
So, the user inputs their email in case they forgot their password. The input is taken into a query that selects the row where Email is equal to the email entered by the user. But how do I also get the password value in column two to return to the user?

The code I'm using is this:

    ' Requires Imports MySql.Data.MySqlClient at the top of the file.
    ' dbconn, dbcomm, dbread, query and the connection settings are declared elsewhere.
    Try
        If Not dbconn Is Nothing Then dbconn.Close()
        dbconn.ConnectionString = String.Format("server={0}; port=3306; user id={1}; password={2}; database={3}; pooling=true", server, userName, password, DatabaseName)

        dbconn.Open()

        ' The email typed by the user is concatenated straight into the SQL text
        query = String.Format("SELECT * FROM Testers WHERE Email='" + forgotEmail + "'")
        Try
            dbcomm = New MySqlCommand(query, dbconn)
            dbread = dbcomm.ExecuteReader()
            While dbread.Read()
                ' Each matching row is available here through dbread
            End While
            dbread.Close()

        Catch ex As Exception
            MsgBox(ex.ToString)
        End Try
    Catch ex As Exception
        MsgBox(ex.ToString)
    End Try

But what do I do after the query point?

Dominik H
  • Thank you for the downvote, kind sir/madam, it really helps me figure out what I can do here. Now can someone PLEASE explain to me what is wrong with this question to deserve a downvote? Thought not, because this is a genuine question. – Dominik H Jan 03 '16 at 17:05
  • Passwords ought not be stored as plaintext ever; they should be hashed. Then, since you can't send the hash, you would generate a random one to send to them, hash it and save it. – Ňɏssa Pøngjǣrdenlarp Jan 03 '16 at 17:23
  • @Plutonix I see, where could I find out more about hashing? – Dominik H Jan 03 '16 at 17:24
  • [Is it safe to store passwords in my DB?](http://stackoverflow.com/q/31146658/1070452) – Ňɏssa Pøngjǣrdenlarp Jan 03 '16 at 17:26
  • You never ever send plain passwords to a user via email. Instead send a link where the user can reset the old one and define a new one. – Alex B. Jan 03 '16 at 17:26
  • @AlexB. I could do that, though I don't have a website set up for resetting passwords. One thing I just want to put out there is that the passwords are randomly generated, like serial codes; users will not be able to change them. Upon "registration" the user will receive an email which includes their login credentials. – Dominik H Jan 03 '16 at 17:30
  • @Plutonix thanks, this is indeed very useful, I will look into that! – Dominik H Jan 03 '16 at 17:30
  • Oh boy, nobody here talks about the elephant in the China shop? – Steve Jan 03 '16 at 17:32
  • @Danny_ds Oh nothing! haha – Dominik H Jan 03 '16 at 17:37
  • @Steve I thought plaintext PWs *were* the elephant - what else do you see? – Ňɏssa Pøngjǣrdenlarp Jan 03 '16 at 17:39
  • Ok, from a user's point of view I don't like the fact that I can't change my password and instead I have to use a random one. But this is another story and would go too wide ;) – Alex B. Jan 03 '16 at 17:42
  • @AlexB. I suppose you're right about that. But I don't think there is a need to allow password changes for this purpose. – Dominik H Jan 03 '16 at 17:44
  • Blatant SQL injection; I suppose that this is a lot more problematic than plain text passwords. – Steve Jan 03 '16 at 17:44
  • @Steve what are you talking about? – Dominik H Jan 03 '16 at 17:44
  • I took `forgotEmail` to be a var read from the db elsewhere since ***I*** would only send a PW reset to the email addy of record, but yeah, maybe. @Steve – Ňɏssa Pøngjǣrdenlarp Jan 03 '16 at 17:46
  • http://xkcd.com/327/ – Steve Jan 03 '16 at 17:47
  • Can somebody please explain what's going on here? – Dominik H Jan 03 '16 at 17:47
  • SQL injection is a well known technique that allows a hacker to get the info in your database or destroy it altogether. This 'technique' is possible when you concatenate strings to build SQL queries like you do in your code. If the hacker can INJECT a well crafted SQL text into your string, you are doomed. See the link above. – Steve Jan 03 '16 at 17:50
  • You want to use SQL parameters rather than concatenating bits of string to create a query. It's hard not to look at Q+As here that do not explain it. The model is conceptually flawed (on several levels) though, if I can send you an email addy requesting the PW for any account. That's what those security questions prevent. – Ňɏssa Pøngjǣrdenlarp Jan 03 '16 at 17:50
  • So basically I should rather split the query into bits, or what? Could you please provide an example of what you mean? – Dominik H Jan 03 '16 at 17:52
  • The only antidote possible is called [Parameterized Query](http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/) or for a full blown explanation http://www.unixwiz.net/techtips/sql-injection.html – Steve Jan 03 '16 at 17:54
  • @Steve I see, thanks for this! – Dominik H Jan 03 '16 at 17:56

1 Answer

Update: Since the provided example is about passwords, and great care should be taken concerning password security, I'll start this (accepted) answer with some important points to consider, also commented by other users:


Now for the question:

Search for a value from column one, and return value from column two on the same row in VB.NET

Try this:

    Dim fieldval As String

    While dbread.Read()
        ' Column two of the matching row, looked up by column name
        fieldval = dbread.GetString(dbread.GetOrdinal("column2"))
        'Do something with fieldval
    End While

Of course, the while loop should only execute once in this case (i.e. there should only be one record containing that email address).

You can also reduce this:

    query = String.Format("SELECT * FROM Testers WHERE Email='" + forgotEmail + "'")

to

    query = String.Format("SELECT column2 FROM Testers WHERE Email='" + forgotEmail + "'")

where column2 is the name of that field.


Of course, when working with passwords, one should always be extremely careful. Also check out Plutonix' comment!

Danny_ds
  • This is exactly what I'm looking for, thank you very much! Also, I appreciate the optimization! One question though, say the user enters an email that is not on the list, would 'while dbread.Read()' still be executed or would it be seen as a 'False'? – Dominik H Jan 03 '16 at 17:17
  • Glad it worked out. In case of invalid email address the query should return an empty recordset, and the While loop should not execute. But it's always best to do a small test - I'm not a VB programmer, so I can't say for 100% sure what the .Read() will return. – Danny_ds Jan 03 '16 at 17:22
  • Very well, that's fair enough, I'll get onto testing that now. Once again thanks! Have a good day sir! – Dominik H Jan 03 '16 at 17:23
  • You never ever send plain passwords to a user via email – Alex B. Jan 03 '16 at 17:25
  • @AlexB. - That's right of course! (updated my post right before your comment). But I was merely answering 'how to get a value from a field'. – Danny_ds Jan 03 '16 at 17:30
  • @DominikH - Also check out my update and Plutonix' and AlexB.'s comments regarding password security. – Danny_ds Jan 03 '16 at 17:32
  • Well, although I appreciate your will to help the PO, you should not post a quick and dirty answer which might solve the local problem but will raise or at least encourage major security risks. As a professional developer on SO it is your duty to inform the PO about those risks. – Alex B. Jan 03 '16 at 17:36
  • @AlexB. - I hear you Alex - that's what I did right before your first comment, and with an extra comment to the PO. I think he'll get it by now. Have a nice day. – Danny_ds Jan 03 '16 at 17:50
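The comments on both the question and the answer recommend two changes to the posted code: pass the email as a SQL parameter instead of concatenating it, and never mail the stored password. The following is an added example (not code from the question, the answer or any of the commenters) that does both for the page's Testers table; it assumes two hypothetical columns, ResetTokenHash and ResetTokenExpires, and an open MySqlConnection supplied by the caller.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports MySql.Data.MySqlClient

' Added example. Assumes the page's Testers table with its Email column plus two
' hypothetical columns: ResetTokenHash (string) and ResetTokenExpires (datetime).
Module ForgotPasswordExample

    ' Same lookup as the question, but the email travels as a parameter, so a quote
    ' or other special character in the address is compared as literal text
    ' instead of changing the shape of the query.
    Function TesterExists(conn As MySqlConnection, forgotEmail As String) As Boolean
        Using cmd As New MySqlCommand("SELECT 1 FROM Testers WHERE Email = @email", conn)
            cmd.Parameters.AddWithValue("@email", forgotEmail)
            Using dbread = cmd.ExecuteReader()
                Return dbread.Read()   ' False when no row matches, so nothing is sent
            End Using
        End Using
    End Function

    ' SHA-256 of the token, as a lowercase hex string. Only this hash is stored, so a
    ' copy of the database yields neither passwords nor usable reset tokens.
    Function Sha256Hex(value As String) As String
        Using sha As SHA256 = SHA256.Create()
            Dim digest = sha.ComputeHash(System.Text.Encoding.UTF8.GetBytes(value))
            Return BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant()
        End Using
    End Function

    ' Instead of mailing the stored password, create a one-time random token, store
    ' only its hash with a 30-minute expiry, and return the token for the reset email.
    ' Returns Nothing when the address is unknown, so no token is issued or mailed.
    Function IssueResetToken(conn As MySqlConnection, forgotEmail As String) As String
        Dim raw(31) As Byte                     ' 32 bytes from a cryptographic RNG
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(raw)
        End Using
        Dim token = Convert.ToBase64String(raw)
        Dim sql = "UPDATE Testers SET ResetTokenHash = @hash, ResetTokenExpires = @exp WHERE Email = @email"
        Using cmd As New MySqlCommand(sql, conn)
            cmd.Parameters.AddWithValue("@hash", Sha256Hex(token))
            cmd.Parameters.AddWithValue("@exp", DateTime.UtcNow.AddMinutes(30))
            cmd.Parameters.AddWithValue("@email", forgotEmail)
            If cmd.ExecuteNonQuery() = 0 Then Return Nothing
        End Using
        Return token
    End Function
End Module
```

When the user follows the emailed link, the reset page hashes the presented token with the same Sha256Hex and compares it to ResetTokenHash (checking ResetTokenExpires) through another parameterized query before letting the user set a new password.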