This is my login Windows form. My login form works perfectly, but in the change password file I'm getting an error. Please tell me the error.

login.vb file
VB
Imports System.Windows.Forms
Imports System.Data.SqlClient
Imports System.Data

Public Class frmlogin
    Dim con As New SqlConnection("Data Source=Tarun-PC;Initial Catalog=bdsdb;Integrated Security=True")
    Dim da As SqlDataAdapter
    Dim ds As DataSet
    Private Sub frmlogin_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        txtusername.Focus()
    End Sub

    Private Sub Button1_Click(sender As Object, e As EventArgs) Handles btnclear.Click
        txtusername.Clear()
        txtPassword.Clear()
    End Sub

    Private Sub Button2_Click(sender As Object, e As EventArgs) Handles btnSubmit.Click
        Try
            da = New SqlDataAdapter("select Username ,Password from tblloggin where Username='" & txtusername.Text & "' and Password='" & txtPassword.Text & "'", con)
            ds = New DataSet()
            ' If da returns more than 0 rows, the user exists and can log in;
            ' otherwise he can't, because no such user exists in the database.
            da.Fill(ds, "tblloggin")
            'da.Fill(ds)
            If (ds.Tables("tblloggin").Rows.Count > 0) Then
                frmmain.Show()
                Me.Close()
                frmwelcome.Close()
                ' Me.Hide()
            Else
                MessageBox.Show("Incorrect Username and Password", "tblloggin")
            End If

        Catch ex As Exception
            MessageBox.Show("Invalid Operation can not be process")
        End Try
    End Sub

    Private Sub btnCancel_Click(sender As Object, e As EventArgs) Handles btnCancel.Click
        Me.Close()
    End Sub
End Class



changepasseword.vb file

VB
Imports System.Data
Imports System.Data.SqlClient

Public Class frmchangeprofile
    Dim con As SqlConnection

    Dim cmd As New SqlCommand

    Dim username As String
    Dim password As String
    Private Sub frmchangeprofile_Load(sender As Object, e As EventArgs) Handles MyBase.Load
        con = New SqlConnection("Data Source=Tarun-PC;Initial Catalog=bdsdb;Integrated Security=True")
        con.Open()
        username = frmlogin.txtusername.Text
        password = frmlogin.txtPassword.Text
        txtcpusername.Enabled = False
        txtcpusername.Text = username

    End Sub

    Private Sub btnChangeSubmit_Click(sender As Object, e As EventArgs) Handles btnChangeSubmit.Click
        Try
            If txtcpoldpassword.Text = "" And txtcpnewpassword.Text = "" And txtcpconfirmpassword.Text = "" Then
                MessageBox.Show("Any of the fields can not be left blank")
            ElseIf txtcpoldpassword.Text <> username Then
                MessageBox.Show("Invalid Old Passsword")

            ElseIf txtcpnewpassword.Text <> txtcpconfirmpassword.Text Then
                MessageBox.Show("New Password and Confirm Password does not match")
            Else
                cmd = New SqlCommand()
                cmd.CommandText = "update tbllogin set Password ='" & txtcpnewpassword.Text & "' where Username= '" & username & "'"
                cmd.Connection = con
                cmd.ExecuteNonQuery()
                MsgBox("Password Change successfully")
            End If
        Catch ex As Exception
            MessageBox.Show("Performed Action Cannot be processed")
        End Try

    End Sub

    Private Sub btnClear_Click(sender As Object, e As EventArgs) Handles btnClear.Click
        txtcpoldpassword.Clear()
        txtcpnewpassword.Clear()
        txtcpconfirmpassword.Clear()
    End Sub

    Private Sub btnClose_Click(sender As Object, e As EventArgs) Handles btnClose.Click
        Me.Close()
    End Sub
End Class
Updated 24-Feb-14 21:15pm
Comments
[no name] 25-Feb-14 3:26am    
What is the error..??

1 solution

There are so many, many things here that I hardly know where to start...
Let's start with the really dangerous one, shall we?


Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. Particularly with your login code which not only lets me destroy your database, but allows me to log in as anyone at all without a password, simply by adding four characters to the end of the username when I enter it:
';--


Second, let's cover the way you store passwords: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it. - it's in C#, but it's pretty obvious code.

Finally, why doesn't your code work? If it was relevant - which it isn't, because it all needs ripping out and throwing away to fix the other two points - do you really think my old password is always going to be the same as my username?
VB
ElseIf txtcpoldpassword.Text <> username Then
    MessageBox.Show("Invalid Old Passsword")
 
 
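The three points in the answer above, combined into one module as an added example (not code from the question or from the answerer): parameterized queries, salted PBKDF2 hashes instead of clear-text passwords, and an old-password check against the stored hash. It assumes the table is `tblloggin`, the name the login form queries, with hypothetical `PasswordHash VARBINARY(32)` and `Salt VARBINARY(16)` columns replacing `Password` and a `Username NVARCHAR(50)` column; the module name and iteration count are also assumptions, and the `Rfc2898DeriveBytes` overload used needs .NET Framework 4.7.2 or later.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Cryptography

' Added example: PasswordHash/Salt columns, column sizes and the iteration count are assumptions.
Public Module AccountStore
    Private Const ConnStr As String = "Data Source=Tarun-PC;Initial Catalog=bdsdb;Integrated Security=True"
    Private Const Iterations As Integer = 100000
    Private ReadOnly Rng As RandomNumberGenerator = RandomNumberGenerator.Create()
    Private Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32) ' PBKDF2-SHA256, 32-byte output
        End Using
    End Function
    Private Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i)) ' no early exit on the first mismatch
        Next
        Return diff = 0
    End Function

    Public Function VerifyLogin(username As String, password As String) As Boolean
        Using con As New SqlConnection(ConnStr),
              cmd As New SqlCommand("SELECT PasswordHash, Salt FROM tblloggin WHERE Username = @user", con)
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username ' bound as data, never parsed as SQL
            con.Open()
            Using rdr As SqlDataReader = cmd.ExecuteReader()
                If Not rdr.Read() Then Return False
                Dim salt = DirectCast(rdr("Salt"), Byte())
                Return FixedTimeEquals(DirectCast(rdr("PasswordHash"), Byte()), HashPassword(password, salt))
            End Using
        End Using
    End Function

    Public Function ChangePassword(username As String, oldPassword As String, newPassword As String) As Boolean
        If Not VerifyLogin(username, oldPassword) Then Return False ' old password is checked against the stored hash
        Dim salt(15) As Byte ' fresh 16-byte salt for the new hash
        Rng.GetBytes(salt)
        Using con As New SqlConnection(ConnStr),
              cmd As New SqlCommand("UPDATE tblloggin SET PasswordHash = @hash, Salt = @salt WHERE Username = @user", con)
            cmd.Parameters.Add("@hash", SqlDbType.VarBinary, 32).Value = HashPassword(newPassword, salt)
            cmd.Parameters.Add("@salt", SqlDbType.VarBinary, 16).Value = salt
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username
            con.Open()
            Return cmd.ExecuteNonQuery() = 1
        End Using
    End Function
End Module
```

The forms would call `VerifyLogin` from the submit handler and `ChangePassword` from the change-password handler, showing the exception message rather than a fixed string while debugging.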

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


