I am creating a Windows login form with an option in case you forget your password, in which you will click a button to direct you to another form where you can answer security questions and stuff to confirm your identity before the password is retrieved from the DataTable and displayed in a MessageBox. My code is already able to verify the identity, but how do I obtain the value of the password from the same row that the Username is entered in?

I have absolutely no programming background and/or knowledge and would greatly appreciate it if you can help with examples or code, thanks :)

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Windows.Forms;

private void button1_Click(object sender, EventArgs e)
{
    SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Daniel Koh\Documents\AccountData.mdf;Integrated Security=True;Connect Timeout=30");

    // The query text is built by string concatenation, so whatever is typed into the
    // text boxes becomes part of the SQL statement itself (see the comments below).
    SqlDataAdapter sda = new SqlDataAdapter("Select Count(*) From [Table] where Username='" + textBox1.Text + "' and EmployeeId ='" + textBox2.Text + "' and SecurityQuestionAnswer='" + textBox3.Text + "' and SecurityQuestionType='" + comboBox1.SelectedItem.ToString() + "'", con);

    DataTable dt = new DataTable();
    sda.Fill(dt);

    SqlConnection.ClearAllPools();

    if ((dt.Rows[0][0].ToString() == "1"))
    {
        string username = textBox1.Text;

        // dt contains only the single Count(*) cell, so it has no "username" or "Password"
        // column; dr["username"] throws an ArgumentException at this point.
        string password = (from DataRow dr in dt.Rows
                           where (string)dr["username"] == username
                           select (string)dr["Password"]).FirstOrDefault();
        MessageBox.Show(password);
    }
    else
    {
        MessageBox.Show("Please check your Username, Security Question Answer and EmployeeID");
    }
}
```
Joshua

  • Please [read this](https://stackoverflow.com/questions/5468425/how-do-parameterized-queries-help-against-sql-injection) in order to prevent SQL injection. – ProgrammingLlama Oct 19 '17 at 02:20
  • Also, you should not be storing your password in such a way that it can be retrieved and shown to a user; this would allow a hacker to also be able to retrieve the passwords. You should always use a one-way hash with appropriate seeds to store your passwords. Best practice is to send a link to the user's registered email that allows them to set a new password. – Dijkgraaf Oct 19 '17 at 02:38
  • You are getting the number of rows with this: `Select Count(*)`, so it will return a number. Change it to: `Select username, password...`. And like others have said, it's very easy to hack and get into your application if you write code like that. Please see [this](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work) – CodingYoshi Oct 19 '17 at 03:08
  • Try this for the username: `' or 1=1--` and see what happens. Put any password. – CodingYoshi Oct 19 '17 at 03:19
  • "I have absolutely no programming background and or knowledge" Well then, what do you expect us to do? There are many problems in the code you currently have, starting with the fact that you are concatenating strings to create SQL statements instead of using parameters, through saving passwords as plain text in the database (the fact that you **can** retrieve the password from the database means you are doing it **wrong**), the fact that you fill a dataset and then query it using LINQ when all you really need is `ExecuteScalar`, and probably many more. – Zohar Peled Oct 19 '17 at 04:53
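The shape the comments point to, as an added example that is not the asker's code or any answer on the page: the identity check uses `SqlParameter`s instead of string concatenation, the security answer and the password are stored only as salted PBKDF2 hashes, and instead of reading the password back the form lets the user set a new one. The column names `AnswerSalt`, `AnswerHash`, `PasswordSalt`, `PasswordHash` and the `newPasswordBox` control are assumptions; the connection string is the one from the question. The `Rfc2898DeriveBytes` overload taking a `HashAlgorithmName` needs .NET Framework 4.7.2+ or .NET Core.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Assumed schema: [Table](Username, EmployeeId, SecurityQuestionType,
// AnswerSalt varbinary(16), AnswerHash varbinary(32),
// PasswordSalt varbinary(16), PasswordHash varbinary(32)).
public static class PasswordReset
{
    const string ConnectionString =
        @"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Daniel Koh\Documents\AccountData.mdf;Integrated Security=True;Connect Timeout=30";
    const int Iterations = 100000;
    const int SaltBytes = 16;
    const int HashBytes = 32;

    // PBKDF2-SHA256 of the secret under a per-row salt; the same function is
    // used when the value is stored and when it is checked.
    public static byte[] Derive(string secret, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compare every byte so the time taken does not reveal where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Step 1: confirm identity. The user-typed values travel as parameters, so
    // "' or 1=1--" is just a string that matches no row.
    public static bool VerifySecurityAnswer(string username, string employeeId, string questionType, string answer)
    {
        const string sql =
            "SELECT AnswerSalt, AnswerHash FROM [Table] " +
            "WHERE Username = @u AND EmployeeId = @e AND SecurityQuestionType = @q";

        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = username;
            cmd.Parameters.Add("@e", SqlDbType.NVarChar, 64).Value = employeeId;
            cmd.Parameters.Add("@q", SqlDbType.NVarChar, 64).Value = questionType;
            con.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;                 // no such row: fail closed
                var salt = (byte[])reader["AnswerSalt"];
                var stored = (byte[])reader["AnswerHash"];
                return FixedTimeEquals(Derive(answer, salt), stored);
            }
        }
    }

    // Step 2: the old password is never read back (it cannot be, only its hash
    // exists). A fresh salt and hash replace it.
    public static bool SetNewPassword(string username, string newPassword)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        var hash = Derive(newPassword, salt);

        const string sql = "UPDATE [Table] SET PasswordSalt = @s, PasswordHash = @h WHERE Username = @u";
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@s", SqlDbType.VarBinary, SaltBytes).Value = salt;
            cmd.Parameters.Add("@h", SqlDbType.VarBinary, HashBytes).Value = hash;
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 64).Value = username;
            con.Open();
            return cmd.ExecuteNonQuery() == 1;                     // exactly one row changed
        }
    }
}

// In the form, in place of button1_Click from the question (newPasswordBox is assumed):
//
// if (PasswordReset.VerifySecurityAnswer(textBox1.Text, textBox2.Text,
//                                        comboBox1.SelectedItem.ToString(), textBox3.Text))
//     MessageBox.Show(PasswordReset.SetNewPassword(textBox1.Text, newPasswordBox.Text)
//                     ? "Password updated" : "Update failed");
// else
//     MessageBox.Show("Please check your Username, Security Question Answer and EmployeeID");
```

The login form checks a typed password the same way: load `PasswordSalt` and `PasswordHash` for the username, call `Derive` on the typed value, and compare with `FixedTimeEquals`. The e-mailed reset link Dijkgraaf mentions would sit in front of `SetNewPassword`, but the hashing and parameterisation are the same either way.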

0 Answers