
I just started studying the connection between Java and SQL Server. I have created multiple accounts in my login_DB database. But only the first record results in a successful login.

My question is how do I make it accept the other accounts? I believe my problem is in the code but I'm weak at fixing logic errors. Here's my code:

try {
    if (e.getSource() == loginButton) {
        String user = usernameTF.getText().trim();
        String pass = passwordTF.getText().trim();
        // Java has no multi-line string literals: the pieces must be joined with +
        String sqlLogin = "select username, pssword "
                        + "from tblLogin "
                        + "where username = '" + user + "' "
                        + "and pssword = '" + pass + "'";
        rs = st.executeQuery(sqlLogin);
        // count every row that matched the typed username and password
        int count = 0;
        while (rs.next()) {
            count += 1;
        } // while
        // the login is accepted only when exactly one row matched
        if (count == 1) {
            JOptionPane.showMessageDialog(null, "Login Successful!");
            mainFrame.dispose();
            firstPage page1 = new firstPage();
        }
    }
} catch (SQLException ex) { // needs import java.sql.SQLException
    ex.printStackTrace();
}

tblLogin:

create table tblLogin ( username nvarchar(50) NULL, pssword nvarchar(50) NULL )

username    password 
Jerlon      hello 
buenconsejo jerlon 
jujux       jerlon 
jujux       jerlon 
Buenconsejo jerlon 
NULL        NULL
  • All the usernames are unique in the table, right? So it will return only one row every time according to the username typed in the textbox. Can you show some sample? – Sachu May 24 '15 at 16:47
  • If you show us the data in the `tblogin` table it will be easy to answer – Afsun Khammadli May 24 '15 at 16:50
  • Your code is vulnerable to SQL injection. You should use PreparedStatement. – May 24 '15 at 16:53
  • @Sachu Like this? **username** **password** Jerlon hello buenconsejo jerlon jujux jerlon jujux jerlon Buenconsejo jerlon NULL NULL – Juju May 24 '15 at 16:55
  • @AfsunKhammadli `create table tblLogin ( username nvarchar(50) NULL, pssword nvarchar(50) NULL )` Am I doing it right? – Juju May 24 '15 at 16:56
  • @Juju you have multiple users with username jerlon. It is not good in a login table; you should make username unique. Will any site allow you to register with a username which is already in use? – Sachu May 24 '15 at 16:56
  • @Sachu actually those 'jerlon' were passwords D:. – Juju May 24 '15 at 16:57
  • Then jujux is a repeating username – Sachu May 24 '15 at 16:58
  • @Sachu And also it is only a Java project with some event handling xD And yes, I haven't created any exception for duplicate users :P – Juju May 24 '15 at 16:59
  • @Juju so your program is working fine.. – Sachu May 24 '15 at 17:01
  • Is your SQL Server case sensitive? Check [here](http://stackoverflow.com/questions/1411161/sql-server-check-case-sensitivity). If it is not case sensitive, login with 'buenconsejo' and 'jujux' will fail. – May 24 '15 at 17:37
  • Can `(count>=1)` solve it? ;). – shA.t May 25 '15 at 15:24

1 Answer


This is very bad design.

First, do not use + to create the query. This is a bug allowing SQL injection. Use PreparedStatement to create the query with parameters from the user.

Do not store passwords in plain text. Use a hash (e.g. md5).

Use limit 1 for the select statement (or count(*)).

Do not use while for the ResultSet. Use an if statement.

if (rs.next()) {
}

This is a SQL example:

select * from tblLogin 
where username = ? and password = md5(?)
limit 1

edit: It is not a problem (a logical problem) to have users with the same name (or the same password) if you use a unique key for username and password.

  • I would like to know what md5(?) and limit 1 mean. And also, right now I created a method that would get my SQL statement: `public void getQuery(String query){ try{ con = DriverManager.getConnection("jdbc:sqlserver://localhost:1433;databaseName=login_DB;integratedSecurity=true"); st=con.createStatement(); st.executeUpdate(query); }//try catch(Exception ee){ ee.printStackTrace(); }//catch }//getQuery()` Is that okay? – Juju May 24 '15 at 18:36
  • First, sorry for my bad English :( md5 is a function which returns the md5 hash of its input. This increases security by reducing the chance of passwords being stolen, because no one can see them (even the SQL Server administrator). The limit statement restricts the result (in this case to 1) because only one account is checked (it's an optimization, as is the replacement of `while` with `if`). In your code, the critical place is the building of the query that is submitted to getQuery. To say that it is OK you have to show how you create it. – mr mcwolf May 24 '15 at 19:01
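An added example, not the answer's or the asker's code, that puts the answer's two points together for the asker's Java and SQL Server setup. The query carries a `?` parameter marker filled by `PreparedStatement.setString`, so the typed username can never change the SQL, and the password is never compared inside SQL at all. The answer's snippet is written in MySQL syntax (`limit 1`, `md5()`); SQL Server has neither, so the example uses `TOP 1` and hashes in Java with PBKDF2-HMAC-SHA256 and a random salt, a swapped-in technique rather than the md5 the answer proposes. Looking the row up by username alone with `if (rs.next())` also drops the question's `count == 1` test, which rejects a login whenever more than one row matches, as with the duplicated `jujux` rows or a case-insensitive collation that matches both `buenconsejo` and `Buenconsejo`. Assumptions: a table `tblLogin(username, pw_salt, pw_hash)` whose two `pw_*` columns hold Base64 text (the page's table has a plaintext `pssword` column instead), a `java.sql.Connection` obtained elsewhere, and class and method names that are mine.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginCheck {

    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    // Assumed table layout (not the page's): tblLogin(username, pw_salt, pw_hash),
    // where pw_salt and pw_hash are Base64 text and username is unique.

    /** Derive a PBKDF2-HMAC-SHA256 hash of the password under the given salt. */
    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException ex) {
            throw new IllegalStateException(ex);
        }
    }

    /** Produce the two column values to store when an account is created. */
    static String[] hashForStorage(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);          // fresh salt per account
        byte[] hash = pbkdf2(password, salt);
        return new String[] { Base64.getEncoder().encodeToString(salt),
                              Base64.getEncoder().encodeToString(hash) };
    }

    /** Compare a submitted password against the stored salt and hash in constant time. */
    static boolean verify(char[] password, String saltB64, String hashB64) {
        byte[] salt = Base64.getDecoder().decode(saltB64);
        byte[] expected = Base64.getDecoder().decode(hashB64);
        byte[] actual = pbkdf2(password, salt);
        return MessageDigest.isEqual(expected, actual);
    }

    /**
     * Look the account up by username only, through a parameter marker instead of
     * string concatenation, then verify the password in Java. TOP 1 is the SQL Server
     * form of the row limit; rs.next() replaces the question's row counting.
     */
    static boolean login(Connection con, String user, char[] pass) throws SQLException {
        String sql = "SELECT TOP 1 pw_salt, pw_hash FROM tblLogin WHERE username = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);                   // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;                    // unknown username
                }
                return verify(pass, rs.getString("pw_salt"), rs.getString("pw_hash"));
            }
        }
    }

    /** Runs the hashing half offline on a constructed password; login() needs a live connection. */
    public static void main(String[] args) {
        char[] sample = "hello".toCharArray();        // constructed sample, not a real credential
        String[] stored = hashForStorage(sample);
        System.out.println("pw_salt=" + stored[0] + " pw_hash=" + stored[1]);
        System.out.println("same password verifies: " + verify(sample, stored[0], stored[1]));
        System.out.println("different case verifies: " + verify("Hello".toCharArray(), stored[0], stored[1]));
    }
}
```

The comparison runs in Java rather than in the `WHERE` clause so the database collation no longer decides whether `Hello` equals `hello`; `MessageDigest.isEqual` keeps the comparison constant-time, and the `char[]` form lets the caller wipe the password after use, which a `JPasswordField.getPassword()` result also supports.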