Hello,
Please help me with this
C#
using System;
using System.Configuration;
using System.Data.SqlClient;

public class Password
{
    // method to generate a random password
    public static string GeneratePassword()
    {
        string PasswordLength = "5";
        string NewPassword = "";
        string allowedChars = "";
        // every group must end with a comma, otherwise Split() merges "0" and "A" into one entry "0A"
        allowedChars = "1,2,3,4,5,6,7,8,9,0,";
        allowedChars += "A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,";
        allowedChars += "a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,";
        allowedChars += "~,!,@,#,$,%,^,&,*,+,?";

        // separation of characters
        char[] sep = { ',' };
        string[] arr = allowedChars.Split(sep);

        string IDString = "";
        string temp = "";

        // System.Random is a statistical generator, not a cryptographic one; it is kept here as posted
        Random rand = new Random();
        for (int i = 0; i < Convert.ToInt32(PasswordLength); i++)
        {
            temp = arr[rand.Next(0, arr.Length)];
            IDString += temp;
            NewPassword = IDString;
        }
        return NewPassword;
    }

C#
    // Method to save NewPassword to the database's [Users] table
    public static void SavePasswordToDB()
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["MyDBConnectionString"].ToString());

        string strNewPassword = GeneratePassword().ToString();
        // strNewPassword is written inside the SQL text, so SQL Server reads it as a column name;
        // this is the statement that raises the error quoted below
        SqlCommand cmd = new SqlCommand("INSERT INTO dbo.Users(UserPassword) Values(strNewPassword)", con);
        con.Open();
        cmd.ExecuteNonQuery();
        con.Close();
    }
}

I am getting the following error:

The name "strNewPassword" is not permitted in this context. Valid expressions are constants, constant expressions, and (in some contexts) variables. Column names are not permitted.

What should I pass in Values()?

Thank you.

Okay, two things.

One, you're passing this string:
C#
"INSERT INTO dbo.Users(UserPassword) Values(strNewPassword)"


So obviously it won't know what strNewPassword is.

To fix that, make sure you pass the values. But please, use parameters for that (disclaimer: I haven't compiled this, but it should work):

C#
try
{
    con.Open();
    // the placeholder @password is bound to a parameter, so the value is never part of the SQL text
    using (SqlCommand cmd = new SqlCommand("INSERT INTO dbo.Users(UserPassword) Values(@password)", con))
    {
        cmd.Parameters.AddWithValue("@password", strNewPassword);
        cmd.ExecuteNonQuery();
    }
}
finally
{
    if (con != null) con.Close();
}


This is a much safer way than using a String.Format or something similar. Because that would leave you open to SQL injection (though perhaps not in this case, it's still good practice to do so). And it's a lot easier to use anyway in my opinion. More info on the subject

But the second thing (and perhaps the most important): Why are you storing an unencrypted password in your database??
 
Comments
saurabh kumar mahto 4-Sep-13 9:16am    
Thanks ^Mo^ for your valuable solution.
Can you please help with the encryption logic as well?

Thanks a lot.
Maarten Kools 4-Sep-13 17:59pm    
Sorry for the late reply, been a bit busy. When storing a password you want to do it one way only, so when someone manages to get a hold of the database, it isn't easily decrypted. For an example on how to do it, refer to this site: Salted Password Hashing - Doing it Right. It explains the how and why, and it has some C# example code as well.
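The two points raised on this page, the parameterized INSERT from the answer and the salted one-way hashing recommended in the comment above, put together in one piece of working code. This is an added example, not code from the question, the answer or the linked article. Assumptions: a dbo.Users table with columns UserName, PasswordSalt (VARBINARY), PasswordHash (VARBINARY) and Iterations (INT); the poster's connection string name "MyDBConnectionString"; and .NET Framework 4.7.2 or newer (or .NET Core) for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName. It also replaces System.Random with a cryptographic generator for the password itself, which goes beyond what the page's code does.

```csharp
// Added example: cryptographic password generation, PBKDF2-SHA256 salted hashing,
// parameterized INSERT/SELECT, and constant-time verification.
// Table and column names are assumptions, not the poster's schema.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public static class PasswordStore
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000; // assumed value; raise it as hardware allows

    // One alphabet string instead of a comma-separated list, so there is no separator to get wrong.
    private const string Alphabet =
        "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz~!@#$%^&*+?";

    // Generate a password from a cryptographic RNG; rejection sampling avoids modulo bias.
    public static string GeneratePassword(int length = 12)
    {
        char[] chars = new char[length];
        byte[] buf = new byte[4];
        ulong n = (ulong)Alphabet.Length;
        ulong limit = (1UL << 32) - ((1UL << 32) % n); // largest multiple of n below 2^32
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < length; i++)
            {
                ulong r;
                do
                {
                    rng.GetBytes(buf);
                    r = BitConverter.ToUInt32(buf, 0);
                } while (r >= limit);
                chars[i] = Alphabet[(int)(r % n)];
            }
        }
        return new string(chars);
    }

    // Derive a fixed-length key from password and salt; the database stores this, never the password.
    private static byte[] Pbkdf2(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Store a new user: fresh random salt, PBKDF2 hash, every value bound as a typed parameter.
    public static void SaveUser(string userName, string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] hash = Pbkdf2(password, salt, Iterations);

        string cs = ConfigurationManager.ConnectionStrings["MyDBConnectionString"].ConnectionString;
        using (SqlConnection con = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO dbo.Users(UserName, PasswordSalt, PasswordHash, Iterations) " +
            "VALUES(@user, @salt, @hash, @iter)", con))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@salt", SqlDbType.VarBinary, SaltBytes).Value = salt;
            cmd.Parameters.Add("@hash", SqlDbType.VarBinary, HashBytes).Value = hash;
            cmd.Parameters.Add("@iter", SqlDbType.Int).Value = Iterations;
            con.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Check a login attempt by recomputing the hash with the stored salt and iteration count.
    public static bool VerifyUser(string userName, string password)
    {
        string cs = ConfigurationManager.ConnectionStrings["MyDBConnectionString"].ConnectionString;
        using (SqlConnection con = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash, Iterations FROM dbo.Users WHERE UserName = @user", con))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName;
            con.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false; // unknown user
                byte[] salt = (byte[])reader["PasswordSalt"];
                byte[] stored = (byte[])reader["PasswordHash"];
                int iterations = (int)reader["Iterations"];
                return FixedTimeEquals(Pbkdf2(password, salt, iterations), stored);
            }
        }
    }

    // Compare without short-circuiting, so timing does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Storing the iteration count next to the hash lets you raise it later for new accounts without breaking existing ones, since VerifyUser always uses the value recorded for that row. The typed `Parameters.Add(name, type, size)` form is preferred over `AddWithValue` here because it fixes the SQL type and length up front rather than inferring them from the .NET value.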
saurabh kumar mahto 6-Sep-13 3:20am    
thanks ^Mo^
you have to use these lines....

public static void SavePasswordToDB()
{
    SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["MyDBConnectionString"].ToString());

    string strNewPassword = GeneratePassword().ToString();
    SqlCommand cmd = new SqlCommand("INSERT INTO dbo.Users(UserPassword) Values('" + strNewPassword + "')", con);
    con.Open();
    cmd.ExecuteNonQuery();
    con.Close();
}
 
Comments
Dave Kreskowiak 4-Sep-13 9:11am    
Using string concatenation to build a non-parameterized query? Yeah, that's a big mistake.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)