
I'm trying to allow a user to reset/update their password in the event that they have forgotten it, matching the username and their full name in order to reset the password. However, I keep getting the error message "Username and name is not matching" even when they match.

using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

string strConnString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
string str = null;
SqlCommand com;
byte up;
protected void btn_update_Click(object sender, EventArgs e)
{
    // using closes and disposes the connection on every exit path, including exceptions
    using (SqlConnection con = new SqlConnection(strConnString))
    {
        try
        {
            string un, pw;
            un = txtUsername.Text;

            pw = Encrypt(txt_npassword.Text, "mykey");
            SqlCommand command = new SqlCommand("PP_spReset", con);

            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@UserName", SqlDbType.VarChar).Value = un;

            command.Parameters.Add("@password", SqlDbType.VarChar).Value = pw;

            // Open exactly once: calling Open() on a connection that is already open
            // throws InvalidOperationException ("The connection is already open"),
            // which is then handled by the catch block below.
            con.Open();

            int rowupdated = command.ExecuteNonQuery();
            if (rowupdated > 0)
            {
                Response.Redirect(@"~/Account/Login.aspx");
            }
            else
            {
                lbl_msg.Text = "Username does not exist";
            }
        }
        catch (Exception ex)
        {
            // "throw;" rethrows the original exception with its stack trace intact;
            // "throw ex;" would reset the trace to this line.
            throw;
        }
    }
}

public string Encrypt(string source, string key)
{
    // Derives a 3DES key from MD5(key) and encrypts in ECB mode. The result is
    // reversible by anyone holding "mykey", and equal passwords give equal output;
    // a salted one-way hash is the usual choice for stored passwords.
    using (TripleDESCryptoServiceProvider desCryptoProvider = new TripleDESCryptoServiceProvider())
    using (MD5CryptoServiceProvider hashMD5Provider = new MD5CryptoServiceProvider())
    {
        byte[] byteHash;
        byte[] byteBuff;

        byteHash = hashMD5Provider.ComputeHash(Encoding.UTF8.GetBytes(key));
        desCryptoProvider.Key = byteHash;
        desCryptoProvider.Mode = CipherMode.ECB; //CBC, CFB
        byteBuff = Encoding.UTF8.GetBytes(source);

        string encoded =
            Convert.ToBase64String(desCryptoProvider.CreateEncryptor().TransformFinalBlock(byteBuff, 0, byteBuff.Length));
        return encoded;
    }
}
Sue
  • You are getting the error message from catch block, so something is breaking in try block. Can you debug and see which line is throwing exception? – Vinit Aug 27 '18 at 22:08
  • Your code suffers multiple issues like vulnerability to sql injection. Can you provide the exception details from your `catch` – Xaqron Aug 27 '18 at 22:08
  • You are catching any type of error, SQL error, connection error etc and you make the decision that *Username and name is not matching*. Why? – CodingYoshi Aug 27 '18 at 22:11
  • @Vinit I've updated my solution, but it still seems to be giving the same error message; if I use an SQL query in code it works. – Sue Aug 28 '18 at 00:13

1 Answer


Your 1st issue is your error handling, there's no way to know what the error is because you are masking it.

You have a few options, but you need to define the error (I defined it as e):

Option 1 - Write it out to your message (you should not do this in production because it would provide the client (a potential hacker) too much information about your infrastructure, but it's a start).

Option 2 - Throw the exception, let IIS decide what to do. In DEV mode, set customErrors attribute in your config file:

<customErrors mode="RemoteOnly"></customErrors>

Option 3 - Give a friendly message, but log the information either to the server (file) or the database. That code however is going to differ based on how you implement it.

Either way, you NEED to know what the error is, otherwise you cannot fix it. For simplicity, I have a code update pertaining to # 2, but in production you should really be using # 3 eventually.

catch (Exception e)
{
    // "throw;" keeps the original stack trace; "throw e;" would reset it to this line
    throw;
}

Besides that, you have a SQL injection issue that needs to be corrected by using SQL parameters. Here are some posts on the subject:

  1. What is SQL injection?
  2. What are good ways to prevent SQL injection?
Ctznkane525
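As an added example (not code from the question or the answer), the code-behind below rewrites the handler along the lines of the answer's Option 3 (friendly message to the browser, full detail to a server-side log) and replaces the reversible Encrypt method with a salted one-way PBKDF2 hash. The stored procedure PP_spReset and the control names txtUsername, txt_npassword and lbl_msg come from the question; the class name ResetPassword, the parameter sizes 50 and 200, the iteration count, the hash string format and the use of a System.Diagnostics.Trace listener are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.UI;

// Code-behind for the reset page. The controls txtUsername, txt_npassword and lbl_msg are
// assumed to be declared in the page's designer file, and PP_spReset is assumed to accept a
// password value wide enough for the hash string produced below.
public partial class ResetPassword : Page
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000; // assumed cost factor; tune to the server

    // One-way, salted PBKDF2-SHA256 (this Rfc2898DeriveBytes overload needs .NET Framework
    // 4.7.2 or later). Unlike a reversible 3DES value, a leaked key or database does not
    // hand out the original passwords.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            byte[] hash = kdf.GetBytes(HashBytes);
            // iterations$salt$hash: the cost can be raised later without breaking old rows
            return Iterations + "$" + Convert.ToBase64String(salt) + "$" + Convert.ToBase64String(hash);
        }
    }

    // For the login page: recompute with the stored salt and compare in constant time.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0;
            for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    protected void btn_update_Click(object sender, EventArgs e)
    {
        string connString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
        string username = txtUsername.Text;
        string passwordHash = HashPassword(txt_npassword.Text);
        bool updated = false;

        try
        {
            // using disposes the connection on every exit path; Open() is called exactly once
            // (calling it on an already-open connection throws InvalidOperationException).
            using (var con = new SqlConnection(connString))
            using (var command = new SqlCommand("PP_spReset", con))
            {
                command.CommandType = CommandType.StoredProcedure;
                command.Parameters.Add("@UserName", SqlDbType.VarChar, 50).Value = username;
                command.Parameters.Add("@password", SqlDbType.VarChar, 200).Value = passwordHash;
                con.Open();
                updated = command.ExecuteNonQuery() > 0;
            }
        }
        catch (SqlException ex)
        {
            // Option 3 from the answer: full detail to the server log, a generic message plus a
            // reference id to the browser so support staff can find the matching log entry.
            string incidentId = Guid.NewGuid().ToString("N");
            System.Diagnostics.Trace.TraceError("Password reset failed [{0}] user={1} error={2}: {3}",
                incidentId, username, ex.Number, ex);
            lbl_msg.Text = "Password reset failed (reference " + incidentId + ").";
            return;
        }

        if (updated)
        {
            // Kept outside the try block: in Web Forms, Response.Redirect ends the request with a
            // ThreadAbortException, which a catch (Exception) would otherwise intercept.
            Response.Redirect("~/Account/Login.aspx");
        }
        else
        {
            // Same wording whether the username is unknown or the name did not match, so the
            // page does not reveal which usernames exist.
            lbl_msg.Text = "The username and name entered could not be verified.";
        }
    }
}
```

Only SqlException is caught here; anything else (a bad connection string, a null control) still surfaces through the customErrors setting from Option 2, which is what you want while debugging. The stored value must be verified with VerifyPassword at login rather than compared as a string, since every call to HashPassword produces a fresh salt.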