堆栈内存溢出
  简体   繁体   English

即使数据库中的表为空,执行的SQL查询和结果集仍会返回记录?

[英]Sql query executed and the resultset returns records even though table in database is empty?

 原文  2015-07-31 17:24:41       java/ sql/ jdbc/ spring-security

问题描述

I've created a spring security UserService that checks if the user logged in(from a login page) exists in the database (jdbc) . 我创建了一个Spring Security UserService,它检查(从登录页面登录的)用户是否存在于数据库(jdbc)中。

If the record exists then redirection to the home page ,else redirection to the access denied page. 如果记录存在,则重定向到主页,否则重定向到拒绝访问页面。

I've tested it , it works well , But when I deleted the records from the database and tried to check , i've noticed that it still working like the records still exist in the database : authenticating with deleted username and password works ! 我已经对其进行了测试,但是效果很好,但是当我从数据库中删除记录并尝试进行检查时,我注意到它仍然像数据库中的记录一样工作:使用已删除的用户名和密码进行验证!

Could someone tell me why ? 有人可以告诉我为什么吗?

This is my code : 这是我的代码: 

@Component(value = "userService")
public class UserService implements AuthenticationProvider {
@Inject
@Named(value = "dataSource")
private DataSource dataSource1;
String name;
String password;
int countRow=0;
public Authentication authenticate(Authentication auth) throws AuthenticationException {
    ResultSet resultSet = null;
    PreparedStatement preparedStatement = null;
    Connection connection = null;
    name= auth.getName();
    password=auth.getCredentials().toString();
    final String select= "select username,password from users where username='"+name+"'and password='"+password+"'";

    try {
        connection = dataSource1.getConnection();
        preparedStatement = connection.prepareStatement(select);
        resultSet = preparedStatement.executeQuery();
        if(resultSet.next()){
            countRow++;
            if(countRow!=0){

           return new UsernamePasswordAuthenticationToken(name, null);}
        }
        return null;
        }



    return new UsernamePasswordAuthenticationToken("", "");
}

1 个解决方案

解决方案1
 0 已采纳  2015-07-31 17:33:40

Instead of this code 代替此代码 

   if(resultSet.next()){
      countRow++;
        if(countRow!=0){

       return new UsernamePasswordAuthenticationToken(name, null);}
    }
    return null;

use 采用 

String select= "select username,password from users where username=? and password=?";//to avoid sql injection
preparedStatement = connection.prepareStatement(select);
preparedStatement.setString(1,name);
preparedStatement.setString(2,password);
............

if(resultSet.next())//condition is true, means record exists in database
{
//stuff to redirection to success
}
else
{
//stuff to access denied
}

But I didn't know that springs . 但是我不知道springs Just check this 只要检查一下

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ResultSet为空,虽然sql查询正常,但是事件 - ResultSet is empty, event though the sql query is ok SQL查询返回数据,但ResultSet为空 - SQL query returns data but ResultSet is empty 简单的JDBC SQL查询返回空的ResultSet - Simple JDBC SQL Query returns an empty ResultSet 即使填充了表,resultSet.next()也会返回false - resultSet.next() returns false, even though table is populated SQL语句在空表上返回结果集 - SQL statement returns a resultset on an empty table JAVA MYSQL准备的语句给出空结果集,即使查询在mysql admin中也有效 - JAVA MYSQL prepared statement giving empty resultset even though query works in mysql admin Java 中 ResultSet 执行的 SQL 查询返回的值与在数据库中执行时的值不同 - SQL query executed by ResultSet in Java is returning different values than when executed in database SQL Server-查询返回数据,但使用相同查询的ResultSet返回空 - SQL Server - a query returns data but ResultSet using same query returns empty 当查询返回非空结果集时,我们如何观察 sql 查询 - How do we observe on a sql query when the query returns a non empty resultSet 通过java.sql.PreparedStatement.setBytes在BINARY比较上的空结果集 - Empty resultset on BINARY comparison though java.sql.PreparedStatement.setBytes
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM