如何验证登录名/密码JDBC的正确性
[英]How to verify correctness of login/password JDBC
问题描述
I'm creating very simple ATM machine. 
我正在创建一个非常简单的ATM机。 I have MySQL DB with columns like: loginID, password, money. 我有MySQL DB,其列如:loginID,密码,钱。 I would like to change my method which can verify correctness of login and password at the beginning (and after this do something). 我想更改我的方法,该方法可以在开始时验证登录名和密码的正确性(然后执行某些操作)。 So If login and password are correct, then I want to receive a message "Login successful" or Login unsuccessful". Right now I always have message "Login successful". How can I change it? 因此,如果登录名和密码正确,那么我想收到“登录成功”或“登录失败”消息。现在我总是收到“登录成功”消息。如何更改?
public static void post () throws Exception{
Scanner sc = new Scanner(System.in);
System.out.println ("please enter user id:");
String userId = sc.nextLine();
System.out.println("please enter password:");
String pass = sc.nextLine();
System.out.println("how much you want to put");
int money = sc.nextInt();
try {
Connection con = ConnectionDB.getConnection();
String sql = "UPDATE `BankDB`.`Info` SET `Money`= ? WHERE `ClientID`= ? AND `ClientPass` = ?";
PreparedStatement posted = con.prepareStatement(sql);
posted.setInt(1, money);
posted.setString(2, userId);
posted.setString(3, pass);
posted.executeUpdate();
con.close();
} catch (Exception e) {
e.printStackTrace();
} finally{
System.out.println("Login was succesful");
}
}
2 个解决方案
解决方案1
1 2017-07-20 18:21:29
If my understanding of the question is valid, you need to check that update command really updated something in DB. 如果我对问题的理解是正确的,则需要检查update命令是否确实更新了DB中的某些内容。 In this case you need to get result from posted.executeUpdate() . 在这种情况下,您需要从posted.executeUpdate()获得结果。 If it is greater than zero, update updated record in DB and user name / password were correct. 如果大于零,则更新数据库中的更新记录,并且用户名/密码正确。
解决方案2
0 2017-07-20 18:29:28
UPDATE queries work even if their WHERE clauses choose zero rows. 即使UPDATE查询的WHERE子句选择零行,它们也可以工作。 So your query 所以你的查询
UPDATE `BankDB`.`Info` SET `Money`= ? WHERE `ClientID`= ? AND `ClientPass` = ?
doesn't do anything if either part of the WHERE clause matches nothing. 如果WHERE子句的任何部分都不匹配,则不执行任何操作。 But it still succeeds. 但是它仍然成功。
Generally you want to do something like shown in this outline. 通常,您想要执行此大纲中所示的操作。
-
SELECT id, password FROM Info WHERE ClientId = ? - Check the password for a match with the one provided by your web user. 检查密码是否与您的网络用户提供的密码匹配。 If it doesn't match, reject the transaction. 如果不匹配,则拒绝交易。
-
UPDATE Info SET Money = Money + ? WHERE id = ?giving theidvalue you retrieved in the first step.提供您在第一步中检索到的id值。
DANGER your way of validating the user's password is incredibly dangerous in a world infested with cybercriminals. 危险在充满网络犯罪分子的世界中,验证用户密码的方式非常危险 。 Storing plain-text passwords in a dbms is notorious for being the worst thing you can do about security. 众所周知,将纯文本密码存储在dbms中是您在安全性方面最糟糕的事情。 This is about password hashing in php, but its advice is valid for any language. 这是关于php中的密码哈希处理,但其建议对任何语言均有效。 Please read it. 请阅读。 http://php.net/manual/en/faq.passwords.php Don't reinvent the flat tire in the area of password security. http://php.net/manual/zh-cn/faq.passwords.php不要在密码安全领域重塑轮胎。 Please. 请。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.