Java Forum / General / January 2006
sconeek@gmail.com - 10 Jan 2006 22:13 GMT
hi all,

i am trying to implement the user login for my web app. my java code is
talking to a postgres table which contains the usernames and passwords
(unencrypted). however i am struggling to write it. could somebody
please provide me with some help in this.

my understanding is that it should be a query to the database if the
username matches then compare the password. and if both match then
provide access otherwise not.

thanks heaps.
Oliver Wong - 10 Jan 2006 22:43 GMT
> hi all,
>
[quoted text clipped - 6 lines]
> username matches then compare the password. and if both match then
> provide access otherwise not.

   Yes, this will probably do it.

   What I usually do is have the password in the DB hashed (via MD5, for
example). Take the username and password provided by the user, hash the
password in Java, then send the username and hashpassword to the DB, asking
for any rows that match. If you've got 0 rows as a result, then the user
doesn't exist or entered an incorrect password. If you've got 1 row as a
result, then the user gave the correct password. If you've got more than 1
row, then you've got problems.

   If you do the above approach, make sure to hash the code in java, and
not, for example, in your SQL query. E.g.:

<badCode>
query = "select * FROM user WHERE username = '" + userName + "' and password = md5('"+password+"')";
</badCode>

<betterCode>
query = "select * FROM user WHERE username = '" + userName + "' and password = '"+md5(password)+"'";
</betterCode>

   The problem with the bad code is you'd be sending the password as clear
text to the database engine. Also, you probably shouldn't directly use
string appending, as above, or else you make yourself vulnerable to query
injection. If your DB driver supports it, you should definitely use
parameterized queries.

   - Oliver
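The hash-in-Java plus parameterized-query lookup described above, written out as an added example (not code from the thread). It assumes an already open JDBC Connection, a table named user (quoted, since user is a reserved word in PostgreSQL) with a password column holding a hex digest, and uses SHA-256 where the thread mentions MD5:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {

    // Hash the password in Java, never inside the SQL text, so the clear-text
    // password never reaches the database engine or its logs. SHA-256 is an
    // assumption standing in for the MD5 of the thread; a salted, slow password
    // hash (bcrypt, PBKDF2) is what a production system should store.
    static String hashPassword(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // True only when exactly one row matches the username and its stored hash
    // equals the hash of the supplied password. 0 rows: unknown user or wrong
    // password; more than 1 row: data problem, refuse rather than guess.
    static boolean authenticate(Connection conn, String userName, String password)
            throws SQLException, NoSuchAlgorithmException {
        String sql = "SELECT password FROM \"user\" WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName); // bound as data, never spliced into the SQL
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;
                }
                String storedHash = rs.getString(1);
                if (rs.next()) {
                    throw new IllegalStateException("duplicate username: " + userName);
                }
                if (storedHash == null) {
                    return false;
                }
                byte[] stored = storedHash.getBytes(StandardCharsets.UTF_8);
                byte[] supplied = hashPassword(password).getBytes(StandardCharsets.UTF_8);
                return MessageDigest.isEqual(stored, supplied); // constant-time compare
            }
        }
    }
}
```

Comparing the digests in Java with MessageDigest.isEqual avoids leaking through early-exit string comparison, and fetching by username alone keeps the hash out of the query text as well.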
sconeek@gmail.com - 10 Jan 2006 23:12 GMT
i agree with you oliver.
however i am struggling to access that table within the DB. i might try
the encryption once i get everything else to work.
now so far i have got this,
final Connection conn = null; // must be an open JDBC Connection (DriverManager/DataSource); null here throws NullPointerException at createStatement()

Statement stmt = conn.createStatement();
String sqlSelect = very similar to what you have provided

String strSQL = sqlSelect;
Debug.println(strSQL);
ResultSet rs = stmt.executeQuery(strSQL);

but i am unable to check for user access. can you please detail your
solution a little bit more.

thanks again.
Oliver Wong - 11 Jan 2006 15:32 GMT
>i agree with you oliver.
> however i am struggling to access that table within the DB. i might try
[quoted text clipped - 13 lines]
>
> thanks again.

   How similar is your statement to mine? And what exactly is the problem?
Does it throw an exception or something? Is the result size always 7?
Something else?

   - Oliver