1

I have some Contained DB users in SQL Server 2017. In C# I am trying to execute a SQL command to change the password of a particular one of these users. The DB connection has permission to do this and does not require me to know the current password of the user in order to do so. 

var sqlStatement = $"ALTER USER {userName} WITH PASSWORD = '@Password';";

        using (var cmd = new SqlCommand(sql, sqlConnection))
        {
            cmd.CommandType = CommandType.Text;
            //cmd.Parameters.Add("@UserName", SqlDbType.NVarChar).Value = userName;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar).Value = password;

            var rowsAffected = cmd.ExecuteNonQuery();
        }

Above is the code I had been using. Running a trace on what was produced shows the command to be:

exec sp_executesql N'ALTER USER UserName1 WITH PASSWORD = ''@Password'';',N'@Password nvarchar(18)',@Password=N'Hqc5w7m98s4J!9'

This does not error at all, in fact it seems to work. But when I attempt to login (before the password change I could log in fine) I cannot do so. It appears to have changed the password but not to the one I specified. If I run the following command instead (no parameters in C#, just string building):

ALTER USER [UserName1] WITH PASSWORD = 'Hqc5w7m98s4J!291'

Then I am now able to login again with the new password. I cannot seem to find out what is happening in the first case? Why is it not changing the password as I expect? I've tried a few variations of it to try and get it to work using parameters but no luck. I don't want to just use the parameterless version of course but have spent around 5 hours looking at this already.

Improve this question
5
  • Remove the quotes around '@Password' - you're setting the password to the string @Password, not the value of the variable. Commented Aug 29, 2018 at 15:24
  • 1
    @Larnu Contained users have passwords. Commented Aug 29, 2018 at 15:26
  • Missed that (how I have no idea), thanks for the correction @LukaszSzozda. Commented Aug 29, 2018 at 15:26
  • @Diado you cannot do that, get the error Msg 102, Level 15, State 1, Line 11 Incorrect syntax near '@Password'. Though you are right, it is changing the password to @Password. Commented Aug 29, 2018 at 15:30
  • Possible duplicate of How to change a sql login password with variables Commented Aug 29, 2018 at 15:40

1 Answer 1

Reset to default
2

Alter User may not work with traditional parameterization.

string sqlStatement = @"
DECLARE @sql NVARCHAR(500)
SET @sql = 'ALTER USER UserName1 WITH PASSWORD= ' + QuoteName(@Password, '''') 
EXEC(@sql)";

using (var cmd = new SqlCommand(sqlStatement , sqlConnection))
{
    cmd.Parameters.Add("@Password", SqlDbType.NVarChar).Value = password;
    // execute...
}
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Excellent use of QUOTENAME.
Thanks, this worked, though I had to put parentheses around the @sql in the EXEC statement to avoid an error. Is there any documentation on why traditional parameterization does not work then? Is this a bug with SQL that might be resolved?
I believe this is just a problem with string literals. The ALTER USER command expects single quotes when changing the password, however when quotes are surrounding a @param it doesn't get properly replaced. A bit of an edge case, but this way you still avoid injection problems.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.