Bug #36159 Problem with 'GetPassword' is Membership provider
Submitted: 16 Apr 2008 21:14 Modified: 16 May 2008 13:15
Reporter: Lynn Eriksen Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / NET Severity:S2 (Serious)
Version:5.1.5 OS:Any
Assigned to: CPU Architecture:Any

[16 Apr 2008 21:14] Lynn Eriksen
Description:
The MembershipProvider throws an error when enablePasswordRetrival = true and RequireQuestionAndAnswer = false.

This is due to a combination of null values in the database and calling 'reader.GetString' when retrieving values from. Calling this method on the reader throws an error if null. Using 'Convert.ToString' does not raise the error. An error should then be raised if the answer fails the test if 'RequiresQuestionAndAnswer' is required.

How to repeat:
Set the params to the way I have them above, create a member and then try to call 'GetPassword' with a null value for answer.

Suggested fix:
Replace:

string password = reader.GetString(0);
string passwordAnswer = reader.GetString(1);
string passwordKey = reader.GetString(2);

With:

string password = Convert.ToString(reader[0]);
string passwordAnswer = Convert.ToString(reader[1]);
string passwordKey = Convert.ToString(reader[2]);
[25 Apr 2008 19:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/46046
[25 Apr 2008 19:32] Reggie Burnett
Fixed in 5.1.6, not a bug in 5.2
[16 May 2008 13:15] MC Brown
A note has been added to the 5.1.6 changelog: 

The MembershipProvider will raise an exception when the connection string is configured with enablePasswordRetrival = true and RequireQuestionAndAnswer = false.