So I have this working code/prepared statement that adds a username and password into a database, however I need to check if the username already exists in the code.
public void addUser(Connection conn, PreparedStatement pstmnt, String username, String password)
{
try
{
pstmnt = conn.prepareStatement("insert into users values (?,?,?)");
pstmnt.setInt(1, 0);
pstmnt.setString(2, username);
pstmnt.setString(3, password);
pstmnt.executeUpdate();
}
catch (SQLException e) { System.out.println("Error: " + e.getMessage()); }
System.out.println(username + " has been added");
}
Is there any simple way to do this?
You can add a unique constraint in the DB and handle the exception in addUSer accordingly
If there's no many duplicate key risk, you can just try and check the error code if it matches "dup key error" (Error ORA-00001).
Else you must lock the entire table, check for key existence, update and then commit (which release the lock)
Related
What I'm trying to do is:
Accept username(uname) and password(passw) as an input from the user.
Using ResultSet, retrieve the only tuple, to which username in the database and username given by user suits. This tuple will contain username and password.
If the password given by user also suits the password in the database, the display the message that both creadentials are correct else one of them is wrong.
Everything works fine except in one case. When the username itself is wrong, the mysql will not find the attribute at all and will give this error: java.sql.SQLException: Illegal operation on empty result set.
The code is:
ok.addActionListener(new ActionListener()
{
public void actionPerformed(ActionEvent ae)
{
String uname=jf1.getText();
String passw=jf2.getText();
String n;
String m;
try
{
Class.forName("com.mysql.jdbc.Driver").newInstance();
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/authentication?" + "user=root&password=letmein");
PreparedStatement stmt=conn.prepareStatement("Select * from admin where id = ?");
stmt.setString(1,uname);
ResultSet rs=stmt.executeQuery();
rs.next();
n=rs.getString("id");
m=rs.getString("pass");
conn.close();
if(n.equalsIgnoreCase(uname) && m.equalsIgnoreCase(passw))
{
JOptionPane.showMessageDialog(null,"Username and password is correct");
}
else
{
JOptionPane.showMessageDialog(null,"Username or password is not correct");
}
}
catch(Exception ex)
{
System.out.println(ex);
}
}//end of actionperformed
});//end of actionlistener
Is there any way I can do both operations at a time (before closing the connection with database)?. If not, what's the alternative method?
You are supposed to use the result of rs.next() :
if (rs.next()) {
n=rs.getString("id");
m=rs.getString("pass");
}
If rs.next() returns false, this means the query returned no rows.
#Eran mentioned the error by which a wrong id would yield an empty result set on which fields were gotten.
I still have small remarks:
Try-with-resources take care of closing even in case of an exception or returning.
For a local database you can send the password to SQL.
Best to store passwords encrypted, when ever your database should get stolen.
Thus:
boolean loggedIn = false;
try (PreparedStatement stmt =
conn.prepareStatement("SELECT 1 FROM admin WHERE id = ? AND pass = PASSWORD(?)")) {
stmt.setString(1, uname);
stmt.setString(2, passw);
try (ResultSet rs = stmt.executeQuery()) {
loggedIn = rs.next();
} // Closes rs.
} // Closes stmt.
public int addUsers(int USER_ID,String FIRST_NAME,String LAST_NAME,String PASSWORD,String USERNAME,String USER_PERMISSION) throws SQLException {
Connection conn = null;
conn = getConnectivity(conn) ;
getConnectivity(conn);
String sqlSelect = "SELECT * from USER_DETAILS";
PreparedStatement pres = conn.prepareStatement(sqlSelect);
ResultSet rs1 = pres.executeQuery();
if(rs1.next()){
String Username = rs1.getString(5);
System.out.println("username found "+Username);
System.out.println("username input " + USERNAME);
System.out.println("password input " + PASSWORD);
if (Username.equals(USERNAME)){
System.out.println("Username already exists");
conn.close();
}
else{
System.out.println("FOUND ELSE");
String sql = "INSERT INTO USER_DETAILS VALUES (?,?,?,?,?,?)";
PreparedStatement ps = conn.prepareStatement(sql);
ps.setInt(1, USER_ID);
ps.setString(2, FIRST_NAME);
ps.setString(3,LAST_NAME);
ps.setString(4,PASSWORD);
ps.setString(5,USERNAME);
ps.setString(6,USER_PERMISSION);
int result = ps.executeUpdate();
System.out.println(result);
}
}
conn.close();
return USER_ID;
}
and for login I am using
public boolean login(String USERNAME, String PASSWORD) throws SQLException
{
boolean result = false;
Connection conn = null;
conn = getConnectivity(conn) ;
String sqlSelect = "SELECT * from USER_DETAILS";
PreparedStatement pres = conn.prepareStatement(sqlSelect);
ResultSet rs1 = pres.executeQuery();
if(rs1.next()){
String Username = rs1.getString(5);
String Password = rs1.getString(4);
String UserPermission = rs1.getString(6);
System.out.println("username found "+Username);
System.out.println("username input " + USERNAME);
System.out.println("password input " + PASSWORD);
if (Username.equalsIgnoreCase(USERNAME) && Password.equalsIgnoreCase(PASSWORD) && UserPermission.equalsIgnoreCase("blocked")){
System.out.println("User Logged in");
conn.close();
}
System.out.println("gets out of the code");
}
conn.close();
return result;
}
first of all it is allowing to enter more than one entry, so duplicates occurring regardless of my if statement, and when i add fresh new data and try to see I can log in, it still compares with previously added data and does not work. Can someone see what am i doing wrong here. please thanks
below is the system print out i get ,
Connection Valid
username found kamran (don't know why he is still picking up this column)
username input macbook (these i have already in my database)
password input hello (these i have already in my database)
gets out of the code
Connection Valid
Connection Valid
username found kamran (don't know why he is still picking up this column)
username input macho (these i have already in my database)
password input hello (these i have already in my database)
FOUND ELSE (dont know why it adds data when they already exist in database)
1
Your code doesn't make sense: you are querying for all users and only checking the first returned user if it matches. Of course that is going to fail if the first returned user doesn't match: in addUsers you will try to add the user if the first user returned doesn't match, in login a user can only login if it is the first user.
You need to use a WHERE clause to only request the user you want to check:
// Note: this assumes a case insensitive collation
String sqlSelect = "SELECT * from USER_DETAILS WHERE username = ?";
try (PreparedStatement pres = conn.prepareStatement(sqlSelect)) {
pres.setString(1, USERNAME);
try (ResultSet rs1 = pres.executeQuery()) {
if (!rs1.next) {
// user doesn't exist yet, create...
}
}
}
You need to do something similar for login (but then with if (rs1.next()) instead).
There are more problems with your current code: you are storing plaintext passwords: you should really hash them with a strong password hash like PBKDF2. Also please follow the java naming conventions. Variables and parameters are camelcase so not USERNAME but username (or userName), not UserPermission, but userPermission. This improves the readability for people who are used to the java naming conventions.
So I was purposely trying to break my program, and I've succeeded.
I deleted the sqlite database the program uses, while the program was running, after I already created the connection. Then I attempted to update the database as seen below.
Statement stmt;
try
{
stmt = Foo.con.createStatement();
stmt.executeUpdate("INSERT INTO "+table+" VALUES (\'" + itemToAdd + "\')");
}
catch(SQLException e)
{
System.out.println("Error: " + e.toString());
}
The problem is, it didn't catch the exception, and continued to run as if the database was updated successfully. Meanwhile the database didn't even exist at that point since this was after I deleted it.
Doesn't it check if the database still exists when updating?
Do I have to check the database connection manually, every time I update to ensure that the database wasn't corrupted/deleted?
Is this the way it is normally done, or is there a simpler/more robust approach?
Thank you.
Interestingly, I found that if I delete my database when using it and then attempt to update it, it updates the database in its new location (in the trash!). You cannot permanently delete it while it is in the trash can and you are accessing it via your program.
It looks like this is not a SQLException that is thrown...
Try catching every Exception type and see if you get your error :
Statement stmt;
try
{
stmt = Foo.con.createStatement();
stmt.executeUpdate("INSERT INTO "+table+" VALUES (\'" + itemToAdd + "\')");
}
catch(Exception e)
{
System.out.println("Error: " + e.toString());
}
or
Statement stmt;
try
{
stmt = Foo.con.createStatement();
stmt.executeUpdate("INSERT INTO "+table+" VALUES (\'" + itemToAdd + "\')");
}
catch(Throwable e)
{
System.out.println("Error: " + e.toString());
}
I am trying to capture & store user details(name, password etc) & store them in sql database so as to be used by users to login in future.
How do I save the details as a row in the database, yet they are entered as individual strings?
Also, how do I capture &store details like gender(Male,Female) selected from a Combobox? Thanks.
private class achandler implements ActionListener {
#Override
public void actionPerformed(ActionEvent ae) {
//capture user details
String fnamevalue = fnametext.getText();
String lnamevalue = lnametext.getText();
String usernamevalue = usernametext.getText();
char[] pwdvalue = pwdtext.getPassword();
char[] pwdrptvalue = pwdrpttext.getPassword();
if(pwdvalue == pwdrptvalue) {
//add user details to an array
String[] userdetail = {fnamevalue, lnamevalue, usernamevalue, pwdvalue.toString()};
try {
Class.forName("com.mysql.jdbc.Driver");
String Url = "jdbc:mysql://localhost/nsibirwa?" +
"user=root&password=1234";
Connection con = DriverManager.getConnection(Url);
Statement stmt = con.createStatement();
//I am stuck here!!!! i.e. adding 'userdetail' as a tuple in the database
}
catch (SQLException e) {
System.out.println("SQL Exception: "+ e.toString());
}
catch (ClassNotFoundException cE) {
System.out.println("Class Not Found Exception: "+ cE.toString());
}
}
else {
JOptionPane.showMessageDialog(null, "password not matching!",
"Password error", JOptionPane.ERROR_MESSAGE);
}
}
}
adding 'userdetail' as a tuple in the database
Something like:
Connection con = DriverManager.getConnection(Url);
PreparedStatement stmt = con.prepareStatement("insert into user_details (fname, lname, username, pwd) values (?,?,?,?));
stmt.setString(1, fnamevalue);
stmt.setString(2, lnamevalue);
stmt.setString(3, username);
stmt.setString(4, new String (pwdvalue));
stmt.executeUpdate();
Your code has another problem:
if (pwdvalue == pwdrptvalue)
you can not compare objects like that. You need to convert those char[] to Strings and use equals() to compare them. Search for "java string equals" to find out why. This is very basic Java knowledge (and is covered in each and every tutorial I have seen)
This assumes you have a table named user_details with the columns fname, lname, username and pwd. If your table definition is different you need to adjust the insert statement.
Also, how do I capture &store details like gender(Male,Female) selected from a Combobox?
I would suggest you open a second question for that. You should not mix completely different topics (JDBC/SQL vs. plain Swing) in a single question.
I'd like to write to my Oracle DB the user ID and IP address of the logged in user (web app) whenever I perform SQL UPDATEs and INSERTs. Such as
public static int updateUser(STKUser user, STKUser loggedIn) throws DAOException {
Connection connection = null;
connection = DB.getConnFromCache();
PreparedStatement ps = null;
String query = "INSERT INTO xtblPersonnel (pID, pPssWrd, pAdminDate, pAdminIP, pAdminBy) VALUES (?,?,SYSDATE,?,?)";
try {
ps = connection.prepareStatement(query);
ps.setString(1, user.getBadge());
ps.setString(2, user.getPassword());
ps.setString(3, loggedIn.getIpAddress());
ps.setString(4, loggedIn.getBadge());
return ps.executeUpdate();
}
catch (Exception e) {
System.out.println("SQL Exception inserting new user with badge: " + user.getBadge() + ". Error Message: " + e.getMessage());
LOGGER.log(Level.INFO, "SQL Exception inserting new user with badge: " + user.getBadge() + ". Error Message: " + e.getMessage(), user);
throw new DAOException("SQL Exception inserting new user!");
// return 0;
}
finally {
DB.closePreparedStatement(ps);
DB.releaseConnToCache(connection);
}
}
STKuser is a Javabean
My application uses a general Oracle db username and password so that is the reason why I want to record who did the update or insert and from which machine.
Is this an acceptable approach. I used to pass in the session but have realized this is a no no.
Assuming that you're properly closing all DB resources as Connection, Statement and ResultSet in the finally block of the try block where you acquired them and the code is doing what it should do, I don't forsee problems with the approach in question. There is no risk for SQL injections since you're using PreparedStatement, if that was your actual concern. Declaring the method static is however a bit a smell, but then we need to know more about the context the code is running in.