User login

sconeek

Hi all,

I am trying to implement the user login for my web app. My Java code is
talking to a Postgres table which contains the usernames and passwords
(unencrypted). However, I am struggling to write it. Could somebody
please provide me with some help on this?

My understanding is that it should be a query to the database: if the
username matches, then compare the password, and if both match then
provide access, otherwise not.

thanks heaps.
 
Oliver Wong

Hi all,

I am trying to implement the user login for my web app. My Java code is
talking to a Postgres table which contains the usernames and passwords
(unencrypted). However, I am struggling to write it. Could somebody
please provide me with some help on this?

My understanding is that it should be a query to the database: if the
username matches, then compare the password, and if both match then
provide access, otherwise not.

Yes, this will probably do it.

What I usually do is have the password in the DB hashed (via MD5, for
example). Take the username and password provided by the user, hash the
password in Java, then send the username and hashed password to the DB, asking
for any rows that match. If you've got 0 rows as a result, then the user
doesn't exist or entered an incorrect password. If you've got 1 row as a
result, then the user gave the correct password. If you've got more than 1
row, then you've got problems.

If you do the above approach, make sure to hash the code in Java, and
not, for example, in your SQL query. E.g.:

<badCode>
query = "select * FROM user WHERE username = '" + userName + "' and password = md5('" + password + "')";
</badCode>

<betterCode>
query = "select * FROM user WHERE username = '" + userName + "' and password = '" + md5(password) + "'";
</betterCode>

The problem with the bad code is you'd be sending the password as clear
text to the database engine. Also, you probably shouldn't directly use
string appending, as above, or else you make yourself vulnerable to query
injection. If your DB driver supports it, you should definitely use
parameterized queries.

- Oliver
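The flow Oliver describes (hash in Java, bind username and hash as parameters, count matching rows) as an added example; this is not code from the thread. It assumes a table `users` with columns `username` and `password` (the thread's unquoted `user` is a reserved word in Postgres), and substitutes SHA-256 for the MD5 of the post; both are unsalted fast hashes, so this stands in for a proper password hash such as bcrypt or PBKDF2.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {

    /** Hex digest computed in Java, so the cleartext password never reaches the DB engine. */
    static String hashPassword(String password) throws NoSuchAlgorithmException {
        // SHA-256 substituted for the thread's MD5; still unsalted, so only a placeholder
        // for a real password hash (bcrypt, PBKDF2, ...).
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Returns true only when exactly one row matches username + hashed password.
     * Table and column names ("users", "username", "password") are assumptions.
     */
    static boolean authenticate(Connection conn, String userName, String password)
            throws SQLException, NoSuchAlgorithmException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // Bound parameters are sent separately from the SQL text, so a quote or
            // keyword in the input cannot change the query (the injection Oliver warns about).
            ps.setString(1, userName);
            ps.setString(2, hashPassword(password));
            int rows = 0;
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows++;
                }
            }
            if (rows > 1) {
                // Oliver's "more than 1 row" case: duplicate usernames, i.e. the table
                // lacks a UNIQUE constraint. Refuse rather than guess which account it is.
                throw new IllegalStateException("ambiguous login: " + rows + " rows for " + userName);
            }
            return rows == 1; // 0 rows: unknown user or wrong password (same answer for both)
        }
    }
}
```

Returning the same `false` for "no such user" and "wrong password" keeps the login response from revealing which usernames exist.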
 
sconeek

I agree with you, Oliver.
However, I am struggling to access that table within the DB. I might try
the encryption once I get everything else to work.
Now, so far I have got this:
final Connection conn = null;

Statement stmt = conn.createStatement();
String sqlSelect = very similar to what you have provided

String strSQL = sqlSelect;
Debug.println(strSQL);
ResultSet rs = stmt.executeQuery(strSQL);

But I am unable to check for user access. Can you please detail your
solution a little bit more?

Thanks again.
 
Oliver Wong

I agree with you, Oliver.
However, I am struggling to access that table within the DB. I might try
the encryption once I get everything else to work.
Now, so far I have got this:
final Connection conn = null;

Statement stmt = conn.createStatement();
String sqlSelect = very similar to what you have provided

String strSQL = sqlSelect;
Debug.println(strSQL);
ResultSet rs = stmt.executeQuery(strSQL);

But I am unable to check for user access. Can you please detail your
solution a little bit more?

Thanks again.

How similar is your statement to mine? And what exactly is the problem?
Does it throw an exception or something? Is the result size always 7?
Something else?

- Oliver
 