Question

This data here is secure from SQL injection.

private boolean validate_login(String username, String password)
{
   try
   {
       Class.forName("com.mysql.jdbc.Driver");
       Connection conn = (Connection) DriverManager.getConnection("jdbc:mysql://localhost:3306/login?" + "user=root&password=");
       // Placeholders keep the user input out of the SQL text
       PreparedStatement pst = (PreparedStatement) conn.prepareStatement("Select * from login where username=? and password=?");
       pst.setString(1, username);
       pst.setString(2, password);
       ResultSet rs = pst.executeQuery();
       if(rs.next()) return true; else return false;
   }
   catch(Exception e)
   {
       e.printStackTrace();
       return false;
   }
}

Can you provide code that accesses SQL but is not secured?

Explanation / Answer

private boolean validate_login(String username,String password)
{
   try
   {
       Class.forName("com.mysql.jdbc.Driver");
       Connection conn = (Connection) DriverManager.getConnection("jdbc:mysql://localhost:3306/login?" + "user=root&password=");
       PreparedStatement pst = (PreparedStatement) conn.prepareStatement("Select password from login where username=?");
       pst.setString(1, username);
       ResultSet rs = pst.executeQuery();
       if(rs.next()) {
           if (rs.getNString("password").matches("^" + password + "$"))
               return true;
       }
       return false;
   }
   catch(Exception e)
   {
       e.printStackTrace();
       return false;
   }
}

This code is prone to SQL injection (trick with regular expression in password field). But the input params should change a little.

Need different code? Please comment if so.
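As an added example (not code from the original question or answer), the sketch below puts the two weak patterns discussed on this page next to a hardened comparison: a query assembled by string concatenation, and the answer's regular-expression password match. The class name, method names and sample values are constructed for illustration, and it compares plaintext values only because the page's `login` table does.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class LoginCheckDemo {

    // Unsafe pattern: user input is pasted into the SQL text, so quote
    // characters in the input become part of the statement itself.
    // With the question's PreparedStatement the same input stays data.
    static String concatenatedQuery(String username, String password) {
        return "Select * from login where username='" + username
                + "' and password='" + password + "'";
    }

    // Comparison used in the answer: the supplied password is compiled as a
    // regular expression, so metacharacters are interpreted, not compared.
    static boolean regexCompare(String stored, String supplied) {
        return stored.matches("^" + supplied + "$");
    }

    // Hardened comparison: exact byte equality, evaluated in constant time.
    static boolean exactCompare(String stored, String supplied) {
        return MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the page.
        String stored = "s3cret-Pa55";
        String wildcard = ".*";
        String quoted = "x' OR '1'='1";

        System.out.println("regex match on wildcard input: " + regexCompare(stored, wildcard));
        System.out.println("exact match on wildcard input: " + exactCompare(stored, wildcard));
        System.out.println("exact match on correct input:  " + exactCompare(stored, stored));
        System.out.println("concatenated statement text:   " + concatenatedQuery("alice", quoted));
    }
}
```

The last printed line shows the input's quotes changing the structure of the WHERE clause, which is what the `?` placeholders in the question's code prevent.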
