
Why there is Postgres exception?

Good afternoon. I am trying to connect to a database from Java code in Eclipse. I need to make a request and check whether the username and password typed into the form match each other. The list of usernames and their passwords is in a database named stud_test. I need to run Gradle and Tomcat in order to check whether the servlet works or not. When I do this and open the page I need, I see PSQLExceptions. My code sample is below. I can't understand what the problem is.

public void doPost(HttpServletRequest request, HttpServletResponse response)
                    throws ServletException,IOException {

    Connection con;
    ResultSet rs;

    String URL = "jdbc:postgresql://localhost:5432/stud_test";
    String username = request.getParameter("useruser");
    String passwrd = request.getParameter("pass");
    response.setContentType("text/html");

    try {
        con = DriverManager.getConnection(URL, "postgres", "postgres");
        Statement st = con.createStatement();
        st.executeQuery ("SELECT password FROM stud WHERE user = " + username);
        rs = st.getResultSet();

    if (passwrd.equals(rs)){
        request.getServletContext().getRequestDispatcher("/jsp/hello.jsp").forward(request, response);
    }
    else {
        request.getServletContext().getRequestDispatcher("/jsp/fail.jsp").forward(request, response);
    }

    rs.close ();
    st.close ();
    }

    catch(Exception e) {
        System.out.println("Exception is :" + e);
    }
}

Apart from what Sergiu already mentioned, the following line is not likely to do what you want:

st.executeQuery ("SELECT password FROM stud WHERE user = " + username);

If, for example, the username is, say, "carl", then the following statement would be sent to the database:

SELECT password FROM stud WHERE user = carl

which, if there is no column named "carl", results in a syntax error. The "obvious" (and wrong!) way to fix this would be to use

st.executeQuery ("SELECT password FROM stud WHERE user = '" + username + "'");

This may work (at first), but leaves you vulnerable to SQL injection. The correct way to request the information is to use prepared statements and parameters:

final PreparedStatement stm = connection.prepareStatement(
        "SELECT password FROM stud WHERE user = ?");

try {

    // For each "hole" ("?" symbol) in the SQL statement, you have to provide a
    // value before the query can be executed. The holes are numbered from left to
    // right, starting with the left-most one being 1. There are a lot of "setXxx"
    // methods in the prepared statement interface, and which one you need to use
    // depends on the type of the actual parameter value. In this case, we assign a
    // string parameter:

    stm.setString(1, username);

    final ResultSet rs = stm.executeQuery();

    try {

        if (rs.next()) {

            if (password.equals(rs.getString(1))) {

                 // Yay. Passwords match. User may log in

            }
        }

    } finally {

         rs.close();
    }

} finally {

    stm.close();
}

Yes, talking to a database via JDBC in Java requires a huge amount of boilerplate code. And no, the "obvious" solution is wrong! wrong! wrong!
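The prepared-statement approach above, collected into one helper a servlet can call (an added example, not code from the question or the answers; it assumes the caller supplies a JDBC Connection to the stud_test database and that the stud table has the columns "user" and password):

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public final class StudLogin {

    private StudLogin() {}

    /**
     * Returns true only when a row for the given user exists in "stud" and its
     * stored password equals the supplied one. The user name is bound as a
     * parameter, so it is never parsed as SQL whatever the form contains.
     */
    public static boolean credentialsMatch(Connection con, String username,
                                           String suppliedPassword) throws SQLException {
        if (username == null || suppliedPassword == null) {
            return false;  // a missing form field is a failed login, not an exception
        }
        // "user" is a reserved word in PostgreSQL, so the column name is quoted here.
        final String sql = "SELECT password FROM stud WHERE \"user\" = ?";
        // try-with-resources closes the statement and result set even when an
        // exception is thrown, replacing the nested try/finally blocks above.
        try (PreparedStatement stm = con.prepareStatement(sql)) {
            stm.setString(1, username);
            try (ResultSet rs = stm.executeQuery()) {
                if (!rs.next()) {
                    return false;  // unknown user: same outcome as a wrong password
                }
                String stored = rs.getString(1);
                if (stored == null) {
                    return false;
                }
                // Constant-time comparison, so response time does not depend on how
                // many leading characters matched. (Keeping plain-text passwords in
                // the table is a separate problem; with salted hashes this line would
                // compare the hash of suppliedPassword instead.)
                return MessageDigest.isEqual(
                        stored.getBytes(StandardCharsets.UTF_8),
                        suppliedPassword.getBytes(StandardCharsets.UTF_8));
            }
        }
    }
}
```

In the servlet, the Statement block becomes `if (StudLogin.credentialsMatch(con, username, passwrd))` followed by the two forward() branches.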

I think you should have

if (passwrd.equals(rs.getString(1))){ ... }

assuming the user field is a varchar in the DB.

You cannot match a string (passwrd) to a ResultSet instance (rs).
