problem in accessing SQL query in servlet
Question
Dears,
I face a problem in accessing the DB from a servlet, but I didn't catch the error, so kindly any help.
------validation.java--
package register;

import java.sql.*;

public class validate {
    public static boolean checkUser(String name, String pass)
    {
        boolean st = false;
        try {
            // loading drivers for mysql
            Class.forName("com.mysql.jdbc.Driver");
            // creating connection with the database
            Connection con = DriverManager.getConnection
                ("jdbc:mysql://localhost:3306/userregister", "root", "root");
            PreparedStatement ps = con.prepareStatement
                ("select * from register where userName=? and password=?");
            ps.setString(1, name);
            ps.setString(2, pass);
            ResultSet rs = ps.executeQuery();
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
        return st;
    }
}
------------login.java-----------------
package register;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;

public class login extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        // out.println("in login class");
        String name = request.getParameter("username");
        String pass = request.getParameter("password");
        if (validate.checkUser(name, pass))
        {
            RequestDispatcher rs = request.getRequestDispatcher("welcome");
            rs.forward(request, response);
        }
        else
        {
            out.println("Username or Password incorrect");
        }
    }
}
--------------------------web.xml-------------
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <servlet>
        <servlet-name>login</servlet-name>
        <servlet-class>register.login</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Welcome</servlet-name>
        <servlet-class>register.welcome</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>login</servlet-name>
        <url-pattern>/login</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Welcome</servlet-name>
        <url-pattern>/welcome</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>faces/index.xhtml</welcome-file>
    </welcome-file-list>
</web-app>
Answer
The validation class returns false forever
That's hardly surprising - based on the code you've posted, you declare a variable called st, initialize it to false, execute a query, and then return the value of st. You never update the value of the variable, so the method always returns false.
I suspect you're missing a line from your checkUser method:
    ResultSet rs = ps.executeQuery();
    st = rs.next();
However, as I mentioned in the comments, storing passwords in plain text is a very bad idea. You should be storing a salted hash of the password, using a unique salt per record. To validate the password, you would then need something like this:
    // Look the user up by name only; the password never goes into the query.
    PreparedStatement ps = con.prepareStatement("select salt, hashedPassword from register where userName = ?");
    ps.setString(1, name);
    ResultSet rs = ps.executeQuery();
    if (rs.next())
    {
        // JDBC column indexes are 1-based: getBytes(0) would throw an SQLException.
        byte[] salt = rs.getBytes(1);
        byte[] hashedPassword = rs.getBytes(2);
        byte[] enteredPassword = HashPassword(pass, salt);
        st = java.util.Arrays.equals(hashedPassword, enteredPassword);
    }
where HashPassword is the same function you use to hash the password when the user registers.
Secure Salted Password Hashing - How to do it Properly
You should also consider using a constant-time equality test for the byte arrays, to avoid timing attacks:
A Lesson In Timing Attacks (or, Don't use MessageDigest.isEquals) | codahale.com
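The lookup, hash and comparison described in the answer above, put together as an added example (not code from the question or the answer). It assumes a register table with salt and hashedPassword BLOB columns, and uses PBKDF2-HMAC-SHA256 from the JDK as the HashPassword function; the same function must be used when the user registers.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordCheck {
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // Assumed stand-in for the answer's HashPassword: PBKDF2-HMAC-SHA256.
    // Registration must store hashPassword(pass, newSalt()) together with the salt.
    static byte[] hashPassword(String pass, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pass.toCharArray(), salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // One fresh random salt per record, generated at registration time.
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Constant-time comparison: the loop always runs over the whole array,
    // so the runtime does not reveal where the first mismatching byte is.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a == null || b == null || a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Fetches salt and hash by user name only; JDBC column indexes are 1-based.
    static boolean checkUser(Connection con, String name, String pass)
            throws SQLException, GeneralSecurityException {
        String sql = "select salt, hashedPassword from register where userName = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false; // unknown user
                byte[] salt = rs.getBytes(1);
                byte[] stored = rs.getBytes(2);
                return constantTimeEquals(stored, hashPassword(pass, salt));
            }
        }
    }
}
```

hashPassword and constantTimeEquals can be exercised without a database by hashing a constructed password with newSalt() and comparing the result against a second hash of the same and of a different password.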
Adding the library (mysql-connector-java-5.1.38-bin.jar) to the project