Home/ Questions/Q 1021459
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T11:18:50+00:00

I am trying to change the user password. I am not able to update

  • 0

I am trying to change the user password. I am not able to update the password :(. The message i am getting is password changed where as its not getting changed. .
My code is as follow.. Please if anyone can suggest where i am going wrong . I am just a beginner …

protected void Button1_Click(object sender, EventArgs e)
{
    DatabaseLayer data = new DatabaseLayer();

    string username = Session["Authenticate"].ToString();
    string password = TextBox1.Text;
    string newpass = TextBox2.Text;
    string confirm = TextBox3.Text;
    string flag = "";

    if (newpass.ToString() == confirm.ToString())
    {
        flag = data.passwordChange(username, password, newpass);
        Literal1.Text = flag.ToString();
    }
    else
    {
        Literal1.Text = "New Password does not match the Confirm Password ";
    }
}

The above click event must change my password, and the function passwordChange is as follows..

public string passwordChange(string username, string password, string newPasswd)
{
    string SQLQuery = "SELECT password FROM LoginAccount WHERE username = '" + username + "'";
    string SQLQuery1 = "UPDATE LoginAccount SET password = ' " + newPasswd + " ' WHERE username = ' " + username + "'";
    SqlCommand command = new SqlCommand(SQLQuery, sqlConnection);
    SqlCommand command1 = new SqlCommand(SQLQuery1, sqlConnection);

    sqlConnection.Open();
    string sqlPassword = "";
    SqlDataReader reader;

    try
    {
        reader = command.ExecuteReader();


        if (reader.Read())
        {
            if (!reader.IsDBNull(0))
            {
                sqlPassword = reader["password"].ToString();
            }
        }
        reader.Close();

        if (sqlPassword.ToString() == password.ToString())
        {
            try
            {
                int flag = 0;
                flag = command1.ExecuteNonQuery();

                if (flag > 0)
                {
                    sqlConnection.Close();
                    return "Password Changed Successfully";
                }
                else
                {
                    sqlConnection.Close();
                    return "User Password could not be changed";
                }
            }
            catch (Exception exr)
            {
                sqlConnection.Close();
                return "Password Could Not Be Changed Please Try Again";
            }
        }
        else
        {
            sqlConnection.Close();
            return "User Password does not Match";
        }
    }
    catch (Exception exr)
    {
        sqlConnection.Close();
        return "User's Password already exists";
    }
}

I had put a break point near 

if(flag>0)

it still shows that executeNonquery aint returning the updated rows value and also in the Back end of SQL server, its not changing,
Please if anyone could correct me… Should i use other execute command or something?
I am doing this with VS 2008 and SQL server 2005..

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    1: It’s your spacing between your single and double quotes: (Like: ' " + username + " ')
    2) You are begging for SQL Injection.

    Try this in your PasswordChange method:

    public string PasswordChange(string userName, string oldPass, string newPass)
{
    using(SqlConnection sqlConnection = new SqlConnection(
        ConfigurationManager.ConnectionStrings["LoginDb"].ConnectionString))
   {
    string sqlToConfirmOldPass =
      "SELECT password FROM LoginAccount WHERE username = @userName";
    string sqlToUpdatePassword =
      "UPDATE LoginAccount SET password = @newPass WHERE username = @userName";

    SqlCommand confirmOldPass = new SqlCommand(sqlToConfirmOldPass, sqlConnection);
    confirmOldPass.Parameters.AddWithValue("@userName", userName);

    SqlCommand updatePassword = new SqlCommand(sqlToUpdatePassword, sqlConnection);
    updatePassword.Parameters.AddWithValue("@newPass", newPass);
    updatePassword.Parameters.AddWithValue("@userName", userName);

    [Rest of your code goes here]
   }
}

    I also didn’t see where you set your SqlConnection, so I’ve added a line for that. You’ll need to modify it according to your needs.

    • 0