在servlet中访问SQL quiry的问题 [英] problem in accessing SQL quiry in servlet

问题描述

亲爱的，



我从servlet访问数据库时遇到问题，但我没有发现错误，所以请任何帮助。



------ validation.java--

Dears,

I face a problem in accessing DB from servlet but i din't catch the error, so kindly any help.

------validation.java--

package register;
import java.sql.*;

public class validate {
   
 
     public static boolean checkUser(String name,String pass) 
     {
      boolean st =false;
      try{

	 //loading drivers for mysql
         Class.forName("com.mysql.jdbc.Driver");

 	 //creating connection with the database 
         Connection con=DriverManager.getConnection
                        ("jdbc:mysql://localhost:3306/userregister","root","root");
         PreparedStatement ps =con.prepareStatement
                             ("select * from register where userName=? and password=?");
         ps.setString(1, name);
         ps.setString(2, pass);
         ResultSet rs =ps.executeQuery();
        
      }
catch(Exception e)
      {
          e.printStackTrace();
      }
         return st;                 
  }   
}
------------login.java-----------------
package register;
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;


public class login extends HttpServlet {
 
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
       // out.println("in login classs");
        
        String name = request.getParameter("username");
        String pass = request.getParameter("password");
        
         
        if(validate.checkUser(name, pass))
        {
            RequestDispatcher rs = request.getRequestDispatcher("welcome");
            rs.forward(request, response);
        }
        else
        {
            
           out.println("Username or Password incorrect");

        }
    }  
}
--------------------------web.xml-------------

<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemalocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
        <servlet>
        <servlet-name>login</servlet-name>
        <servlet-class>register.login</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Welcome</servlet-name>
        <servlet-class>register.welcome</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>login</servlet-name>
        <url-pattern>/login</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Welcome</servlet-name>
        <url-pattern>/welcome</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>faces/index.xhtml</welcome-file>
    </welcome-file-list>
</web-app>

推荐答案

nashwa_ahmed写道：

nashwa_ahmed wrote:

验证类永远返回false

the validation class return false forever

这并不奇怪 - 根据您发布的代码，您声明一个名为 st 的变量，将其初始化为 false ，执行查询，然后返回 st 的值。你永远不会更新变量的值，所以方法总是返回 false 。



我怀疑你是缺少 checkUser 方法中的一行：

That's hardly surprising - based on the code you've posted, you declare a variable called st, initialize it to false, execute a query, and then return the value of st. You never update the value of the variable, so the method always returns false.

I suspect you're missing a line from your checkUser method:

ResultSet rs = ps.executeQuery();
st = rs.next();

但是，正如我在评论中提到的那样，以纯文本格式存储密码是一个非常糟糕的主意。您应该使用每条记录的唯一盐来存储密码的盐渍哈希值。要验证密码，您需要这样的东西：

However, as I mentioned in the comments, storing passwords in plain text is a very bad idea. You should be storing a salted hash of the password, using a unique salt per record. To validate the password, you would then need something like this:

PreparedStatement ps = con.prepareStatement("select salt, hashedPassword from register where userName = ?");
ps.setString(1, name);

ResultSet rs = ps.executeQuery();
if (rs.next())
{
    byte[] salt = rs.getBytes(0);
    byte[] hashedPassword = rs.getBytes(1);
    byte[] enteredPassword = HashPassword(pass, salt);
    st = java.util.Arrays.equals(hashedPassword, enteredPassword);
}

其中 HashPassword 与用户注册时用于散列密码的功能相同。

安全盐渍密码哈希 - 如何正确执行 [ ^ ]



您还应该考虑对字节数组使用恒定时间相等测试，以避免时间攻击：

时间攻击课程（或者，不要使用MessageDigest.isEquals）| codahale.com [ ^ ]

where HashPassword is the same function you use to hash the password when the user registers.
Secure Salted Password Hashing - How to do it Properly[^]

You should also consider using a constant-time equality test for the byte arrays, to avoid timing attacks:
A Lesson In Timing Attacks (or, Don’t use MessageDigest.isEquals) | codahale.com[^]

将库（mysql-connector-java-5.1.38-bin.jar）添加到项目中

adding library (mysql-connector-java-5.1.38-bin.jar) to the project

这篇关于在servlet中访问SQL quiry的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！