验证电子邮件地址和密码
[英]Validate email address and password
问题描述
How do I validate a certain email and password while an user logs in? 
如何在用户登录时验证某个电子邮件和密码?
protected void doPost(HttpServletRequest request, HttpServletResponse res) throws IOException, ServletException {
String email=request.getParameter("email");
String pass=request.getParameter("pass");
OutputStream out = res.getOutputStream();
try{
Class.forName("com.mysql.jdbc.Driver");
Connection con = DriverManager.getConnection("jdbc:mysql://localhost:8080/college", "root", "root");
Statement st=con.createStatement();
String strSQL = "SELECT email,password FROM student";
How do I continue after the SELECT statement? SELECT语句后如何继续? I would prefer using the if...else statement to do the validation. 我更喜欢使用if...else语句来进行验证。
5 个解决方案
解决方案1
2 2014-02-27 08:39:53
First close all connection resources properly - use a Java 7 try-with-resources. 首先正确关闭所有连接资源 - 使用Java 7 try-with-resources。
Here is an simple example: 这是一个简单的例子:
final String email = request.getParameter("email");
final String pass = request.getParameter("pass");
try (final Connection con = DriverManager.getConnection("jdbc:mysql://localhost:8080/student", "root", "root");
final PreparedStatement statement = con.prepareStatement("SELECT COUNT(*) AS count FROM student WHERE email=? AND password=?");) {
statement.setString(1, email);
statement.setString(2, pass);
try (final ResultSet resultSet = statement.executeQuery()) {
if (resultSet.next()) {
final int rows = resultSet.getInt("count");
if (rows > 1) {
throw new IllegalStateException("More than one row returned!");
}
boolean validUser = rows == 1;
}
}
}
But really you should hash passwords in the database . 但实际上你应该在数据库中散列密码 。 Use something like jBcrypt . 使用像jBcrypt这样的东西 。 Your code would then look like: 您的代码将如下所示:
final String email = request.getParameter("email");
final String pass = request.getParameter("pass");
try (final Connection con = DriverManager.getConnection("jdbc:mysql://localhost:8080/student", "root", "root");
final PreparedStatement statement = con.prepareStatement("SELECT pass FROM student WHERE email=?");) {
statement.setString(1, email);
statement.setString(2, pass);
try (final ResultSet resultSet = statement.executeQuery()) {
if (resultSet.next()) {
final String hash = resultSet.getString("pass");
final boolean valid = BCrypt.checkpw(pass, hash);
}
}
}
Obviously you need to add error checking if there are no rows returned from the query. 显然,如果查询中没有返回任何行,则需要添加错误检查。 You also need to check that only one row is returned. 您还需要检查是否只返回一行。 But I leave that as an exercise. 但我把它留作练习。
解决方案2
0 2014-02-27 08:34:59
you can use if, if you like. 如果你愿意,可以使用if。 Use the input as your where statement and then check to see if there is a match, error or null, then execute whatever you want it to do. 使用input作为where语句,然后检查是否存在匹配,错误或null,然后执行您希望它执行的任何操作。
解决方案3
0 2014-02-27 08:35:33
You can use email and password in the SQL statement itself. 您可以在SQL语句本身中使用电子邮件和密码。 like: 喜欢:
SELECT email, password from student where email = ? and password = ?
prepare above statement and bind the parameters. 准备上面的语句并绑定参数。
This way validation will be done on the DB and you just need to check the result count (which has to be 1). 这种方式验证将在DB上完成,您只需要检查结果计数(必须为1)。 You should have index on email column to have better SQL performance. 您应该在电子邮件列上具有索引以获得更好的SQL性能。
解决方案4
0 2014-02-27 08:36:51
Do you relay need to fetch all students ? 你转发需要取得所有students吗?
PreparedStatement st = con.prepareStatement("SELECT count(*) FROM student WHERE email=? AND password=?");
st.setString(1, email);
st.setString(2, pass);
ResultSet rs = st.executeQuery();
rs.next();
int count = rs.getInt(1);
if (count == 1) {
// password and email are correct
}
解决方案5
0 2014-02-27 08:37:03
For this answer, I'll assume that by "validate email and password", what you mean is you want to authenticate the user based on their email address and a password. 对于这个答案,我假设通过“验证电子邮件和密码”,您的意思是您希望根据用户的电子邮件地址和密码对用户进行身份验证。 And not that you want to check whether the email address is a real email address. 而不是你想检查电子邮件地址是否是真实的电子邮件地址。
So, the first thing you need to do is encrypt the passwords in your database , using a hash algorithm and a random salt. 因此, 您需要做的第一件事是使用哈希算法和随机盐加密数据库中的密码 。 You record the salt alongside the hashed password. 您将哈希密码记录在盐旁边。
Next thing is, when the user logs in, you look up the salt for that user, and you perform the same hash with the salt. 接下来的事情是,当用户登录时,您查找该用户的salt,并使用salt执行相同的哈希。 Then you compare the result of that with the previously saved password hash, and if they're the same, then the passwords were the same. 然后将其结果与先前保存的密码哈希进行比较,如果它们相同,则密码相同。
It's important that the salt be random and different for every user. 对于每个用户来说,盐是随机的并且不同是很重要的。
Plenty of reading to be found on the above terms on the Internets. 在互联网上的上述术语中可以找到大量的阅读材料。
Once you've done that, you should also apply the very sensible suggestions in other answers to only select the user you want, and handle your resources correctly. 完成后,您还应该在其他答案中应用非常明智的建议,只选择您想要的用户,并正确处理您的资源。
WARNING I am not an expert on security, and neither are you. 警告我不是安全专家,你也不是。 If you're implementing a log-in system for an exercise, fine. 如果您正在为练习实施登录系统,那很好。 If it's for the real world, use something that's been written by someone who knows what they're doing. 如果是现实世界,请使用由知道自己正在做什么的人写的东西。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.