I currently have a form where you can enter a username and password and it creates a record of it in Access. From there, whenever it asks for a username and password, you enter yours and it checks to see if it is correct. I have all of this working correctly but now I have a separate form where you can change your password but I don't know how I would do that. Here is what I have so far:

Dim con As OleDbConnection = New OleDbConnection()
Dim cmd As OleDbCommand
Dim sql = "SELECT UN, PW FROM Users WHERE UN='" & cmbUser.Text & "' AND PW='" & txtOldPass.Text & "'"
cmd = New OleDbCommand(sql, con)
con.ConnectionString = ("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=../Database.mdb")
con.Open()
Dim dr As OleDbDataReader = cmd.ExecuteReader

Try
   If dr.Read = False Then
      MsgBox("Password is incorrect!")
      txtOldPass.Text = ""
      txtNewPass.Text = ""
      txtNewPassConf.Text = ""
   ElseIf txtNewPass.Text <> txtNewPassConf.Text Then
      MsgBox("Passwords do not match!")
      txtOldPass.Text = ""
      txtNewPass.Text = ""
      txtNewPassConf.Text = ""
   Else
      'This is where the change password code goes
      MsgBox("You password has been changed!")
      cmbUser.SelectedIndex = -1
      txtOldPass.Text = ""
      txtNewPass.Text = ""
      txtNewPassConf.Text = ""
   End If
Catch ex As Exception
   MsgBox(ex.Message)
End Try
con.Close()

As you can see, everything seems to be working just fine. Just need code to change the value of the PW cell. I think I could use the sql string but I am not sure exactly how. Thanks in advance!

Alexiz Hernandez

1 Answer

You could use this code.

Notice that the values passed to the database should be transmitted through parameters (and this is true also for your initial SELECT), not by concatenating strings together to form the command text (SQL injection, parsing problems, clearer command text).

   .....
   Else
      'This is where the change password code goes
      Dim cmdText = "UPDATE Users SET PW = @pwd " & _
                    "WHERE UN = @uname AND PW = @oldpwd"
      dr.Close()
      Dim cmdUpdate As New OleDbCommand(cmdText, con)
      ' OleDb binds parameters by position, so add them in the order they appear in cmdText
      cmdUpdate.Parameters.AddWithValue("@pwd", txtNewPass.Text)
      cmdUpdate.Parameters.AddWithValue("@uname", cmbUser.Text)
      cmdUpdate.Parameters.AddWithValue("@oldpwd", txtOldPass.Text)
      cmdUpdate.ExecuteNonQuery()
      MsgBox("You password has been changed!")
      cmbUser.SelectedIndex = -1
      txtOldPass.Text = ""
      txtNewPass.Text = ""
      txtNewPassConf.Text = ""
   End If

That said, remember that storing passwords in clear text is a big hole in your security. Anyone that can grab the Access file can read the passwords of your users. The best approach to store passwords in a database is through a one-way cryptography method (hashing and salt).

You could find more info in this question

Steve
  • I understand that this is not very secure but this project is only for work for inputting tickets into a database. But thank you very much for the link! It will definitely help me for future projects! :) – Alexiz Hernandez Feb 11 '15 at 17:10
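The two points made in the answer, parameterized commands and salted one-way hashing, combined in one password-change routine. This is an added example, not code from the question or the answer. It assumes hypothetical `Salt` and `PwHash` text columns (Base64) in `Users` in place of `PW`, an assumed iteration count, and .NET Framework 4.7.2 or later for the `HashAlgorithmName` overload of `Rfc2898DeriveBytes`.

```vbnet
Imports System.Data.OleDb
Imports System.Security.Cryptography
Module PasswordStore
    ' Assumed parameters for this example; Salt and PwHash are hypothetical columns.
    Private Const Iterations As Integer = 100000
    Private Const SaltSize As Integer = 16
    Private Const HashSize As Integer = 32
    ' PBKDF2-HMAC-SHA256 of the password under the given salt.
    Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(HashSize)
        End Using
    End Function
    ' Compare two hashes without stopping at the first differing byte.
    Function SameBytes(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
    ' Returns True only if the old password verified and exactly one row was updated.
    Function ChangePassword(con As OleDbConnection, user As String,
                            oldPass As String, newPass As String) As Boolean
        Dim oldSalt As Byte() = Nothing, oldHash As Byte() = Nothing
        Using cmd As New OleDbCommand("SELECT Salt, PwHash FROM Users WHERE UN = ?", con)
            cmd.Parameters.AddWithValue("@uname", user)
            Using dr As OleDbDataReader = cmd.ExecuteReader()
                If Not dr.Read() Then Return False ' unknown user
                oldSalt = Convert.FromBase64String(dr.GetString(0))
                oldHash = Convert.FromBase64String(dr.GetString(1))
            End Using
        End Using
        If Not SameBytes(HashPassword(oldPass, oldSalt), oldHash) Then Return False
        ' A fresh random salt for every new password.
        Dim newSalt(SaltSize - 1) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(newSalt)
        End Using
        Using cmd As New OleDbCommand("UPDATE Users SET Salt = ?, PwHash = ? WHERE UN = ?", con)
            ' OleDb binds by position: add parameters in the order of the ? marks.
            cmd.Parameters.AddWithValue("@salt", Convert.ToBase64String(newSalt))
            cmd.Parameters.AddWithValue("@hash", Convert.ToBase64String(HashPassword(newPass, newSalt)))
            cmd.Parameters.AddWithValue("@uname", user)
            Return cmd.ExecuteNonQuery() = 1
        End Using
    End Function
End Module
```

The connection passed in must already be open; the form code would call `ChangePassword(con, cmbUser.Text, txtOldPass.Text, txtNewPass.Text)` after confirming the two new-password fields match.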