Send Forget Password using E Mail in Asp.Net

Question

i am using a asp.net framework for sending a forget password through E-Mail . but i think there's some problem in my code. please help . The button_click event code is give below.

        protected void frgtbtn_Click(object sender, EventArgs e)
          {
             string st = "select E_mail FROM registraion_master WHERE E_mail='" +     Email.Text + "'";

           cmd = new SqlCommand(st, sqlcon);
           cmd.Connection.Open();
           SqlDataAdapter sda = new SqlDataAdapter(cmd);
           DataSet ds=new DataSet();
           sda.Fill(ds);
           cmd.Connection.Close();
           if(ds.Tables[0].Rows.Count > 0)
              {
                 MailMessage email = new MailMessage();
                 email.From = new MailAddress(Email.Text); //Enter sender email address.
                 email.To.Add(Email.Text); //Destination Recipient e-mail address.
                 email.Subject = "Your Forget Password:"; //Subject for your request.
                 email.Body = "Hi,Your Password is: " + ds.Tables[0].Rows[0]["Pwd"] + "";

                 email.IsBodyHtml = true;
                 //SMTP SERVER DETAILS
                 SmtpClient smtpc = new SmtpClient("smtp.gmail.com");
                 smtpc.Port = 587;
                 smtpc.UseDefaultCredentials = false;
                 smtpc.EnableSsl = true;
                 gmail_ID.Text = "anuragdixit132@gmail.com";//Enter your gmail id here
                 gmail_pwd.Text="vineet";//Enter your gmail id here
                 smtpc.Credentials = new   NetworkCredential(gmail_ID.Text,gmail_pwd.Text);
                 smtpc.Send(email);
                 string script = @"<script language=""javascript""> alert('Password Has Been Sent.......!!!!!.');
                 </script>;";
                 Page.ClientScript.RegisterStartupScript(this.GetType(), "myJScript1", script);
                }
              else
                {
                pwdlbl.Text = "This email address is not exist in our Database try again";
                }

in this code : there is an exception occour: Column 'Pwd' does not belong to table Table.

Answer 1

The shortest way to reproduce your problem:

   string st = "select E_mail FROM registraion_master WHERE E_mail='" +     Email.Text + "'";
   cmd = new SqlCommand(st, sqlcon);
   cmd.Connection.Open();
   SqlDataAdapter sda = new SqlDataAdapter(cmd);
   DataSet ds=new DataSet();
   sda.Fill(ds);
   cmd.Connection.Close();
   ds.Tables[0].Rows[0]["Pwd"];

It is clear that you are quering the db only for E_mail and not Pwd. If the Pwd is part of the registraion_master table than the solution can be:

  string st = "select E_mail,Pwd FROM registraion_master WHERE E_mail='" +     Email.Text + "'";

However I hope the pwd is not saved in plaintext. And start using parameterized queries, your query is subject to sql injection. And I guess that you also have cross site scripting problems when displaying user input on your screens, you have that cross site scripting when you are sending the password to a user...