the table is likely because you only get the column `E_mail` in your select statement, and then don't use it, as well as using a non-parameterised query with text entry in the select clause... – James Sep 01 '14 at 11:46
  • In addition to not storing passwords as plain text, you should also use [parameterized queries](http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/) instead of using string concatenation to build your SQL string (`WHERE E_mail='" + Email.Text + "'`) – GarethD Sep 01 '14 at 11:48
  • The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required. This error occurs... @JamesBarrass this is my own project actually. – Anurag Dixit Sep 01 '14 at 11:52
  • @AnuragDixit Where it states **Column 'Pwd' does not belong to table Table** it means in the data set which is the result of your select statement `SELECT E_mail FROM`. You only select E_mail, so only E_mail exists in the result set. It doesn't matter too much if it's your own project, but I would still recommend good practices. – James Sep 01 '14 at 11:58
  • [See this answer](http://stackoverflow.com/a/9572958/1048425) for more information on the authentication error. – GarethD Sep 01 '14 at 12:05

1 Answer

The shortest way to reproduce your problem:

    string st = "select E_mail FROM registraion_master WHERE E_mail='" + Email.Text + "'";
    cmd = new SqlCommand(st, sqlcon);
    cmd.Connection.Open();
    SqlDataAdapter sda = new SqlDataAdapter(cmd);
    DataSet ds = new DataSet();
    sda.Fill(ds);
    cmd.Connection.Close();
    object pwd = ds.Tables[0].Rows[0]["Pwd"]; // throws: the result set only has an E_mail column

It is clear that you are querying the db only for E_mail and not Pwd. If Pwd is part of the registraion_master table, then the solution can be:

    string st = "select E_mail,Pwd FROM registraion_master WHERE E_mail='" + Email.Text + "'";

However, I hope the pwd is not saved in plaintext. And start using parameterized queries; your query is subject to SQL injection. And I guess that you also have cross-site scripting problems when displaying user input on your screens; you have that cross-site scripting when you are sending the password to a user...

Peter
  • I hope I'm not a user on your site... Fix your SQL injection and cross-site scripting. Best is to send a new password to your users when they have lost the old one. – Peter Sep 01 '14 at 12:39
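A hardened version of the handler, added here as an example; it is neither the asker's code nor Peter's. It keeps the names from the question (`frgtbtn_Click`, the `Email` and `pwdlbl` controls, the `registraion_master` table) but looks the address up with a parameterized `SqlCommand`, so the text box contents can no longer rewrite the query, and instead of mailing anything out of the database it does what Peter and the linked best-practice answer recommend: it generates a random single-use token, stores only the token's SHA-256 hash with an expiry, and mails the raw token as a reset link. The `password_reset` table and its columns, the `registration` connection-string name, the sender address, the reset page URL and the `web.config` mail settings are assumptions made for this example.

```csharp
using System;
using System.Configuration;          // needs a reference to System.Configuration.dll
using System.Data;
using System.Data.SqlClient;
using System.Net.Mail;
using System.Security.Cryptography;
using System.Web;

// Assumed: the page's designer file declares TextBox Email and Label pwdlbl (as in the question).
public partial class ForgotPassword : System.Web.UI.Page
{
    // Assumed schema for this example (not from the question):
    //   password_reset(E_mail nvarchar(256), TokenHash binary(32), Expires datetime2)
    protected void frgtbtn_Click(object sender, EventArgs e)
    {
        string email = Email.Text.Trim();
        // Assumed connection-string name in web.config.
        string connStr = ConfigurationManager.ConnectionStrings["registration"].ConnectionString;

        using (var sqlcon = new SqlConnection(connStr))
        {
            sqlcon.Open();

            // 1. Parameterized lookup: the user's input is sent as a typed value, never spliced
            //    into the SQL text, so  x' OR '1'='1  is compared literally as an address.
            bool exists;
            using (var cmd = new SqlCommand(
                "SELECT COUNT(*) FROM registraion_master WHERE E_mail = @email", sqlcon))
            {
                cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
                exists = (int)cmd.ExecuteScalar() > 0;
            }

            if (exists)
            {
                // 2. Never mail the stored password. Mint 256 bits of CSPRNG token, keep only
                //    its hash in the database (a leaked table cannot be replayed), mail the raw token.
                byte[] tokenBytes = new byte[32];
                using (var rng = RandomNumberGenerator.Create())
                {
                    rng.GetBytes(tokenBytes);
                }
                byte[] tokenHash;
                using (var sha = SHA256.Create())
                {
                    tokenHash = sha.ComputeHash(tokenBytes);
                }
                string token = HttpServerUtility.UrlTokenEncode(tokenBytes); // URL-safe base64

                using (var cmd = new SqlCommand(
                    "INSERT INTO password_reset (E_mail, TokenHash, Expires) " +
                    "VALUES (@email, @hash, @expires)", sqlcon))
                {
                    cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
                    cmd.Parameters.Add("@hash", SqlDbType.Binary, 32).Value = tokenHash;
                    cmd.Parameters.Add("@expires", SqlDbType.DateTime2).Value = DateTime.UtcNow.AddMinutes(30);
                    cmd.ExecuteNonQuery();
                }

                // Assumed reset page URL and sender address.
                string link = "https://example.com/ResetPassword.aspx?token=" + token;
                var msg = new MailMessage("no-reply@example.com", email)
                {
                    Subject = "Password reset request",
                    Body = "To choose a new password, open this link within 30 minutes:\r\n" + link,
                    IsBodyHtml = false   // plain text: nothing user-controlled is rendered as HTML
                };
                // Host, port, SSL and credentials come from <system.net><mailSettings> in web.config,
                // so no Gmail password sits in the code-behind.
                using (var smtpc = new SmtpClient())
                {
                    smtpc.Send(msg);
                }
            }
        }

        // 3. Identical response whether or not the address exists, so the form cannot be used
        //    to enumerate registered e-mail addresses.
        pwdlbl.Text = "If that address is registered, a password reset link has been sent to it.";
    }
}
```

The reset page (not shown) decodes the token from the query string with `HttpServerUtility.UrlTokenDecode`, hashes it the same way, and lets the user set a new password only when a `password_reset` row with that hash and a future `Expires` exists, deleting the row once it has been used. The new password itself should be stored as a salted hash (for example via `Rfc2898DeriveBytes`), never as plain text in a `Pwd` column; a database that never holds the cleartext has nothing to mail in the first place.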