Hello
I am getting this error in my project:
index was outside the bounds of array
I have given the index correctly, but I still get the same error all the time.
Please help me.

here is the code


protected void btnsumit_Click(object sender, EventArgs e)
{
    string Username = txtusername.Text;
    string SecAns = txtans.Text;

    SqlCommand cmd = new SqlCommand("select Password from Info where Username='" + Username + "' and SecAns='" + SecAns + "'", con);
    con.Open();
    SqlDataReader dr;
    dr = cmd.ExecuteReader();//Here i get error
    if (dr.HasRows)
    {
        while (dr.Read())
        {
            lbl.Text = dr[5].ToString(); // here i am getting error
        }
    }

    con.Open();
    cmd.ExecuteNonQuery();
    con.Close();
}

What I have tried:

I have tried everything possible
but I am still getting the error... please help... it's urgent
Posted
Updated 16-Mar-18 9:19am

dr[5] refers to the 6th element of the row which doesn't exist, based on the error. Use a debugger to step through the code and see what the contents of dr look like, what you were expecting them to be, and what could be causing the unexpected result.

(Also note that C# arrays use zero-based indices, which means that 0 refers to the first element so 5 refers to the 6th element.)

[Edit] Also see Richard's answer (Solution 2) for critical security concerns.
 
 
v2
Comments
Member 13730518 16-Mar-18 12:54pm    
I know that array indexes start from 0
and the password index is 5, which is correct, but I am still getting the error...
Thomas Daniels 16-Mar-18 12:56pm    
It does not seem to be entirely correct, otherwise you wouldn't get the error. But I cannot access your computer or your database so I cannot exactly see what your data looks like and why you are getting the error. That's why you should use a debugger to see what goes wrong.

(As a side note, you may want to Google for "parameterized queries c#", because right now you use string concatenation for your SQL queries so you are vulnerable to SQL Injection)
Member 13730518 16-Mar-18 13:01pm    
I am trying to do a simple forgot password page.
Do you have any idea or code?
Thomas Daniels 16-Mar-18 13:02pm    
For the third time, use your debugger to see what goes wrong. I do not have access to your computer or database so I cannot give more advice.
Start by fixing the SQL Injection vulnerability in your code. With that in place, you might as well not have user accounts, because you're giving complete access to your entire database to any three-year-old who can press a button.

You also need to review how you're storing the data. Answers to security questions should be treated like passwords - you must NEVER store them in plain text:
Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right

As a corollary, you don't build a "forgot password" page; you build a "reset password" page. If the user can't remember their password, there's no need to tell them what it was; you just need to change it and tell them what the new password is.
Troy Hunt: Everything you ever wanted to know about building a secure password reset feature

As to your error, you are selecting a single field. The returned record will contain a single field. If you try to access the sixth field of a single field record, you will obviously get an "index out of range" exception.

But seriously, don't just fix that index error and move on. You're building an application that's destined to be hacked, and you're going to end up having to pay huge amounts of compensation to your users when their passwords and personal information are stolen.

(And by the way, it's not "urgent" for anyone here. Adding "it's urgent" to your questions is just rude.)

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
 
 
v2
Quote:
I have given the index correctly, but I still get the same error all the time.

No, you think you have, but if you keep getting an error, it is not correct.
Note that you can't have the same error message at 2 different places with different operations.
The only solution to see what is what is to use the debugger; it will allow you to inspect variables at the point of error.
There is an almost universal solution: run your code in the debugger step by step and inspect variables.
The debugger is here to show you what your code is doing and your task is to compare with what it should do.
There is no magic in the debugger; it doesn't know what your code is supposed to do, it doesn't find bugs, it just helps you by showing you what is going on. When the code doesn't do what is expected, you are close to a bug.
To see what your code is doing: just set a breakpoint and see your code performing; the debugger allows you to execute lines 1 by 1 and to inspect variables as it executes.
Debugger - Wikipedia, the free encyclopedia

Mastering Debugging in Visual Studio 2010 - A Beginner's Guide
Basic Debugging with Visual Studio 2010 - YouTube
Debugging C# Code in Visual Studio - YouTube
The debugger is here to only show you what your code is doing and your task is to compare with what it should do.

-----
C#
SqlCommand cmd = new SqlCommand("select Password from Info where Username='" + Username + "' and SecAns='" + SecAns + "'", con);

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user inputting a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
SQL Injection Prevention Cheat Sheet - OWASP
 
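Added example, not part of the original thread and not written by any of its posters: the parameterized query that the answers above call for, combined with the advice to store the security answer hashed and to reset the password rather than display it. The table Info and column Username come from the question; the columns SecAnsSalt, SecAnsHash, PwdSalt and PwdHash, the iteration count, and the class and method names are assumptions. How the new password is chosen and delivered to the user is outside the example.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Assumed schema: Info(Username, SecAnsSalt, SecAnsHash, PwdSalt, PwdHash), binary columns NOT NULL.
public static class PasswordReset
{
    const int Iterations = 100000; // assumed PBKDF2 work factor

    // PBKDF2-SHA256; this constructor overload needs .NET Framework 4.7.2+ or .NET Core 2.0+.
    static byte[] Hash(string secret, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Comparison that does not stop at the first differing byte.
    static bool SameBytes(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns true only if the answer matched and the new password hash was stored.
    public static bool TryReset(string connStr, string username, string answer, string newPassword)
    {
        using (var con = new SqlConnection(connStr))
        using (var sel = new SqlCommand("SELECT SecAnsSalt, SecAnsHash FROM Info WHERE Username = @u", con))
        using (var upd = new SqlCommand("UPDATE Info SET PwdSalt = @s, PwdHash = @h WHERE Username = @u", con))
        {
            // User input travels as typed parameters, never as SQL text,
            // so a name such as Brian O'Conner is just data.
            sel.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = username;
            con.Open();
            byte[] salt, stored;
            using (var dr = sel.ExecuteReader())
            {
                if (!dr.Read()) return false; // unknown user
                // Two columns are selected, so only indexes 0 and 1 exist; names avoid miscounting.
                salt = (byte[])dr["SecAnsSalt"];
                stored = (byte[])dr["SecAnsHash"];
            }
            if (!SameBytes(Hash(answer, salt), stored)) return false;
            var newSalt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(newSalt);
            upd.Parameters.Add("@s", SqlDbType.VarBinary, 16).Value = newSalt;
            upd.Parameters.Add("@h", SqlDbType.VarBinary, 32).Value = Hash(newPassword, newSalt);
            upd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = username;
            return upd.ExecuteNonQuery() == 1;
        }
    }
}
```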
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


