How to retrieve sha1 hash values in mysql database for my java code

Question

I created function to authenticate user in java. I use SHA1 to encrypted data and I stored it in MySQL. Then I created parametric query to pass data from MySQL database.But I had an error in that query line. After I changed SHA1 values in database and I remove the SHA1 word in my query. Really it's work without any errors. But I want to get and check SHA1 encrypt data from database. How to pass database SHA1 encrypted data into my query. Please someone help me to solve my problem.

public boolean authenticate(String username, String password){
    Connection newConnection = null;
    ResultSet newRst = null;
    boolean flag = false; //return value which determines whether logged in or not
    String SqlString = "SELECT * FROM user"
            + " WHERE username=? AND password=SHA1(?)"; //Error line when use SHA1()

    String Username = username;
    String Password = password;

    String CheckUsername;
    String CheckPassword;

    List<String> ParametersDefined =
            Arrays.asList(Username, Password);
    List<String> ParametersNames =  Arrays.asList("username", "password");
    List<String> ParameterDataType =
            Arrays.asList("String", "String");

    DatabaseHandling newData = new DatabaseHandling();
    try {

        newConnection = newData.DataConnection();// creating the connection
        newRst = newData.DataReadArg(newConnection, SqlString,
                ParametersDefined, ParametersNames, ParameterDataType);
        //check whether one row or more 

        int RowCount = 0; // to find the row count
        while (newRst.next()) {
            //checking whether we are getting right row
            System.out.println("this is " + newRst.getString(2));

            RowCount++;
        }
        //if the Row count is one then it check    
        if (RowCount == 1) {
            newRst.first();
            CheckUsername = newRst.getString("username");
            CheckPassword = newRst.getString("password");

            if ((username.equals(CheckUsername))
                    && password.equals(CheckPassword)) {
                userRoleId = newRst.getInt("userRoleId");
                System.out.println("role = " + userRoleId);
                flag = true;
            }
        }

    } catch (Exception e) {

        System.out.println("Error" + e.getMessage());
        flag = false;

    }

    return flag;
}

Working line...

String SqlString = "SELECT * FROM user" + " WHERE username=? AND password=?"; //Without SHA1 String. It's working without any errors.

Answer 1

You need to change your approach of fetching user data from database. Instead of “SELECT * FROM user WHERE username=? AND password=? “ Just use “SELECT * FROM user WHERE username=?” .

Fetch user based on user name only. Once user data is available, verify the encrypted password with database value.

This way you can isolate the below validations –

1. The user exists in the system by using unique value of “username”.

2. If user exists, verify password.

Cross verifying user credentials is very important business logic, it has to be in your business layer (your java service) and should not be spread across database.