Member Avatar for bigzos

I have a login form coded as :

Imports System.Data.OleDb
Public Class Form2
    Dim ctr As Integer
Private Sub Ok_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:/Users/Space Era/Documents/User.mdb")
        Dim cmd As OleDbCommand = New OleDbCommand("SELECT * FROM Users WHERE userid = '" & TextBox2.Text & "' AND password = '" & TextBox1.Text & "' ", con)
        con.Open()
        Try
            Dim sdr As OleDbDataReader = cmd.ExecuteReader()
            ' If the record can be queried, Pass verification and open another form.  
            If (sdr.Read() = True) Then

                Form7.Show()
                Me.Hide()
            Else


                MessageBox.Show("Invalid username or password!")
            End If
        Catch ex As Exception

            MsgBox(ex.Message, MsgBoxStyle.Critical, "Oledb Error")

        End Try


    End Sub
    ' Cancel button  
    Private Sub Cancel_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Cancel.Click
        Me.Close()



    End Sub

I wish to create a form for changing the password ,i.e., stored in the access database...any relevant replies would be appreciated..

Edited by Nick Evan because: Fixed CODE-tags .... again....
  • 6 Contributors
  • 14 Replies
  • 3K Views
  • 5 Days Discussion Span
  • Latest Post Latest Post by bigzos
Member Avatar for debasisdas

You need to run one Update query after successful login.

Member Avatar for adam_k

1st of all your login form is weak. It can be bypassed in half a second. Try retrieving a count and verify that the count returned is equal to 1. This way even if the query is bypassed, you won't give access further down.

as for changing password, copy your form into a new one, add 2 textboxes for new password and confirm new password, verify that the new passwords match and change your query to

"(update Users SET password = '" & TextBox2.text & "' WHERE userid = '" & TextBox2.Text & "' AND password = '" & TextBox1.Text & "' ", con)

Execute it using cmd.ExecuteNonQuery

You can check back that the password has changed by using the select statement that you are using in the above form and msgbox the user that the password has changed.

Edited by adam_k because: n/a
Member Avatar for rosstafarian

You say its weak - how would you get around that?

Member Avatar for adam_k

by getting a condition that will always result in true as part of the where.
Giving something like this in a forum is like putting everybody's apps in danger, so I'll keep the details to myself for now.

Trust me this query is weak. Use my advice if this is something you'll develop and also use QUOTENAME SQL function if you are dead serious about security.

PS: Selecting everything is bad by it's own, even if further checks are performed. All it takes is an ethereal on the network and all passwords are at hand, including admin ones.

Edited by adam_k because: n/a
Member Avatar for rosstafarian

im hoping to do a degree in computer security so i wouldnt mind knowing if you could possibly PM me?

Member Avatar for bigzos 
Imports System.Data.OleDb
Public Class Form8

    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        Me.Close()
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:/Users/Space Era/Documents/User.mdb")
        Dim cmd As OleDbCommand = New OleDbCommand("update users SET password = '" & TextBox1.Text & "' WHERE userid = '" & TextBox4.Text & "' AND password = '" & TextBox2.Text & "' ", con)

        con.Open()
        Try

            If (TextBox1.Text = TextBox3.Text) Then
                cmd.ExecuteReader()
                MsgBox("password changed")

            Else


                MessageBox.Show("Invalid username or password!")
            End If
        Catch ex As Exception

            MsgBox(ex.Message, MsgBoxStyle.Critical, "Oledb Error")

        End Try

    End Sub
End Class

Output:Syntax error in update statement

Edited by mike_2000_17 because: Fixed formatting
Member Avatar for adam_k 
cmd.ExecuteReader()

This won't work with an update statement, you need a nonquery.

On a different note: If you don't want to allow blank passwords, you might need to check the new pass value.

Member Avatar for bigzos

still it shows syntax error in update

Member Avatar for bigzos 
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        
        If (TextBox1.Text = TextBox3.Text) Then
            Try
                Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:/Users/Space Era/Documents/User.mdb")
                Dim cmd As OleDbCommand = New OleDbCommand("Update Users Set password = '" & TextBox1.Text & "' where userid = '" & TextBox4.Text & "' ", con)

                con.Open()


                cmd.ExecuteNonQuery()
                MsgBox("password changed")



            Catch ex As Exception

                MsgBox(ex.Message, MsgBoxStyle.Critical, "Oledb Error")

            End Try
        End If

    End Sub
End Class

Output: syntax error in update statement

how do i correct this??

Edited by bigzos because: n/a
Member Avatar for bigzos 
cmd.ExecuteReader()

This won't work with an update statement, you need a nonquery.

On a different note: If you don't want to allow blank passwords, you might need to check the new pass value.

I have modified my code to the following.....still i am getting the same syntax error in update statement..i would be greatful for any concerned suggestions..i need to complete this module quickly

Public Class Form8

    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        Me.Close()
    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        If TextBox1.TextLength < 5 Then
            MsgBox("The New Password Should be of Atleast 5 Characters")
            TextBox1.Text = ""
            TextBox3.Text = ""
        ElseIf TextBox2.Text = TextBox1.Text Then
            MsgBox("The New Password is Same As Old Password")
            TextBox1.Text = ""
            TextBox1.Focus()
        ElseIf (TextBox1.Text = TextBox3.Text) Then

            Try
                Dim con As New OleDbConnection("Provider=Microsoft.jet.oledb.4.0;data source=C:/Users/Space Era/Documents/User.mdb")
                Dim ds1 As New DataSet

                Dim da1 As New OleDbDataAdapter("select * from Users where userid='" & Trim(TextBox4.Text) & "'and password='" & Trim(TextBox2.Text) & "'", con)

                If da1.Fill(ds1) Then

                    Dim ra As Integer
                    Dim cb As OleDbCommand
                    con.Open()
                    cb = New OleDbCommand("Update Users Set password='" & TextBox1.Text & "' where userid='" & TextBox4.Text & "'", con)
                    ra = cb.ExecuteNonQuery()
                    MessageBox.Show("Password Changed Successfully,Now Login into System")
                    con.Close()
                    Form2.Show()
                    Me.Hide()
                Else
                    MsgBox("Invalid Password or Username")

                End If

            Catch ex As Exception
                MsgBox(ex.Message)
            End Try
        End If
       
    End Sub
End Class
Member Avatar for debasisdas

run the command in backend and check if that works for you.

Member Avatar for bigzos

made a few changes in the sql query string and it worked...yay...thnx all..

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.