
I am trying to create a single login system for staff and managers. I have my database set up correctly and my Java code connects to the database correctly. The issue I am having is this: when the user logs in as staff, then based on the username in the database a staff window will appear, or if a manager is trying to log in, again based on their username in the database, a manager window will appear.

For example, for staff the username in the database looks like this: staff1, staff2, etc., and for managers it's similar: mng1, mngr2, etc.

I kind of have the code working, but it only loads the manager view for some reason.

final Statement s = conn.createStatement ();    

ResultSet rs= s.executeQuery ("SELECT * FROM users where username='"+username1+"' && password='"+psw+"'");
String mng1="mng*";
String staff="staff*";
String pass1="";

while (rs.next ())
{                                      
    mng1 = rs.getString ("");
    staff =rs.getString ("");
    pass1 = rs.getString ("password");

    if(username1.equals(mng1)&&psw.equals(pass1))
    {
        ManagerMainMenu mng= new ManagerMainMenu();
        mng.main(null);
        //System.out.println("its working");
    }
    else if(username1.equals(staff)&&psw.equals(pass1))
    {
        TakingOrder to = new TakingOrder();
        to.main(null);
    }
    else
    {
        System.out.println("password or username is wrong");
    }
}

1 Answer

Well, as a matter of fact, here is the answer to your problem:

if (username1.equals(mng1) && psw.equals(pass1)) {
    ManagerMainMenu mng = new ManagerMainMenu();
    ...
}

This condition seems to be always true in your case: either your username1 is null or empty or something else, and the password is correct perhaps too. You are not doing anything with your username that is visible in the code. The rs.getString("") most likely returns null, so you're just nullifying them. Don't use selects like select * from whatever; this is a bad thing to do, especially on big tables, and it's not really visible what you're selecting.

But you should follow the advice and use the techniques and/or some good ORM like Hibernate, or perhaps use good old Spring JDBC. :)


First of all, I would strongly recommend using prepared statements (http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html). It might help you avoid SQL injection as well, and it should utilize the database's resources in a better way, as the SQL already goes pre-compiled into the DB.

Here's a live example.

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Types;
import java.util.logging.Logger;

// Logger used below; the answer does not say which logging library, so java.util.logging is assumed here.
private static final Logger logger = Logger.getLogger("DBManager");

// Binds each element of params to the matching "?" placeholder (JDBC parameters are 1-based).
static public void setParameters(PreparedStatement preparedStatement, Object[] params)
        throws SQLException
{
    if (params != null)
    {
        for (int i = 0; i < params.length; i++)
        {
            if (params[i] == null)
            {
                preparedStatement.setNull(i + 1, Types.INTEGER);
                continue;
            }
            String className = params[i].getClass().getName();
            if (className.compareTo("java.lang.String") == 0)
            {
                preparedStatement.setString(i + 1, (String) params[i]);
            }
            else if (className.compareTo("java.lang.Integer") == 0)
            {
                preparedStatement.setInt(i + 1, ((Integer) params[i]).intValue());
            }
            else
            {
                // your other types go here; anything unhandled is rejected instead of being silently skipped
                throw new SQLException("unsupported parameter type: " + className);
            }
        }
    }
}

// Prepares sql, binds params and runs the query; the caller owns the returned ResultSet.
public static ResultSet sqlSelect(Connection con, String sql, Object[] params) throws SQLException
{
    ResultSet rs = null;
    PreparedStatement preparedStatement = con.prepareStatement(sql);
    try
    {
        setParameters(preparedStatement, params); // your parameters
        rs = preparedStatement.executeQuery();
        logger.info(rs.toString());
    }
    catch (SQLException e)
    {
        // TODO log.error("select failed: " + preparedStatement.toString());
        preparedStatement.close(); // nothing will be returned, so release the statement
        throw e;
    }
    return rs;
}

// Returns the matching enabled user, or null when username/password match no row.
public static UserInfo getUser(String username, String pass)
{
    UserInfo user = null;
    Connection con = null;
    // logger.info("user: " + username + " pass: " + pass); // if you want to
    String query = "SELECT id,username,password,email,name,company,description,enabled" +
            " FROM users WHERE username=? and password=? and enabled=true;";

    try
    {
        con = DBManager.getConnection();
        ResultSet rs = DBManager.sqlSelect(con, query, new String[]{username, pass});

        while (rs != null && rs.next())
        {
            user = new UserInfo();

            user.setId(rs.getInt(1));
            user.setUsername(rs.getString(2));
            user.setPassword(rs.getString(3));
            user.setEmail(rs.getString(4));
            user.setFullName(rs.getString(5));
            user.setCompany(rs.getString(6));
            user.setDescription(rs.getString(7));
            user.setEnabled(rs.getBoolean(8));

            logger.info("user written");
        }
    }
    catch (SQLException sqle)
    {
        logger.info(sqle.getMessage());
    }
    finally
    {
        if (con != null)
            DBManager.freeConnection(con);
    }
    return user;
}

If the method returns your user with your settings, the user is valid. You might want to have users and permissions (or groups) tables; then you should create a many-to-many table like users_permissions (or users_groups, if you like) which will have (id, user_id, permission_id) (or group_id), and then you will have to join the two tables users and permissions using this many-to-many table. Something like this:

select u.user_id,p.permission from
users u,user_permissions up,permissions p
where u.user_id=up.user_id and up.permission_id=p.permission_id
and u.user=? and u.password=? and u.enabled=1

or using joins:

select u.user_id,p.permission from
users u 
inner join user_permissions up
on  u.user_id=up.user_id
inner join permissions p
on up.permission_id=p.permission_id
where u.user=? and u.password=? and u.enabled=1

and then you adjust your select and your getUser() method.

UserInfo POJO, something like:

import java.util.List;

public class UserInfo {
    private int id;
    private String username;
    private String password;
    private String email;
    private String fullName;
    private String company;
    private String description;
    private boolean enabled;          // filled by getUser() through setEnabled()
    private List<String> permissions; // or List<Integer> if you store permission ids
    // getters and setters for each field (setId, setUsername, ..., setPermissions)
}

Hope it helps a bit.
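Putting the answer's advice together for the question's staff/manager case, as an added example that is not code from the question or the answer: the lookup is a prepared statement, the role is read from a `role` column (assumed here to exist, holding `manager` or `staff`) instead of being guessed from `mng*`/`staff*` username strings, and the window to open is chosen from that role. `ManagerMainMenu`, `TakingOrder` and `DBManager.getConnection()` are the names from the page, and their `main` is assumed to be the usual static entry point.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class RoleLogin {
    // Outcome of a login attempt; NONE means the credentials matched no row.
    public enum Role { MANAGER, STAFF, NONE }

    // Username and password are bound as parameters, never concatenated into the SQL.
    // The role comes from the assumed "role" column; a wrong password matches no row,
    // so no stale values are compared and NONE is returned instead.
    public static Role authenticate(Connection con, String username, String password)
            throws SQLException {
        String sql = "SELECT role FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return Role.NONE;                 // unknown user or wrong password
                }
                String role = rs.getString("role");
                if ("manager".equalsIgnoreCase(role)) {
                    return Role.MANAGER;
                }
                if ("staff".equalsIgnoreCase(role)) {
                    return Role.STAFF;
                }
                return Role.NONE;                     // unexpected role value: deny, do not guess
            }
        }
    }

    // Opens exactly one window for the role; this replaces the two if/else
    // branches that compared the username against "mng*" and "staff*".
    public static void openWindowFor(Role role) {
        switch (role) {
            case MANAGER:
                ManagerMainMenu.main(null);   // class name from the question
                break;
            case STAFF:
                TakingOrder.main(null);       // class name from the question
                break;
            default:
                System.out.println("password or username is wrong");
        }
    }
}
```

Call it as `openWindowFor(authenticate(DBManager.getConnection(), username1, psw))`; the password check stays in the WHERE clause exactly as in the answer's getUser() query.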


1 Comment

This has completely thrown me off. I guess I need to do some research into this.
