
I have two forms; one for login and another for changing the password. I am using a Microsoft Access database as back-end. I have made the login form using query builder.

The password gets changed, but when I try logging in with the new password it rejects the password. If I close the application and re-open it, the new password works. I want it to get updated right away so that I can use the updated password without having to close the application.

This is the code for changing the password:

    ' The post omitted the Sub header; the handler name below is assumed.
    ' Needs Imports System.Data.OleDb for the unqualified OleDbCommand.
    Private Sub btnChangePassword_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnChangePassword.Click
        Dim conn As New OleDb.OleDbConnection
        conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=G:\Bus ticketing-5th sem\WindowsApplication3\bus.mdb"
        Try
            ' This SELECT is never executed; CommandText is overwritten below
            Dim cmd As New OleDbCommand("select [PASSWORD] from login where USERNAME=? ", conn)
            If conn.State = ConnectionState.Open Then conn.Close()
            conn.Open()
            Dim i As Integer
            i = MsgBox("Are You Sure Update Selected Record ?", MsgBoxStyle.OkCancel)   ' result is never checked
            If (txtnpass.Text <> txtconpass.Text) Then
                MsgBox("Password mismatching")
            Else
                ' Builds the UPDATE by string concatenation and stores the new password in clear text
                cmd.CommandText = "UPDATE login SET [PASSWORD]='" & txtnpass.Text & "' WHERE [USERNAME]='" & txtusername.Text & "'"
                cmd.ExecuteNonQuery()
                ''Call busDataSet()
                Call Reset()
                MsgBox("Record Updated Successfully", MsgBoxStyle.Information)
            End If
        Catch ex As Exception
            MsgBox(ex.Message)
        End Try
    End Sub

This is the code for the login form using query builder:

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim login1 = LoginTableAdapter.UserPasswordString(USERNAMETextBox.Text, PASSWORDTextBox.Text)
        If login1 Is Nothing Then
            MessageBox.Show(" CHECK USERNAME OR PASSWORD ", "Authentication Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
        Else
            MsgBox(" WELCOME ADMIN! ", MsgBoxStyle.Information, " SUCCESSFULLY LOGGED IN ")
            Form9.Show()
            Me.Hide()
        End If
    End Sub
    Two things. You are saving the password in clear text (not secure) and you are not using parametrised queries, thus open to SQL injection attacks. You should encrypt the password in your code and then save the encrypted password. When checking if the user has entered the correct password, just encrypt what they have entered and check against the stored encrypted password. Search SO on how to create parametrised queries. To change password, check the encrypted old password matches the current stored and if it does, encrypt the new password and save. BTW Password is a reserved word in Access. – Mych Sep 15 '15 at 08:46
  • Updated my answer for your added function that I requested, please review it. – AStopher Sep 15 '15 at 11:53

1 Answer

The problem here is that you do not reset the form, meaning that the PASSWORDTextBox & USERNAMETextBox (horrible variable naming scheme, by the way!) are the same & as a result, the LoginTableAdapter.UserPasswordString includes the same variables as before (i.e., the password that was used before it was reset).

To fix this, you need to refresh the login form using [formName].Refresh() in order to clear any 'cached' data such as login details stored in the form. If you aren't already, you should also be clearing the username & password fields when the login form is loaded or unhidden (aka, the OnLoad & Close events).

Another issue is that you are not protecting your passwords and they are sent + stored in the database in plaintext. Now, two problems with this approach:

  • An attacker with access to the database can log in as any user as they can see the passwords
  • Other users could potentially exploit this

You need to hash your passwords with an algorithm (I recommend SHA, MD5 can be used but is not recommended). You should also be sanitizing the inputs that are sent to the database, as an attacker could easily destroy any data held in the database using an innocent TextBox. This is called 'SQL injection' and can be extremely nasty.

The way a hash works is that you store a hashed version of the password in the database, and then your program creates a hash of the password in the password TextBox, & compares it to the one held in the database. If the hashes match, the passwords match. Hashing is only one-way; they cannot be decrypted.

Not protecting passwords with hashes could potentially break data protection law, so be very careful if you end up going down the dangerous route of not hashing passwords.
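As an added example (not the asker's or the answerer's code), this is the approach Mych's comment and the answer above describe, in VB.NET against Access through OleDb: hash on store, hash again on check, and `?` parameters instead of string concatenation. It uses PBKDF2 (Rfc2898DeriveBytes, which is built on SHA-1) with a per-user random salt rather than a bare SHA hash, and assumes a `login` table with text columns USERNAME, PasswordHash and Salt plus a placeholder bus.mdb path; none of those names are in the post.

```vbnet
Imports System.Data.OleDb
Imports System.Security.Cryptography

' Assumed schema: login(USERNAME, PasswordHash, Salt), all text; the path is a placeholder.
Module PasswordStore
    Private Const ConnStr As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=bus.mdb"
    ' PBKDF2 over the password with the user's salt; the same call is used on store and on check.
    Private Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, 10000)   ' 10000 iterations
            Return kdf.GetBytes(32)
        End Using
    End Function
    ' Compare every byte so the comparison time does not depend on where the bytes differ.
    Private Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function
    ' Change password: new random salt, new hash, written through '?' parameters (never concatenated).
    Public Sub SetPassword(username As String, newPassword As String)
        Dim salt(15) As Byte
        RandomNumberGenerator.Create().GetBytes(salt)
        Dim hash As Byte() = HashPassword(newPassword, salt)
        Using conn As New OleDbConnection(ConnStr)
            Dim cmd As New OleDbCommand("UPDATE login SET PasswordHash = ?, Salt = ? WHERE USERNAME = ?", conn)
            cmd.Parameters.AddWithValue("@hash", Convert.ToBase64String(hash))   ' OleDb binds by position
            cmd.Parameters.AddWithValue("@salt", Convert.ToBase64String(salt))
            cmd.Parameters.AddWithValue("@user", username)
            conn.Open()
            cmd.ExecuteNonQuery()
        End Using
    End Sub
    ' Login: fetch the stored salt and hash for the user, re-hash the typed password and compare.
    Public Function CheckLogin(username As String, password As String) As Boolean
        Using conn As New OleDbConnection(ConnStr)
            Dim cmd As New OleDbCommand("SELECT PasswordHash, Salt FROM login WHERE USERNAME = ?", conn)
            cmd.Parameters.AddWithValue("@user", username)
            conn.Open()
            Using rdr As OleDbDataReader = cmd.ExecuteReader()
                If Not rdr.Read() Then Return False   ' unknown user
                Dim salt As Byte() = Convert.FromBase64String(rdr.GetString(1))
                Dim stored As Byte() = Convert.FromBase64String(rdr.GetString(0))
                Return FixedTimeEquals(stored, HashPassword(password, salt))
            End Using
        End Using
    End Function
End Module
```

Because the login form re-queries the database on every click, a password changed through SetPassword is seen by CheckLogin immediately, with no cached copy of the old value in the form.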
