Good afternoon. I am trying to connect to a database from Java code in Eclipse. I need to make a request and check whether the username and password typed into the form match each other. The list of usernames and their passwords is in a database named stud_test. I need to run Gradle and Tomcat in order to check whether the servlet works or not. When I do this and open the needed page, I see PSQLExceptions. My code sample is below. I can't understand what the problem is.

public void doPost(HttpServletRequest request, HttpServletResponse response)
                    throws ServletException,IOException {

    Connection con;
    ResultSet rs;

    String URL = "jdbc:postgresql://localhost:5432/stud_test";
    String username = request.getParameter("useruser");
    String passwrd = request.getParameter("pass");
    response.setContentType("text/html");

    try {
        con = DriverManager.getConnection(URL, "postgres", "postgres");
        Statement st = con.createStatement();
        st.executeQuery ("SELECT password FROM stud WHERE user = " + username);
        rs = st.getResultSet();

        if (passwrd.equals(rs)){
            request.getServletContext().getRequestDispatcher(
            "/jsp/hello.jsp").forward(request, response);
        }
        else {
            request.getServletContext().getRequestDispatcher("/jsp/fail.jsp").forward(request, response);
        }

        rs.close ();
        st.close ();
    } 

    catch(Exception e) {
        System.out.println("Exception is :" + e);
    }   
}
  • 3
    What exception do you get? Please post the error stack trace. Commented Oct 23, 2013 at 10:20
  • 2
    Exceptions are very handy. They will tell you which line in your code the exception occurred on, and often provide helpful insight into why it occurred. So, in your catch handler do e.printStackTrace(), study the output, and if we can see it too, we might be able to help. Commented Oct 23, 2013 at 10:22

2 Answers

1

Apart from what Sergiu already mentioned, the following line is not likely to do what you want:

st.executeQuery ("SELECT password FROM stud WHERE user = " + username);

If, for example, the username is, say, "carl", then the following statement would be sent to the database:

SELECT password FROM stud WHERE user = carl

which, if there is no column named "carl", results in a syntax error. The "obvious" (and wrong!) way to fix this would be to use

st.executeQuery ("SELECT password FROM stud WHERE user = '" + username + "'");

This may work (at first), but leaves you vulnerable to SQL injection. The correct way to request the information is to use prepared statements and parameters:

final PreparedStatement stm = connection.prepareStatement(
        "SELECT password FROM stud WHERE user = ?");

try {

    // For each "hole" ("?" symbol) in the SQL statement, you have to provide a
    // value before the query can be executed. The holes are numbered from left to
    // right, starting with the left-most one being 1. There are a lot of "setXxx"
    // methods in the prepared statement interface, and which one you need to use
    // depends on the type of the actual parameter value. In this case, we assign a
    // string parameter:

    stm.setString(1, username);

    final ResultSet rs = stm.executeQuery();

    try {

        if (rs.next()) {

            if (password.equals(rs.getString(1))) {

                 // Yay. Passwords match. User may log in

            }
        }

    } finally {

         rs.close();
    }

} finally {

    stm.close();
}

Yes, talking to a database via JDBC in Java requires a huge amount of boilerplate code. And no, the "obvious" solution is wrong! wrong! wrong!
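To make the difference between the two queries concrete, here is an added example that is not part of the original question or answers. It runs the "obvious" concatenated query beside the parameterized one against an in-memory SQLite database, so it executes offline with no PostgreSQL server or JDBC driver; Python's sqlite3 module uses the same positional "?" placeholders as JDBC's PreparedStatement, so lookup_prepared below maps one-to-one onto prepareStatement/setString/executeQuery. The table stud, the columns username/password, the two sample rows and the helper names are all constructed for this demonstration. One PostgreSQL-specific caveat worth knowing when you go back to the real database: user is a reserved word there (a bare user in a query evaluates to the session user, like current_user), so a column literally named user has to be written as "user" in double quotes; the example sidesteps that by calling the column username.

```python
"""Added example (not part of the original question or answers).

Runs the concatenated query from the question next to the parameterized
form from the answer above, against an in-memory SQLite database so it
executes offline without PostgreSQL or a JDBC driver. sqlite3 uses the same
positional "?" placeholders as JDBC's PreparedStatement, so lookup_prepared
corresponds one-to-one to prepareStatement/setString/executeQuery.
The table "stud", the columns "username"/"password" and the two sample rows
are constructed for this demonstration.
"""
import sqlite3

# Constructed sample data standing in for the stud_test database.
SAMPLE_ROWS = [("carl", "s3cret"), ("dana", "hunter2")]


def make_db():
    """Create an in-memory stand-in for the stud table with two users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stud (username TEXT PRIMARY KEY, password TEXT)")
    con.executemany("INSERT INTO stud VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_concat(con, username):
    """The 'obvious' fix from the answer: quote the value into the SQL text.

    Equivalent to st.executeQuery("... WHERE user = '" + username + "'").
    Anything the user types becomes part of the SQL grammar.
    """
    sql = "SELECT password FROM stud WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_prepared(con, username):
    """The parameterized form: the value travels separately from the SQL text.

    Equivalent to prepareStatement("... WHERE user = ?") + setString(1, username).
    The driver never re-parses the value, so quotes and comment markers in it
    are just characters of the string being matched.
    """
    sql = "SELECT password FROM stud WHERE username = ?"
    return [row[0] for row in con.execute(sql, (username,))]


def check_login(con, username, password, lookup):
    """Mirror the servlet's check: fetch the stored password, compare, and
    treat 'no row' as failure (the rs.next() guard from the answer)."""
    rows = lookup(con, username)
    if not rows:
        return False
    # Plaintext comparison exactly as the page's code does it; a real system
    # would store and verify a password hash instead.
    return rows[0] == password


# A username that, when pasted into the SQL text, closes the quoted literal,
# UNIONs in an attacker-chosen "password" and comments out the trailing quote:
#   SELECT password FROM stud WHERE username = '' UNION SELECT 'x' --'
BYPASS_USER = "' UNION SELECT 'x' --"


def demo():
    """Run the same login attempt through both lookups and report the outcome."""
    con = make_db()
    return {
        # Concatenation: the attacker chooses the password the query returns.
        "concat_bypass": check_login(con, BYPASS_USER, "x", lookup_concat),
        # Prepared statement: BYPASS_USER is looked up literally; no such user.
        "prepared_bypass": check_login(con, BYPASS_USER, "x", lookup_prepared),
        # Legitimate logins still work through the prepared statement.
        "prepared_valid": check_login(con, "carl", "s3cret", lookup_prepared),
        "prepared_wrong_password": check_login(con, "carl", "nope", lookup_prepared),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script shows the concatenated version letting a login through with a username of `' UNION SELECT 'x' --` and a password of `x`, while the prepared statement rejects it and still accepts carl's real credentials. The same mechanism is why a username such as `' OR '1'='1` returns every password in the table through the concatenated query and nothing through the parameterized one, and why a perfectly legitimate name containing an apostrophe (O'Brien) is a syntax error in the first form and an ordinary lookup in the second.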


0

I think you should have

if (passwrd.equals(rs.getString(1))){ ... }

assuming the user field is a varchar in the DB.

You cannot match a string (passwrd) to a ResultSet instance (rs).
