-5

I'm having issues updating the password for users in my assignment. It requires three textboxes: one for the current password, one for the new password and one to confirm the new password. I tried different methods but it is not updating. The user can log in successfully but I can't update the password. This is my code for the login part:

    public static string settext = "";
    public Admin_Login_Form()
    {
        InitializeComponent();
    }

    private void button1_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection("Data Source=DESKTOP-CJGIQ74;Initial Catalog=logininfo;Integrated Security=True");
        con.Open();
        string newcom = "select Name from login where Name='" + textBox1.Text + "' AND password= '" + textBox2.Text + "'";
        SqlDataAdapter adp = new SqlDataAdapter(newcom,con);
        DataSet ds = new DataSet();
        adp.Fill(ds);
        DataTable dt = ds.Tables[0];
        if (dt.Rows.Count>=1)
        {
            settext = textBox1.Text;
            Admin_Main_Page Main = new Admin_Main_Page();
            Main.Show();
            this.Hide();

        }
        else
        {
            label5.Text = "Invalid Data";
        }


    }

And this is my registration part:

    private void SignUpAdmin_But_Click(object sender, EventArgs e)
    {
        SqlConnection con = new SqlConnection("Data Source=DESKTOP-CJGIQ74;Initial Catalog=logininfo;Integrated Security=True");
        con.Open();
        string newcom = "insert into login(Name,password,email,address,contact,creditcard) VALUES ('"+NameTxtb_Admin.Text+"','"+PasswordTxtb_Admin.Text + "','" + EmailTxtb_Admin.Text + "','" + AddressTxtb_Admin.Text + "','" + ContactTxtb_Admin.Text + "','" + CreditCardTxtb_Admin.Text + "')";
        SqlCommand cmd = new SqlCommand(newcom , con);
        cmd.ExecuteNonQuery();
        MessageBox.Show("Congratulations… You've been registered!");
        this.Close();
    }

Note: I know I didn't use parameters; I just noticed by browsing this site.

Does anyone have an idea what the code for this issue is?

  • What does "cant update the password" mean? Do you get an error? – Tab Alleman Jul 25 '18 at 14:34
  • 2
    Hi, don't hand-craft queries like this. You are vulnerable to SQL injection. Please use an ORM or parameterised queries. https://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection – Drag and Drop Jul 25 '18 at 14:35
  • 5
    Imagine what would happen if the user entered `' OR 1=1; --` as a password. Or `'; DROP TABLE USERS;--`. Don't reinvent the wheel. ASP.NET already implements proper authentication (with a salted, 1024-iteration SHA2 hashing). You can use those authentication services from desktop applications too. There are a *lot* of tutorials that show how to make ADO.NET calls properly without risking SQL injection attacks. – Panagiotis Kanavos Jul 25 '18 at 14:35
  • 3
    Obligatory link... http://bobby-tables.com/ – Sean Lange Jul 25 '18 at 14:36
  • 2
    And passwords should NEVER be stored in clear text. They should be salted and hashed. – Sean Lange Jul 25 '18 at 14:36
  • You *don't* need to fill a datatable if you only want to retrieve a name. Use ExecuteScalar instead. I suspect this code was copy-pasted from various SO questions? – Panagiotis Kanavos Jul 25 '18 at 14:37
  • From Aldert: `Seems you are only selecting/inserting data, I do not see any update sql?` – Panagiotis Kanavos Jul 25 '18 at 14:37
  • And please take a minute to read about ORM, and crypt the password and the credit card. – Drag and Drop Jul 25 '18 at 14:41
  • 1
    OUCH...I didn't even see the credit card issue. That is just awful and is illegal in several states to store credit card data like that. And the table structure is pretty bad there also, you have limited a user to only having a single card on file. But unless you are going to follow through with full PCI compliance you should immediately stop storing credit card information. – Sean Lange Jul 25 '18 at 14:44
  • This is just an assignment for my module Introduction to Object Oriented Programming in C#; the assignment is about making an online shopping store. I did not write the code for updating the password and I do not know how to write it, which is why I asked here. Sorry if it wasn't clear. – Sayed Ali Alwedaei Jul 25 '18 at 15:11
  • I commented about things like SQL injection attacks and SqlConnection and SqlDataAdapter being disposable in [your last question](https://stackoverflow.com/questions/51394036/login-error-based-on-sql-server); and that still applies, and will continue to apply to everything you ever do in the future. SqlCommand is also disposable. – Richardissimo Jul 28 '18 at 06:48

1 Answer

1

Looks like you need an update statement if you want to update users' passwords, like:

    update login set
        Password = 'NewPassword'
    where
        name = 'usernameifunique' and
        Password = 'theoldpassword';

Also, you can at least use parameterized queries to avoid injections; if this is just homework I guess you're fine. You can check out my datalayer at GitHub; it has helped countless times with SQL.

Alex
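An added example (not code from the question or the answer) of the UPDATE the answer describes, written with parameters and with the salted hashing the comments ask for. The class name, the `salt` and `password_hash` columns, the column sizes and the iteration count are assumptions; the three string arguments are the values of the three textboxes.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example. Assumes the login table stores hypothetical columns
// salt VARBINARY(16) and password_hash VARBINARY(32) in place of the
// plain-text password column, and that Name is unique.
public static class PasswordChanger
{
    const int Iterations = 100000; // assumed PBKDF2 work factor

    static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // current / newPassword / confirm are the three textbox values.
    public static bool ChangePassword(string connectionString, string name,
                                      string current, string newPassword, string confirm)
    {
        if (string.IsNullOrEmpty(newPassword) || newPassword != confirm) return false;
        using (var con = new SqlConnection(connectionString))
        {
            con.Open();
            byte[] salt;
            using (var get = new SqlCommand("SELECT salt FROM login WHERE Name = @name", con))
            {
                get.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
                salt = get.ExecuteScalar() as byte[];
            }
            if (salt == null) return false; // unknown user

            var newSalt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(newSalt);

            // Same shape as the answer's UPDATE: the row changes only if the old hash matches.
            using (var upd = new SqlCommand(
                "UPDATE login SET salt = @newSalt, password_hash = @newHash " +
                "WHERE Name = @name AND password_hash = @oldHash", con))
            {
                upd.Parameters.Add("@newSalt", SqlDbType.VarBinary, 16).Value = newSalt;
                upd.Parameters.Add("@newHash", SqlDbType.VarBinary, 32).Value = Hash(newPassword, newSalt);
                upd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
                upd.Parameters.Add("@oldHash", SqlDbType.VarBinary, 32).Value = Hash(current, salt);
                return upd.ExecuteNonQuery() == 1; // 0 rows: wrong current password
            }
        }
    }
}
```

A `false` return covers mismatched new passwords, an unknown user and a wrong current password, so the form can show one generic failure message.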