Bug #36159 Problem with 'GetPassword' is Membership provider
Submitted: 16 Apr 2008 23:14 Modified: 16 May 2008 15:15
Reporter: Lynn Eriksen
Status: Closed
Category:Connector/Net Severity:S2 (Serious)
Version:5.1.5 OS:Any
Assigned to: Target Version:

[16 Apr 2008 23:14] Lynn Eriksen 
Description:
The MembershipProvider throws an error when enablePasswordRetrival = true and
RequireQuestionAndAnswer = false.

This is due to a combination of null values in the database and calling 'reader.GetString'
when retrieving values from. Calling this method on the reader throws an error if null.
Using 'Convert.ToString' does not raise the error. An error should then be raised if the
answer fails the test if 'RequiresQuestionAndAnswer' is required.

How to repeat:
Set the params to the way I have them above, create a member and then try to call
'GetPassword' with a null value for answer.

Suggested fix:
Replace:

string password = reader.GetString(0);
string passwordAnswer = reader.GetString(1);
string passwordKey = reader.GetString(2);

With:

string password = Convert.ToString(reader[0]);
string passwordAnswer = Convert.ToString(reader[1]);
string passwordKey = Convert.ToString(reader[2]);
[25 Apr 2008 21:30] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/46046
[25 Apr 2008 21:32] Reggie Burnett 
Fixed in 5.1.6, not a bug in 5.2
[16 May 2008 15:15] MC Brown 
A note has been added to the 5.1.6 changelog: 

The MembershipProvider will raise an exception when the connection string is configured
with enablePasswordRetrival = true and RequireQuestionAndAnswer = false.