Reputation: 11
Why there is Postgres exception?
Good afternoon. I try to connect to database from eclipse's java code. I need to make a request and check if username and password that are typed in the form match each other. List of usernames and their passwords is in database named stud_test. I need to run gradle and tomcat in order to check if servlet works or not. And when I do this and open needed page, I see PSQLExceptions. My code sample is below. I can't understand what's the problem.
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException,IOException {
Connection con;
ResultSet rs;
String URL = "jdbc:postgresql://localhost:5432/stud_test";
String username = request.getParameter("useruser");
String passwrd = request.getParameter("pass");
response.setContentType("text/html");
try {
con = DriverManager.getConnection(URL, "postgres", "postgres");
Statement st = con.createStatement();
st.executeQuery ("SELECT password FROM stud WHERE user = " + username);
rs = st.getResultSet();
if (passwrd.equals(rs)){
request.getServletContext().getRequestDispatcher(
"/jsp/hello.jsp").forward(request, response);
}
else {
request.getServletContext().getRequestDispatcher("/jsp/fail.jsp").forward(request, response);
}
rs.close ();
st.close ();
}
catch(Exception e) {
System.out.println("Exception is :" + e);
}
}
Upvotes: 1
Views: 98
Answers (2)
Reputation: 31053
Apart from what Sergiu already mentioned, the following line is not likely to do what you want:
st.executeQuery ("SELECT password FROM stud WHERE user = " + username);
If, for example, the username is, say, "carl", then the following statement would be sent to the database:
SELECT password FROM stud WHERE user = carl
which, if there is no column named "carl", results in a syntax error. The "obvious" (and wrong way!) to fix this would be to use
st.executeQuery ("SELECT password FROM stud WHERE user = '" + username + "'");
This may work (at first), but leaves you vulnerable to SQL injections. The correct way to request the information is to use prepared statements and parameters:
final PreparedStatement stm = connection.prepareStatement(
"SELECT password FROM stud WHERE user = ?");
try {
// For each "hole" ("?" symbol) in the SQL statement, you have to provide a
// value before the query can be executed. The holes are numbered from left to
// right, starting with the left-most one being 1. There are a lot of "setXxx"
// methods in the prepared statement interface, and which one you need to use
// depends on the type of the actual parameter value. In this case, we assign a
// string parameter:
stm.setString(1, username);
final ResultSet rs = stm.executeQuery();
try {
if (rs.next()) {
if (password.equals(rs.getString(1))) {
// Yay. Passwords match. User may log in
}
}
} finally {
rs.close();
}
} finally {
stm.close();
}
Yes, talking to a database via JDBC in Java requires a huge amount of boilerplate code. And no, the "obvious" solution is wrong! wrong! wrong!
Upvotes: 1
Reputation: 2626
I think you should have
if (passwrd.equals(rs.getString(1))){ ... }
assuming the user field is a varchar in the DB.
You can not match a string(passwrd) to a ResultSet instance (rs).
Upvotes: 0
Related Questions
- PostgreSQL connection in Java Servlet to Retrieve Information from the DB. Getting Error
- Java connect with JDBC to Postgres - SQLException
- How can i solve PostgreSQL JDBC org.postgresql.util.PSQLException Error:
- Strange jdbcReam Exception occurs on Tomcat
- java.lang.ClassNotFoundException: org.postgresql.Driver postgresql ubuntu
- Connection error to postgresql via servlets
- Error while running JDBC on postgres
- Problems with JDBC Java
- Connection attempt failed in postgreSQL server
- Java Postgresql Runtime Error