
User login by comparing with user details in database

I would like to ensure that when a user enters a username & password, authentication is done by checking if the input matches some row in the user table. Here is the code so far. It allows only the first user in the database to log in. Please suggest how I can set it right. Thanks

private class thehandler implements ActionListener {
    @Override
    public void actionPerformed(ActionEvent ae) {
        String namevalue = usertext.getText();
        String pwdvalue = pwdtext.getText();

        // read values from user table in sql database
        try {
            Class.forName("com.mysql.jdbc.Driver");
            String conUrl = "jdbc:mysql://localhost/hall?" +
                            "user=root&password=blend";

            Connection con = DriverManager.getConnection(conUrl);
            Statement stmt = con.createStatement();

            ResultSet rs = stmt.executeQuery("SELECT * FROM user");

            while (rs.next()) {

                if (namevalue.equals(rs.getString("userName")) && pwdvalue.equals(rs.getString("password"))) {
                    JOptionPane.showMessageDialog(null, "You are logged in",
                            "Makhall login", JOptionPane.INFORMATION_MESSAGE);
                    // move on to homepage if user is valid
                    homePage home = new homePage();
                    home.setAlwaysOnTop(rootPaneCheckingEnabled);
                }
                else {

                    JOptionPane.showMessageDialog(null, "Incorrect username or password",
                            "Error", JOptionPane.ERROR_MESSAGE);
                }
                break;
            }
        }
        catch (SQLException e) {
            System.out.println("SQL Exception: " + e.toString());
        }
        catch (ClassNotFoundException cE) {
            System.out.println("Class Not Found Exception: " + cE.toString());
        }

    }
}

Sorry, I think this is awful code. You have everything mingled together: UI, database connection, querying, etc. Java's an object-oriented language. One of the tenets of good object design is cohesion: have a class do one thing well.

Start by separating your database querying into a data access object. Get it working, test it, and let other clients simply use it. You'll build up your complex solution by letting simpler objects collaborate.

Your immediate problem is that your SELECT needs a WHERE clause: WHERE username = ?

You only want to check the password for the user at hand.

That question mark is deliberate: use PreparedStatement, not Statement.

You're selecting all the users from the database. Don't ever do this. Instead, select the user which has the given login. If it exists, check the password. If it doesn't exist, then the login itself is incorrect.

Also:

  • separate database access code from UI code. Those should be in separate classes.
  • don't store plain text passwords in a database. Salt them, hash them, and to check a password, salt the password, hash it, and compare it to the salted-and-hashed password stored in the database.
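
An added example, not code from any of the posts here, combining the advice of the two answers above: a data access class that selects only the row for the given login through a PreparedStatement and compares salted hashes instead of plain text. The `salt` and `pwdHash` columns, the `UserDao` name, PBKDF2 as the hash and the iteration count are assumptions of this example; `user` and `userName` come from the question.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Data access object for logins; it contains no UI code. */
public class UserDao {
    private static final int ITERATIONS = 210_000; // assumed work factor; tune for your hardware

    /** Salted hash of a password; PBKDF2-HMAC-SHA256 is this example's choice. */
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    /** True only if a row for userName exists and the salted hash matches. */
    static boolean authenticate(Connection con, String userName, char[] password)
            throws Exception {
        // salt and pwdHash are hypothetical VARBINARY columns replacing `password`
        String sql = "SELECT salt, pwdHash FROM user WHERE userName = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userName); // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // no such login
                }
                byte[] actual = hash(password, rs.getBytes("salt"));
                // constant-time comparison of the two hashes
                return MessageDigest.isEqual(rs.getBytes("pwdHash"), actual);
            }
        }
    }

    /** Offline check of the hashing half, using a constructed password. */
    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16]; // generated once per user at registration
        new SecureRandom().nextBytes(salt);
        byte[] stored = hash("correct horse".toCharArray(), salt);
        System.out.println(MessageDigest.isEqual(stored, hash("correct horse".toCharArray(), salt)));
        System.out.println(MessageDigest.isEqual(stored, hash("wrong".toCharArray(), salt)));
    }
}
```

The caller should show the same "Incorrect username or password" message whether the login is unknown or the hash does not match, as the question's dialog already does.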

I also made the same program. See here:

String m = jt1.getText();
String n = new String(jt2.getPassword());
// Bind the UID as a parameter instead of concatenating it into the SQL text
String q = "select * from emp where UID=?";
try (Connection con = DriverManager.getConnection("jdbc:mysql://localhost/darshanproject", "root", "");
     PreparedStatement st = con.prepareStatement(q)) {
    st.setString(1, m);
    try (ResultSet rs = st.executeQuery()) {
        // rs.next() returns false when no row has this UID
        if (rs.next()) {
            String user, pass;
            user = rs.getString("UID");
            pass = rs.getString("password");
            if (m.compareTo(user) == 0) {
                if (n.compareTo(pass) == 0)
                    System.out.println("login Success");
                else
                    System.out.println("Wrong Password");
            }
        }
    }
} catch (Exception ex) {
    System.out.println(ex);
}
