4

How do I verify in the most right way the username and password that were inputted by the user to the database?

In c++, we used to verify by using if-else:
    if((user == "username")&&(pass == "password")){
             cout<<"You are now logon!";
    }

In java-mysql I'm not sure if I'm on the right track:

Login Button

private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
        // TODO add your handling code here:

        user = jTextField1.getText();
        pass = jPasswordField1.getPassword();
        login();
}

Method/function

private void login() {

        try {
                if (user != null) {
                sql = "Select * from users_table Where username='" + user + "'";
                rs = stmt.executeQuery(sql);

                rs.next();
                username = rs.getString("username");
                password = rs.getString("password");

            }
        } 
    catch (SQLException err) {
            JOptionPane.showMessageDialog(this, err.getMessage());
        }

}

If the username and password that inputted by the user matched with the ones in the database then he will be directed to a new jFrame else message dialog will popup saying invalid username or password. Can someone help me with my codes, I don't know how to use the if-else statement with mysql;

Thanks! :)

Improve this question
2
  • 4
    you save passwords in clear text? hope this is not going to be deployed. Commented Feb 21, 2013 at 6:28
  • You're not using PreparedStatement to guard against SQL injection...you're getting the values back in plaintext...well, those are the two major issues I see. I also don't see where you're actually doing any comparison on the value of the password. Commented Feb 21, 2013 at 6:53

5 Answers 5

Reset to default
2

Implement the below code:

private void login() {
    try {
        if (user != null && pass != null) {
            String sql = "Select * from users_table Where username='" + user + "' and password='" + pass + "'";
            rs = stmt.executeQuery(sql);
            if (rs.next()) {
                //in this case enter when at least one result comes it means user is valid
            } else {
                //in this case enter when  result size is zero  it means user is invalid
            }
        }

        // You can also validate user by result size if its comes zero user is invalid else user is valid

    } catch (SQLException err) {
        JOptionPane.showMessageDialog(this, err.getMessage());
    }

}
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

This will work but it is dangerous as it allows easy SQL injection. You should be using PreparedStatement instead of concating select script on your own. So: connection.prepareStatement("select * from user_table where username = ? and password = ?"); p.setString(1, "Tom") ....
This solution showcases two extremely bad practices: concatenating dirty strings allowing SQL injection, and assuming that passwords are stored verbatim in the database. As is, it's actively harmful.
Besides issues with SQL injection, and plain text passwords, in java is recommended to use char[] instead of String for passwords
Username: admin Password: ' OR password <> '
2
  • Always store Hash encrypted passwords in database, refer JASYPT for more details on encrypting passwords
  • Encrypt the password entered by the user and compare the two encrypted passwords
  • Use parametrized queries while querying database
Improve this answer

1 Comment

Remember that hashing is not encryption. You should store hashed passwords. JASYPT have the right idea, i.e. salt + iterate your hash.
0

you don't have to do anything with mySQL anymore. You already have the credentials. One Example:

if ((user.equals(username)) && (pass.equals(password))) {
   JFrame newFrame = new JFrame();
} else {
   JOptionPane.showMessageDialog(null, "alert", "alert", JOptionPane.ERROR_MESSAGE); 
}
Improve this answer

3 Comments

user and password are the user's input right? then username and password are the resultsets? username = rs.getString("username"); password = rs.getString("password"); right? @_@
uhm...according to YOUR source... user and pass are the user entries, password and username thefields from the database...
strings should be compared with equals not with ==.
0

Use prepared statements along with a library like DButils which would simplify your work a lot.

In addition, don't use substitution pass parameters such as select name from members where code =?. If you have many parameters, create a array of objects and pass them in a object array such as Objects[] parms = {code1,code2}.

Improve this answer

Comments

-1 
if (username.length()>0 && password.length()>0)
{
    String query = "Select * from adminlogin Where Username='" + username + "' and Password='" + password + "'";

    rs = sta.executeQuery(query);

   if (rs.next()) 
   {

        home hme=new home();
        this.setVisible(false);
        hme.setVisible(true);
   } 
   else 
   {
       JOptionPane.showMessageDialog(null,"username and password are wrong ");
   }
}
else
{
      JOptionPane.showMessageDialog(null,"please field username and password ");
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.