I need the passwords going into my derby database to be hash values they are currently strings. How can I achieve this?
String sql = "insert into MPP_USERS "
+ " (LAST_NAME, FIRST_NAME,EMAIL_ADDRESS,PASSWORD)" + " values (?, ?, ?, ?)";
ps= con.prepareStatement(sql);
ps.setString(1, lastname);
ps.setString(2, firstname);
ps.setString(3, email);
ps.setString(4,password);
System.out.println("Insert complete.");
ps.executeUpdate();
System.out.println("Insert complete.");
Also how do you validate the hash value when the user logs in? here is my validate method.
con = DataConnect.getConnection();
ps = con.prepareStatement("Select EMAIL_ADDRESS,PASSWORD from MPP_USERS where EMAIL_ADDRESS = ? and PASSWORD = ? ");
ps.setString(1, email);
ps.setString(2, password);
ResultSet rs = ps.executeQuery();
if (rs.next()) {
//result found, means valid inputs
return true;
}
Related
The following section of my code is raising concern in "Second-Order SQL Injection".
private String function1 (String var1) {
String sql = "SELECT field1 FROM table1 WHERE field2 = ?";
PreparedStatement ps = null;
ResultSet resultSet = null;
String result = "";
try{
ps = conn.prepareStatement(sql);
ps.setString(1, var1);
resultSet = ps.executeQuery();
if(resultSet.next()){
result = rs.getString("fldDesc");
}
}catch(SQLException e){
e.printStackTrace();
}
}
However, as I know the preparedStatement should be safe against the 2nd Order SQL Injection, due to the separation of query and data.
Can I know why does it would raise a concern against it?
Need to establish database connectivity in drools to get some data as and when required while executing the rules. How do I go about that?
I have tried to establish Cassandra db connection from Drools file, It's working for me.
import com.datastax.driver.core.Cluster
import com.datastax.driver.core.Session
import com.datastax.driver.core.ResultSet;
function String ConnectDBase(String query) {
Session session;
Cluster cluster;
Cluster.Builder builder = Cluster.builder().
withoutJMXReporting().
addContactPoints("127.0.0.1");
cluster = builder.build();
session = cluster.connect("droolstest");
System.out.println("---------Execute Creation query-----------");
session.execute(query);
return "Table Created";
}
rule "DB Connectio
n rule"
when
//Write your code
then
String query = "CREATE TABLE emp(emp_id int PRIMARY KEY, "
+ "emp_name text, "
+ "emp_city text, "
+ "emp_sal varint, "
+ "emp_phone varint );";
System.out.println(ConnectDBase(query));
end
Drools function will look like as:
function String ConnectDB(String ConnectionClass,String url,String user, String password) {
Class.forName(ConnectionClass);
java.sql.Connection con = DriverManager.getConnection(url, user, password);
Statement st = con.createStatement();
ResultSet rs = st.executeQuery("select * from Employee where employee_id=199");
rs.first(); return rs.getString("employee_name");
}
Take a look at sample project https://github.com/abhijithumbe/jbpm6Examples/tree/master/Drools_DBConnection
I'm creating an insurance management system for my DBMS project in university, and I am having a problem with deleting a record from SQL Server. It throws an exception:
SqlException: com.microsoft.sqlserver.jdbc.SQLServerException: The statement did not return a result set.
It also successfully deleted a record from my database. Could anyone please tell me how to remove this kind of exception?
String SQL="delete from INMS_3 where Agent_Id=? and First_Name=? and Last_Name=? and User_Name=? and Phone_no=?";
try {
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
String connectionUrl = "jdbc:sqlserver://localhost:1433;" +
"databaseName=INMS;user=TestingUser;password=1234;";
Connection con = DriverManager.getConnection(connectionUrl);
System.out.println("Connected to sql server");
String str=jTextField1.getText();
String str1=jTextField2.getText();
String str2=jTextField3.getText();
String str3=jTextField4.getText();
String str4=jTextField5.getText();
PreparedStatement st = con.prepareStatement(SQL);
st.setString(1, str);
st.setString(2,str1);
st.setString(3,str2);
st.setString(4,str3);
st.setString(5, str4);
ResultSet rs = st.executeQuery();
if(rs.next());
{
JOptionPane.showMessageDialog(null,"Deleted Succesfully");
}
if(!rs.next())
{
JOptionPane.showMessageDialog(null,"Unable to delete");
}
else
{
JOptionPane.showMessageDialog(null,"Unable to delete");
}
} catch (SQLException e) {
System.out.println("SQL Exception: "+ e.toString());
} catch (ClassNotFoundException cE) {
System.out.println("Class Not Found Exception: "+ cE.toString());
}
I think you are using the wrong thing to perform the delete operation.
Try using st.executeUpdate() instead of ResultSet rs = st.executeQuery() - you are executing a delete rather than something that would return a result set.
This is not a problem with SQL Server. The problem is with your code (what is that? C#? The object is set to expect a result set from the server, but the query is a DELETE statement, and those return no rows... ever.
State the programing language, and research for how to execute statement instead requesting result sets.
This line makes sense for a SELECT not for an UPDATE
ResultSet rs = st.executeQuery();
if you're executing a delete statement, why are you executing
ResultSet rs = st.executeQuery();
Here's a sample c# ado.net. concept it the same if you're using java.
using(var conn = new SqlConnection("my connection string"))
{
var deleteCmd = new SqlCommand();
deleteCmd.Connection = conn;
deleteCmd.CommandType = CommandType.Text;
deleteCmd.CommandText = #"
DELETE Accounts
WHERE account_id = #p_account_id
";
deleteCmd.Parameters.AddWithValue("p_account_id", 123);
conn.Open();
deleteCmd.ExecuteNonQuery();
}
PreparedStatement pstmt = conn
.prepareStatement("INSERT INTO discussion(section_id, weekday, room, mandatory, starttime,endtime) VALUES ( ?, ?, ?, ?, ?, ?)");
pstmt.setInt(1, Integer.parseInt(request.getParameter("SECTION_ID")));
pstmt.setString(2, request.getParameter("WEEKDAY"));
pstmt.setString(3, request.getParameter("ROOM"));
pstmt.setString(4, request.getParameter("MANDATORY"));
String TIME_FORMAT = "HH:mm";
SimpleDateFormat timeFormat = new SimpleDateFormat(TIME_FORMAT,
Locale.getDefault());
out.println("Items: " + request.getParameter("starttime"));
out.println("Items: " + request.getParameter("WEEKDAY"));
pstmt.setTime(5,
new Time(timeFormat.parse(request.getParameter("starttime"))
.getTime()));
pstmt.setTime(6,
new Time(timeFormat.parse(request.getParameter("endtime"))
.getTime()));
pstmt.executeUpdate();
I use out.print to test. find out that getparameter works not right. It can give me the weekday data but cannot give me starttime data. The database give starttime time type
I saw this example somewhere:
rs = connection.prepareStatement("select * from table").executeQuery();
Could I use this format, if I want to execute a query like this "Select * from table where column = "hello" "?
The way in which I usual I use prepareStatement object is something like this:
String sql = "select * from adresa where column = ?";
PreparedStatement pre = con.prepareStatement(sql);
pre.setString(1, i);
rs = pre.executeQuery();
Later Edit:
I don't understand. Pascal Thivent wrote that I can use the short version with In parameters, but Liu tells me this is not possible. :) Anw, using Pascal's version, i receive this error: void cannot be dereferenced
Here's a partial example how to use this interface:
static final String USER = "root";
static final String PASS = "newpass";
Connection conn = DriverManager.getConnection(myUrl, USER, PASS);
// create a sql date object so we can use it in our INSERT statement
Calendar calendar = Calendar.getInstance();
java.sql.Date startDate = new java.sql.Date(calendar.getTime().getTime());
// the mysql insert statement
String query = " insert into students (ID, last_name, first_name, birthday, hometown)"
+ " values (?, ?, ?, ?, ?)";
// create the mysql insert preparedstatement
PreparedStatement preparedStmt = conn.prepareStatement(query);
preparedStmt.setInt(1, 808027);
preparedStmt.setString(2, "Davis");
preparedStmt.setString(3, "Felicita");
preparedStmt.setDate(4, startDate);
preparedStmt.setString(5, "Venice");
// execute the preparedstatement
preparedStmt.execute();
conn.close();
You can only use the first form if there are no bind variables (question marks) in the query. It's just a shortened version of what you posted.
Also, if you use the shortened form you won't have the opportunity to reuse the PreparedStatement object.
of course u can use a string variable for the query in which u put in ur dynamic data and run it.
rs = connection.prepareStatement(variable).executeQuery();
The long form is often, but prepared statements can be precompiled by the db, and if used properly will help prevent sql injection.
Connection conn = null;
ResultSet rs = null;
PreparedStatement ps = null;
try {
conn = getConn();
ps = conn.prepareStatement("select * from x where y = ? "); //note no sb.append()'s or +'s, to helps prevent sql injection
ps.setLong(1, 12l);
rs = ps.executeQuery();
while (rs.next()) {
... act ...
}
} catch ( Exception e) {
} finally {
if (rs != null) rs.close();
if (ps != null) ps.close();
if (conn != null) conn.close();
}
Who said java was verbose. :)