Could you please help me out? I have an error in my code that I cannot understand.

The error is:

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near 'Login'.

And my code:

    public static void ChangePassword(string login, string password)
    {
        var sqlCon = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString);
        string query = @"update Organizer set Password ="+ password + "where Login=" + login + "";
        SqlCommand cmd = new SqlCommand(query, sqlCon);
        cmd.CommandType = CommandType.Text;
        try
        {
            sqlCon.Open();
            cmd.ExecuteNonQuery();
            sqlCon.Close();
        }
        catch (Exception ee) { throw ee; }
    }

4 Answers

  • We've seen enough SQL injection attacks; we don't need another one. Please fix your code and use parameters.
  • Use using blocks to avoid leaking connections.
  • Install an exception handler like ELMAH.
  • Don't save passwords in the database.

    using (var sqlCon = new SqlConnection(...))
    using (var cmd = new SqlCommand(
        @"update Organizer set Password = @password where Login = @login", sqlCon))
    {
        cmd.CommandType = CommandType.Text;
        // Values travel as typed parameters, separate from the SQL text,
        // so a quote inside login or password cannot alter the statement.
        cmd.Parameters.Add("@password", SqlDbType.VarChar, 8000).Value = password;
        cmd.Parameters.Add("@login", SqlDbType.VarChar, 8000).Value = login;

        sqlCon.Open();
        cmd.ExecuteNonQuery();
        // No explicit Close(): the using blocks dispose the command and the connection.
    }

1 Comment

+111111 to -all- the points Remus has said. PLEASE for the sake of humanity, heed his words!

Try

string query = @"update Organizer set Password ='"+ password + "' where Login= '" + login + "'"; 

You are missing the ' around strings. That being said, you are likely very open to SQL injection attacks (I'm guessing because of the code, and the lack of a clearing function).

Also make sure you're not storing passwords in plain text :)

The ' is used like " in sql.

3 Comments

@emilios - This may work, but leads to dangerous code. You should check out parameterized queries to remove the security hole.
@Justin Niessner is correct; you either need to check yourself for security holes or use the built-in systems.
Parameterized queries and unencrypted passwords are only part of the problem. He's rolling his own authentication system. That won't end well.
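The two points the answers above keep returning to, an UPDATE built by string concatenation versus a parameterised one, and plaintext versus hashed password storage, as an added example that is not part of the original thread. It is a Python/sqlite3 stand-in for the C#/SQL Server code in the question: the Organizer table and its rows are constructed in memory, the `salt$hash` storage format and all function names are assumptions made for the demonstration, and sqlite3's `?` placeholders play the role of SqlCommand's `@name` parameters.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data standing in for the question's Organizer(Login, Password)
# table; kept in memory so the example runs offline.
SEED_ROWS = [("alice", "old-a"), ("bob", "old-b"), ("carol", "old-c")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Organizer (Login TEXT PRIMARY KEY, Password TEXT)")
    con.executemany("INSERT INTO Organizer VALUES (?, ?)", SEED_ROWS)
    con.commit()
    return con


def change_password_concat(con, login, password):
    """The 'just add single quotes' fix from the thread, ported as written:
    the inputs are spliced into the SQL text, so they can also supply SQL."""
    query = ("update Organizer set Password ='" + password +
             "' where Login= '" + login + "'")
    cur = con.execute(query)
    con.commit()
    return cur.rowcount  # number of rows the UPDATE touched


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as 'salthex$hashhex'
    (assumed format for this example) so the plaintext never reaches the table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    salt_hex = stored.split("$", 1)[0]
    recomputed = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(stored, recomputed)  # constant-time comparison


def change_password_param(con, login, password):
    """Parameterised form of the same UPDATE: the driver sends the values
    separately from the statement, so a quote in `login` is data, not syntax."""
    cur = con.execute("update Organizer set Password = ? where Login = ?",
                      (hash_password(password), login))
    con.commit()
    return cur.rowcount


def snapshot(con):
    return dict(con.execute("SELECT Login, Password FROM Organizer"))


def demo():
    # Crafted login value: the closing quote it smuggles in turns the WHERE
    # clause into  Login = 'bob' OR '1'='1'  which matches every row.
    evil_login = "bob' OR '1'='1"

    con = make_db()
    concat_hits = change_password_concat(con, evil_login, "pwned")
    concat_state = snapshot(con)  # every account now has Password 'pwned'

    con = make_db()
    param_hits = change_password_param(con, evil_login, "pwned")  # no such login
    legit_hits = change_password_param(con, "bob", "s3cret-b")    # exactly one row
    stored = snapshot(con)["bob"]

    return {
        "concat_rows_updated": concat_hits,
        "concat_all_pwned": all(p == "pwned" for p in concat_state.values()),
        "param_rows_updated": param_hits,
        "legit_rows_updated": legit_hits,
        "stored_is_plaintext": stored == "s3cret-b",
        "verify_ok": verify_password(stored, "s3cret-b"),
        "verify_wrong": verify_password(stored, "nope"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the login `bob' OR '1'='1`, the concatenated version resets all three accounts in one call, which is exactly the attack the first answer warns about; the parameterised version treats the same string as a login that does not exist and changes nothing. Hashing is independent of the injection fix but belongs in the same function: once the write is parameterised, the only remaining plaintext exposure is the column itself.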

If you were going to use the code above, your issue is that you're not wrapping the new password or login in single quotes:

    string query =
        @"update Organizer set Password = '" +
          password +
          "' where Login= '" + login + "'";

But I wouldn't use that code at all. It's quite dangerous since it allows people to pass in arbitrary SQL. I would use parameterized queries instead:

var query = "update organizer set password = @password where login = @login";
var command = new SqlCommand(query, sqlCon);

// The (name, type, size, string) overload of Parameters.Add takes a *source column
// name* as its last argument, not the value, so assign Value explicitly.
command.Parameters.Add("@password", SqlDbType.VarChar, 100).Value = password;
command.Parameters.Add("@login", SqlDbType.VarChar, 100).Value = login;

sqlCon.Open();
command.ExecuteNonQuery();

2 Comments

Never use command.Parameters.Add with a string. It will add the parameter as NVARCHAR and the rules of data type precedence will force the WHERE clause to ignore any index on the filtered column. Always use explicit SqlDbType and force the appropriate type. A second issue is that this pattern adds parameters of the exact length of the string and this causes unnecessary cache pollution because SQL plans cannot be reused across different input types, and parameters with different lengths mean different types. Always use an explicit length.
@Remus - You learn something new every day. Thanks for the insight. Updated.

You need single quotes...

string query = "update Organizer set Password = '" /*<---*/ + password + "'" /*<---*/ +
               " where Login = '" /*<---*/ + login + "'" /*<---*/ ;
