I'm trying to build a login UI with Java. But there is a problem with my SQL authentication.

Here's the code:

    public void actionPerformed(ActionEvent e){
        if (e.getSource() == Login) {
            try {
                Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
                Connection con=DriverManager.getConnection("jdbc:odbc:MessageStore","sa","12345");
                Statement cmd=con.createStatement();
                // rs is assigned here but never read, which is what the compiler warning is about
                ResultSet rs=cmd.executeQuery("select * from UserList where UserName='"+nameText.getText()+"'");
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }

But there is a warning with "rs": The value of the local variable rs is not used

How to solve this problem?

Or is there more straightforward code to implement SQL authentication?

Thank you

  • The database values can be got from the ResultSet; you have to iterate through it. Commented Apr 14, 2012 at 8:43
  • That's open to SQL injection. You must escape the string, or use a prepared statement. Also, the warning is happening because you're not using rs. If you're not going to use rs, then just don't assign the return to rs. You do need to use it though, because you need to use it to either check if a row exists, or more likely check if a password is correct. Also, you might want to be careful about letting people connect to your SQL server directly. That can be a security hole if someone you don't expect to do so connects to it outside of your application. Commented Apr 14, 2012 at 8:51

2 Answers

In most cases of "The value of variable X is not used" you can choose to ignore the message or remove the assignment to it. In those cases you do nothing with the value.

In this case however, you only perform a query on the database, but never do anything with the result. So you don't know if the user you are trying to validate is indeed a valid user.

So, you must use the variable "rs" to check if there is indeed a result and the user is allowed to login.

public void actionPerformed(ActionEvent e){
  if (e.getSource() == Login){
    try {
      Class.forName("sun.jdbc.odbc.JdbcOdbcDriver"); // may not be needed since JDBC4
      Connection con=DriverManager.getConnection("jdbc:odbc:MessageStore","sa","12345"); 
      PreparedStatement cmd=con.prepareStatement("select * from UserList where username=?"); // safer, protects against SQL injection
      cmd.setString(1,nameText.getText()); // the user name is bound as a parameter, never concatenated into the SQL
      ResultSet rs=cmd.executeQuery();
      if( rs.next() ){
        // username does exist, now check the password
      }else{
        // username does not exist
      }
      rs.close();
      cmd.close();
      con.close();
    }catch(Exception ex){ // not "e": that would shadow the ActionEvent parameter and fail to compile
      ex.printStackTrace();
    }
  }
}

1 Comment

You sneakily included a prepared statement, which is a big plus, since the string concatenation in the OP's post is bad practice. It's insecure due to SQL injection.
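The password check that the answer above leaves as a comment, together with a demonstration of why the OP's concatenated query is injectable, as an added example that is not part of the original question or answers. It is written in Python against an in-memory SQLite database (sqlite3 is in the standard library, so it runs offline) rather than Java/JDBC; the `UserList` table, its `Salt` and `PwdHash` columns, the two sample users and the helper names are constructed for this example. The parameterized query corresponds to `PreparedStatement.setString` in the answer.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    # Salted PBKDF2-HMAC-SHA256; the stored value is this hash, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    # Constructed in-memory stand-in for the page's "UserList" table (column names
    # beyond UserName are assumptions for the example).
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE UserList (UserName TEXT PRIMARY KEY, Salt BLOB, PwdHash BLOB)"
    )
    for name, pwd in (("alice", "correct horse"), ("bob", "hunter2")):
        salt = os.urandom(16)
        con.execute(
            "INSERT INTO UserList VALUES (?, ?, ?)", (name, salt, hash_password(pwd, salt))
        )
    con.commit()
    return con


def login_vulnerable(con, username):
    # Same shape as the OP's query: the user-supplied name is concatenated into the SQL,
    # and "success" is only "some row came back", which is all rs.next() alone tells you.
    rs = con.execute("SELECT * FROM UserList WHERE UserName='" + username + "'")
    return rs.fetchone() is not None


def login_safe(con, username, password):
    # Parameterized query (the JDBC PreparedStatement equivalent): the user name is bound
    # as data, so quotes in it cannot change the query. The password is then verified
    # against the stored salted hash with a constant-time comparison.
    cur = con.execute("SELECT Salt, PwdHash FROM UserList WHERE UserName=?", (username,))
    row = cur.fetchone()
    if row is None:
        return False  # unknown user
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, injected name:", login_vulnerable(db, payload))
    print("safe, injected name:      ", login_safe(db, payload, "anything"))
    print("safe, real credentials:   ", login_safe(db, "alice", "correct horse"))
```

With the injected name the concatenated query becomes `SELECT * FROM UserList WHERE UserName='' OR '1'='1'`, which matches every row, so `login_vulnerable` reports success for a user that does not exist; the parameterized version treats the same string as a literal user name and finds nothing.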

Make ResultSet a global variable.

public void actionPerformed(ActionEvent ae) {
    if (ae.getSource() != null) {
        Connection con = null;
        PreparedStatement cmd = null;
        ResultSet rs = null;
        try {
            Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
            System.out.println("Driver okay");
            con = DriverManager.getConnection("jdbc:odbc:MessageStore", "sa", "12345");
            System.out.println("Connection Made");
            cmd = con.prepareStatement("select * from UserList where username=?");
            cmd.setString(1, nameText.getText()); // bind the user name instead of concatenating it
            rs = cmd.executeQuery();              // without this rs stays null and rs.next() throws NullPointerException
            if (rs.next()) {
                // login user exists
            } else {
                // user doesn't exist
            }
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // release the result set, statement and connection whatever happened above
            try { if (rs != null) rs.close(); } catch (SQLException ignore) {}
            try { if (cmd != null) cmd.close(); } catch (SQLException ignore) {}
            try { if (con != null) con.close(); } catch (SQLException ignore) {}
        }
    }
}
