0

I know there are plenty of other questions out there with a similar topic, but I can't find one that creates a solution to my specific problem. I have a Java application that connects via JDBC to Lamp for a Uni project, and I'm trying to compare the inputted password to the password related to the login they also entered in the MySQL database. I have a hashing (MD5) method that will hash the user's input, but it keeps throwing a null pointer exception and I can't fix it!

On button press code:

```java
private void loginButtonActionPerformed(java.awt.event.ActionEvent evt) {
    String pass = passTextField.toString();
    try {
        try {
            lModel.checkLogin(loginTextField.getText(), pass);
        } catch (NoSuchAlgorithmException ex) {
            Logger.getLogger(MainFrame.class.getName()).log(Level.SEVERE, null, ex);
        }
    } catch (SQLException se) {
        System.out.println(se.toString());
    }
}
```

Hashing method (and related variables):

```java
private Logins l;
private String password;

public String hashPass(String pass) throws NoSuchAlgorithmException {
    MessageDigest mdEnc = MessageDigest.getInstance("MD5");
    mdEnc.update(password.getBytes(), 0, password.length());
    String md5 = new BigInteger(1, mdEnc.digest()).toString(16); // Encrypted
    return md5;
}
```

Check Login method (without connection String for privacy):

```java
public void checkLogin(String login, String pass) throws SQLException, NoSuchAlgorithmException {
    Connection con = null;
    PreparedStatement stmt = null;
    ResultSet rs = null;
    l = new Logins();
    String passHashed = hashPass(pass);
    String username = login;

    try {

        stmt = con.prepareStatement("SELECT Login, Password from Staff");
        rs = stmt.executeQuery();

        if (rs.next()) {
            if (username.equals(rs.getString("Login"))) {
                if (passHashed.equals(rs.getString("Password"))) {
                    System.out.println("Logged in.");
                } else {
                    System.out.println("Incorrect password - login combination.");
                }
            } else {
                System.out.println("Incorrect log in.");
            }
        }

    } finally {
        if (rs != null) try {rs.close();} catch (SQLException se) {}
        if (stmt != null) try {stmt.close();} catch (SQLException se) {}
        if (con != null) try {con.close();} catch (SQLException se) {}
    }
}
```

Edit: It all parses correctly and can check the database but I've found the reason it doesn't log in ever is because the MD5 code generated by the method produces a different output to that of the password stored in the database. Here's the database one:

1274d1c52d7a5a9125bd64f1f9a26dce

and the generated:

1030416151603361603636256577523441305746075

The password is LondonWeight

Any ideas?

Adam Short
  • I really do not know what that is supposed to do, but I "bet" it's wrong. `String md5 = new BigInteger(1, mdEnc.digest()).toString(16);` I guess what you want to do is a `byte[]` to a hexadecimal representation conversion. In which case check out: https://stackoverflow.com/questions/2817752/java-code-to-convert-byte-to-hexadecimal – GPI Oct 29 '18 at 12:59

2 Answers

1

`password` is not set to the value of the `pass` parameter, so `password.getBytes()` won't work. What about `pass.getBytes()`?

David Scott
  • Well I don't get a huge error anymore! But it comes up with incorrect log in. I copied and pasted the password so that's correct, would it be to do with the hashing that's causing a mismatch? – Adam Short Jun 20 '13 at 13:09
0

`con` appears to always be null.

You need to obtain a connection object before you can do `con.prepareStatement("SELECT Login, Password from Staff");`

There may be other problems in your code, but it's hard to tell which problem you are hitting without a stacktrace.

Has your Staff table got more than one row in it? Seems like unless the user name that you are looking for is the first one returned by your SQL statement, then you'll get "Incorrect Log in". Wouldn't you be better doing

SELECT Login, Password from Staff where Login = UserName

(that isn't syntactically correct in your context, but you get the drift...)

That way, if you don't get a row, then it's an Incorrect Login, and then you just have to compare the hashed values.

DaveH
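The points raised in the comment and both answers, combined into one added example (not code from the question or from either answerer): hash the method argument, hex-encode the digest with leading zeros kept, and select only the row for the entered login through a bound parameter. The class name `LoginCheckExample` and the `Connection` argument are assumptions; the caller is assumed to open the connection and to pass the field's contents (`getText()` or `getPassword()`) rather than the component's `toString()`.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheckExample {

    // Hash the argument itself (not an unset field) and zero-pad to 32 hex digits.
    // MD5 is kept only to match the MD5 hex stored in the question's Staff table;
    // unsalted MD5 is not a suitable password hash for a new schema.
    static String hashPass(char[] pass) throws NoSuchAlgorithmException {
        byte[] input = new String(pass).getBytes(StandardCharsets.UTF_8);
        byte[] digest = MessageDigest.getInstance("MD5").digest(input);
        return String.format("%032x", new BigInteger(1, digest));
    }

    // Fetch only the row for this login; the bound parameter keeps user input
    // out of the SQL text. The caller supplies an open Connection.
    static boolean checkLogin(Connection con, String login, char[] pass)
            throws SQLException, NoSuchAlgorithmException {
        String sql = "SELECT Password FROM Staff WHERE Login = ?";
        try (PreparedStatement stmt = con.prepareStatement(sql)) {
            stmt.setString(1, login);
            try (ResultSet rs = stmt.executeQuery()) {
                if (!rs.next()) {
                    return false; // no row: unknown login
                }
                String stored = rs.getString("Password");
                if (stored == null) {
                    return false; // NULL column: nothing to compare against
                }
                // Compare the two hex strings in constant time.
                return MessageDigest.isEqual(
                        stored.getBytes(StandardCharsets.US_ASCII),
                        hashPass(pass).getBytes(StandardCharsets.US_ASCII));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the MD5 of "a" begins with a zero nibble.
        byte[] d = MessageDigest.getInstance("MD5").digest("a".getBytes(StandardCharsets.UTF_8));
        System.out.println(new BigInteger(1, d).toString(16)); // BigInteger drops leading zeros
        System.out.println(hashPass(new char[] {'a'}));        // padded to the full 32 digits
    }
}
```

Running `main` needs no database; `checkLogin` is exercised by passing it a JDBC connection to a schema with the question's `Staff(Login, Password)` columns.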