
getting text from password field

Hello, I am trying to create a login form in Java in the NetBeans IDE. My aim is to create multiple user IDs and their respective passwords. I have used text fields for the user ID and a passwordField for the passwords to get the values, but the problem is that I want to get the text from the password field and I am unable to get it; it's showing some error. I think there is some problem with the syntax. My research is as follows. Can there be any solution? Need your help.

private void lb_loginMouseClicked(java.awt.event.MouseEvent evt) {                                      
       DBUtil util = new DBUtil();
       String value1=tb_uid.getText();
       String value2=tb_pwd.getPassword();
       String user1="";
       String pass1="";
       try {

            Connection con = util.getConnection();
            PreparedStatement stmt = con.prepareStatement("SELECT * FROM login where username='"+value1+"' && password='"+value2+"'");
            ResultSet res = stmt.executeQuery();
            res = stmt.executeQuery();
            while (res.next()) {
                user1 = res.getString("username");
                pass1 = res.getString("password");
            }
            if (value1.equals(user1) && value2.equals(pass1)) {
            JOptionPane.showMessageDialog(this,"correct");
            }
            else{
            JOptionPane.showMessageDialog(this,"Incorrect login or password","Error",JOptionPane.ERROR_MESSAGE);
            }
            JOptionPane.showMessageDialog(null, "COMMITED SUCCESSFULLY!");
        } catch (Exception ex) {
            JOptionPane.showMessageDialog(null, ex.getMessage());

        }

    }  

Use this code:

String password = String.valueOf(jPasswordField.getPassword());

The JPasswordField is encrypted, but if you use String.valueOf it will convert Char to String.

String pwd = new String(jPasswordField1.getPassword());

Option 1:

jTextField1.setText(""+pwd);

Option 2:

System.out.println(""+pwd);

value2 is a char array, so doing String concatenation would result in the String representation of the array rather than the String content itself ending up in the SQL. You could replace

PreparedStatement stmt = con.prepareStatement("SELECT * FROM login where username='"+value1+"' && password='"+value2+"'");

with

PreparedStatement stmt = con.prepareStatement("SELECT * FROM login where username='"+value1+"' AND password='" + new String(value2) + "'");

Similarly

if (value1.equals(user1) && value2.equals(pass1)) {

would need to be

if (value1.equals(user1) && pass1.equals(new String(value2))) {

Better use the PreparedStatement placeholders however, to protect against SQL injection attack:

PreparedStatement stmt = con.prepareStatement("SELECT * FROM login where username=? AND password=?");
stmt.setString(1, value1);
stmt.setString(2, new String(value2));

Note: This is not a secure way to do a password lookup; a hashed comparison would be relatively safer.

From http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/String.html#equals%28java.lang.Object%29 :

equals

public boolean equals(Object anObject)

Compares this string to the specified object. The result is true if and only if the argument is not null and is a String object that represents the same sequence of characters as this object.

Your code:

char[] value2=tb_pwd.getPassword();
...
String pass1="";
...
...&& value2.equals(pass1)...

Seems like you'd want to convert your char array into String then retry the conversion. If you're still getting an error please post it along with relevant input so we can see what is being received.

You want to convert your char[] to a String. When you invoke tb_pwd.getPassword(), a char[] (character array) is returned. If you want to compare this password you must convert it to a String, and for this you can use this method:

String final_pass = "";
for (char x : passwordAsChar) {
     final_pass += x;
}

As for comparing passwords in databases, you should never store them in plain text, unencrypted. You could store an MD5 string in your database, and then convert the password inputted by the user to a String, and then invoke the following method on it. Then compare the returned String with the one from the database. If they match, the user has entered a correct password.

Example:

char[] pass = tb_pwd.getPassword();
String final_pass = "";
for (char x : pass) {
    final_pass += x;
}

String md5_encrypted_pass_userInput = encrypt(final_pass);
if (md5_encrypted_pass_userInput.equals(pass1)) { /* pass1 = the password from the database */
    // Correct password
}

A method to use for encrypting Strings to MD5 is:

public static final String encrypt(String md5) {
    try {
        java.security.MessageDigest md = java.security.MessageDigest.getInstance("MD5");
        byte[] array = md.digest(md5.getBytes());
        StringBuffer sb = new StringBuffer();
        for (int i = 0; i < array.length; ++i) {
          sb.append(Integer.toHexString((array[i] & 0xFF) | 0x100).substring(1,3));
       }
        return sb.toString();
    } catch (java.security.NoSuchAlgorithmException e) {}
    return null;
}
