
I have a simple C# Windows form which acts as a login, but also has a form to change the password of a user.

When you click on Change Password, the form loads with text boxes for the current password, the new password and the confirmation of the new password, and one save button.

I have stored the username in a label so that the current password can be checked against the database to see whether it is valid.

I am storing these in a table which I created in Microsoft SQL Server 2008.

The code is as follows so far.

SqlConnection connect = new SqlConnection(str);
connect.Open();
string username = label_username.Text;
string password = textBox_Current.Text;
string newPassword = textBox_New.Text;
string confirmPassword = textBox_Verify.Text;
string sqlquery = "UPDATE [Member] SET Password=@newpass where Username=@username";
SqlCommand cmd = new SqlCommand(sqlquery, connect);
cmd.Parameters.AddWithValue("@newpass", textBox_Verify.Text);
cmd.Parameters.AddWithValue("@username", label_username.Text);
cmd.Parameters.AddWithValue("@password", textBox_Current.Text); // not referenced by the query above
cmd.Connection = connect;
cmd.ExecuteNonQuery();
SqlDataReader reader = null;
reader = cmd.ExecuteReader(); // the UPDATE returns no result set, so the loop body never runs
while (reader.Read())
{
    if ((textBox_New.Text == reader["newPassword"].ToString()) & (textBox_Verify.Text == (reader["confirmPassword"].ToString()))) { }
}
MessageBox.Show("Password Changed Successfully!");
this.Close();

While executing the above code, the password changes, but I want to:

  • check validation, e.g. if the user has typed the wrong password in the current password box.
  • check the new password and confirm password.
  • when the user clicks on save the first time with a blank password, it should not be stored in the database; rather, it should give the message 'please type the password'.

How can this be done?

Dulini Atapattu
rbn
  • Don't store passwords in plain text. Instead, use a secure hash. – SLaks Jun 29 '11 at 01:25
  • Surely you're hashing those passwords and you've just simplified it for our benefit, right? Right!? – Michael Haren Jun 29 '11 at 01:26
  • I would recommend just using Membership authentication, comes with an API and everything, there's no need reinventing the wheel – BrokenGlass Jun 29 '11 at 01:41
  • I'd highly suggest that your query NOT be based on the username itself but rather using some type of user id. Otherwise please make sure that a given username can only be used once... – NotMe Jun 29 '11 at 02:03

3 Answers

You really should not be storing these passwords in plain text. You should hash the password and store the hash. Then, if you want to check whether a password is correct, hash the password the user typed and compare it to the hash stored for the user.

But it sounds like you need help getting a value out of the database for the current user. Putting something like this in there ought to do this for you. Please note that, as I said above, this should really be retrieving a hash of the password, not the actual password in plain text.

string sqlquery = "SELECT Password FROM [Member] where Username=@username";
SqlCommand cmd = new SqlCommand(sqlquery, connect);
cmd.Parameters.AddWithValue("@username", label_username.Text);
cmd.Connection = connect; 
string currentPassword = (string)cmd.ExecuteScalar();

if (currentPassword == textBox_Current.Text)
{
 // PASSWORD IS CORRECT, CHANGE IT, NOW.
} else {
 // WOW EASY BUDDY, NOT SO FAST
}
Rex Morgan
    protected void btn_PasswordChange(object sender, EventArgs e)
    {
        string constring = DataAccess.GetConnection();
        using (SqlConnection con = new SqlConnection(constring))
        {
            con.Open();
            // Check the old password for the logged-in user only, using parameters
            // (string concatenation allowed SQL injection and matched any user's password)
            SqlCommand check = new SqlCommand(
                "select count(*) from tbl_MemberLogin where UserName=@user and Password=@oldpwd", con);
            check.Parameters.AddWithValue("@user", Session["UserName"].ToString());
            check.Parameters.AddWithValue("@oldpwd", txtoldpwd.Text);
            if ((int)check.ExecuteScalar() == 0)
            {
                lblmsg.Text = "Invalid current password";
                lblmsg.ForeColor = System.Drawing.Color.Red;
            }
            else
            {
                // The command must be attached to the open connection before executing
                SqlCommand cmd = new SqlCommand(
                    "update tbl_MemberLogin set Password=@newpwd where UserName=@user", con);
                cmd.Parameters.AddWithValue("@newpwd", txtnewpwd.Text);
                cmd.Parameters.AddWithValue("@user", Session["UserName"].ToString());
                cmd.ExecuteNonQuery();
                lblmsg.Text = "Password changed successfully";
                lblmsg.ForeColor = System.Drawing.Color.Green;
            }
        }
    }
Moses
  • Please add some context to your code. Code-only answers don't explain what you did and therefore aren't useful as an answer. – creyD Feb 05 '18 at 10:16

First, you should use password hashing in your application, so the password fields of the database should hold the hashed values.

Assuming this, to accomplish your goals:

  1. consider your string username -> hash it -> write a query to check whether that hashed value and the hash of the user's password stored in the database are the same
  2. consider string password and string newPassword in your code -> hash both -> check whether the hash values are the same
  3. consider string password and string newPassword -> check whether each is null or its length is 0

Also you should perform these tasks in the following order:

1 -> 3 -> 2

Hope this helps...

Dulini Atapattu
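The whole change-password flow that Rex Morgan's and Dulini Atapattu's answers describe, with hashed storage, as an added example that is not from the question or any answer. It assumes a [Member] table with varbinary PasswordHash and PasswordSalt columns in place of the question's clear-text Password column, and that Rfc2898DeriveBytes (PBKDF2) is available in the application's .NET version; the class and method names are made up for the example.

```csharp
using System.Data.SqlClient;
using System.Security.Cryptography;

// Assumed schema (not the question's): [Member](Username, PasswordHash, PasswordSalt)
static class PasswordChange
{
    const int Iterations = 10000, SaltSize = 16, HashSize = 32;
    // PBKDF2 (Rfc2898DeriveBytes) so the database never holds the clear-text password
    static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }
    // Compare every byte so timing does not reveal where the first mismatch is
    static bool SlowEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Returns a message for the UI, or null when the password was changed.
    public static string Change(string connStr, string username,
                                string current, string newPw, string confirm)
    {
        if (string.IsNullOrEmpty(current) || string.IsNullOrEmpty(newPw))
            return "Please type the password";                     // empty check first
        using (var con = new SqlConnection(connStr))
        {
            con.Open();
            var get = new SqlCommand("SELECT PasswordHash, PasswordSalt FROM [Member] WHERE Username=@u", con);
            get.Parameters.AddWithValue("@u", username);
            byte[] hash, salt;
            using (var r = get.ExecuteReader())
            {
                if (!r.Read()) return "Unknown user";
                hash = (byte[])r["PasswordHash"]; salt = (byte[])r["PasswordSalt"];
            }
            if (!SlowEquals(hash, Hash(current, salt))) return "Current password is wrong";
            if (newPw != confirm) return "New passwords do not match";
            byte[] newSalt = new byte[SaltSize];
            new RNGCryptoServiceProvider().GetBytes(newSalt);     // fresh salt per change
            var upd = new SqlCommand("UPDATE [Member] SET PasswordHash=@h, PasswordSalt=@s WHERE Username=@u", con);
            upd.Parameters.AddWithValue("@h", Hash(newPw, newSalt));
            upd.Parameters.AddWithValue("@s", newSalt);
            upd.Parameters.AddWithValue("@u", username);
            return upd.ExecuteNonQuery() == 1 ? null : "Update failed";
        }
    }
}
```

The form's save handler would call PasswordChange.Change with the label and text box values and show the returned message, or "Password Changed Successfully!" when it returns null.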