4

I'm making an application and I want the application to automatically log in from a text file if the user has already logged in. Currently, in the text file I have "alex|ppp" which matches the database entry. The following method is called first:

```java
private void rememberedLogIn(){
    String filename = "UserInfo.txt";
    String info = "";
    String user = "";
    String pass = "";

    try{
        FileInputStream fIn = openFileInput(filename);
        BufferedReader r = new BufferedReader(new InputStreamReader(fIn));
        info = r.readLine();

    }catch(IOException e){
        e.printStackTrace(System.err);
    }

    for(int i =0; i < info.length();i++){
        if(info.charAt(i) == '|' ){
            user = info.substring(0,i);
            pass = info.substring(i+1);
            GlobalVar.loggedIn= true;
            break;
        }
    }
    new InitialStuff().execute(user,pass);
}
```

I have double checked the values for user and pass and they are "alex" and "ppp" which is expected. Next InitialStuff is called, this is the relevant code:

```java
public class InitialStuff extends AsyncTask<String, Void, Toon>{
    int prog = 0;
    @Override
    protected Toon doInBackground(String... params) {
        android.os.Debug.waitForDebugger();
        Toon toon = null;
        Database db = new Database();
        db.establishConnection();
        if(db.tryLogIn(params[0], params[1])){
            prog = 2;
            publishProgress();
            toon = db.getToonFromDB(params[0]);
            prog = 4;
        }else prog = 3;
        publishProgress();
        return toon;
    }
}
```

The problem occurs once I call the db.tryLogin() which looks like this:

```java
public boolean tryLogIn(String toonName, String toonPass){
    try{
        while(!connected) establishConnection();
        String sqlQuery = "SELECT Password FROM Toons WHERE Name LIKE '" + toonName+"';";
        Statement stmt = con.createStatement();
        ResultSet rSet = stmt.executeQuery(sqlQuery);
        if(rSet.next()){
            String dbPass = rSet.getString(1).trim();
            if(dbPass.equals(toonPass)) //PROBLEM OCCURS HERE
                return true;
        }
    }
    catch(Exception e){ }
    return false;
}
```

I have checked to see that dbPass comes back from the database as "ppp" which matches toonPass yet it will skip over the return true and return false instead.

If it helps, this is the information Eclipse gives me about the two:

```
toonPass    "ppp" (id=830041185816)
    count       3
    hashCode    0
    offset      5
    value       (id=830041185744)
        [0]     a
        [1]     l
        [2]     e
        [3]     x
        [4]     |
        [5]     p
        [6]     p
        [7]     p

dbPass      "ppp" (id=830041708816)
    count       3
    hashCode    0
    offset      0
    value       (id=830041709136)
        [0]     p
        [1]     p
        [2]     p
```

Please note that I have also tried passing in "ppp" to the tryLogin() method without taking it as a substring in case that had something to do with the problem and the outcome is the same.

EDIT: I solved the problem...sorta. I just stopped using the .equals() method and instead am using a for loop that compares the characters in each string to one another

user3293629
  • 6
    Unrelated, but sql injection. – Dave Newton Feb 25 '14 at 22:50
  • This is the first time I've dealt with external databases in my programming and I had to teach it to myself so please excuse my lack of knowledge... what do you mean? – user3293629 Feb 25 '14 at 22:51
  • 3
    One of SQL-injection examples: http://xkcd.com/327/ -> http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – Pshemo Feb 25 '14 at 22:54
  • 3
    @user3293629 consider what happens if `toonName` is `"foo' or '1' = '1"` – fge Feb 25 '14 at 22:55
  • @fge I don't understand what you're trying to say :/ – user3293629 Feb 25 '14 at 22:57
  • @user3293629 expand the string by yourself and see what your query becomes... – fge Feb 25 '14 at 22:57
  • Heh. Nice comic Pshemo. A safer approach than embedded SQL is a parameterized stored procedure. – Stan Smith Feb 25 '14 at 23:00
  • 1
    I'm quite amused why you got 0 for `hashCode` of both `toonPass` and `dbPass`, since I got 111216. On unrelated notes, some tips for you: 1) Don't forget to `close()` the `FileInputStream fIn` and `BufferedReader r` after you have done with them. 2) The `for-loop and if-block` for finding the pipe "|" character can be changed to `indexOf("|")`. 3) Don't forget to remove `waitForDebugger()` when it's not used. 4) As already mentioned before, be careful with SQL injection. 5) Don't forget to close the connection to DB too if it's currently not used. – Andrew T. Feb 26 '14 at 02:02
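
What the comments above are pointing at, as an added example that is not part of the original question or its comments: the first method isolates the string concatenation from `tryLogIn()` so the resulting SQL text can be inspected without a database, and the second is a parameterized version using JDBC `PreparedStatement`. The class name `LoginQueryDemo` and both method names are hypothetical; the table and column names are the ones in the question.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginQueryDemo {

    // Same concatenation as tryLogIn() in the question: toonName is pasted
    // directly into the SQL text, so any quote in it changes the statement.
    static String buildConcatenatedQuery(String toonName) {
        return "SELECT Password FROM Toons WHERE Name LIKE '" + toonName + "';";
    }

    // Parameterized version (hypothetical replacement, not the asker's code).
    // The SQL text is fixed; toonName travels as a bound value and is never
    // parsed as SQL. It also uses "=" for an exact match instead of LIKE,
    // and lets SQLException propagate instead of swallowing it.
    static boolean tryLogInParameterized(Connection con, String toonName, String toonPass)
            throws SQLException {
        String sql = "SELECT Password FROM Toons WHERE Name = ?";
        try (PreparedStatement stmt = con.prepareStatement(sql)) {
            stmt.setString(1, toonName);
            try (ResultSet rSet = stmt.executeQuery()) {
                if (!rSet.next()) {
                    return false; // no such user
                }
                String dbPass = rSet.getString(1);
                return dbPass != null && dbPass.trim().equals(toonPass);
            }
        }
    }

    public static void main(String[] args) {
        // The value stored in the question's text file.
        System.out.println(buildConcatenatedQuery("alex"));
        // The value from fge's comment: its quotes close the string literal,
        // and the remainder is read by the database as part of the WHERE clause.
        System.out.println(buildConcatenatedQuery("foo' or '1' = '1"));
    }
}
```

Running `main` prints the two statements side by side; in the second, the `WHERE` clause ends in `or '1' = '1'`, which holds for every row in `Toons`.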

3 Answers

2

One hint! If you're playing with String class methods, e.g. .compare(), .equals() etc., remember about charset encoding! Especially ensure it matches the IDE, project files, resources and DB's encoding (when you load/read data as a string from external sources).

ceph3us
1
```java
if(dbPass.equals(toonPass)) //PROBLEM OCCURS HERE
```

Are you really sure?

The problem is probably here:

```java
catch(Exception e){ }
```

Write this instead and inspect your logs:

```java
catch(Exception e){ e.printStackTrace(); }
```
ben75
  • I added that in, but as I expected it didn't change the result; there is no exception being thrown, it simply skips over the if statement directly to the "return false" – user3293629 Feb 25 '14 at 23:05
0

Strangely, it looks like the Eclipse debugging information isn't matching. The char[] that you've printed out for toonPass looks like it reads "alex|ppp" and dbPass looks like "ppp". The offset of 5 for toonPass makes it seem like the strings are equal because it's skipped the first 5 characters ("alex|") and is thus up to "ppp".

I'd suggest rewriting the loop that splits up the "alex|ppp" from the text file. If you just want to split it on the '|' character then info.split("|") will probably do the trick.

ATG
  • Also, while it might not necessarily be the issue, I'd strongly recommend you follow the advice of @ben75 and avoid writing `catch(Exception e){ }` – ATG Feb 25 '14 at 23:03
  • I thought that might be the problem too, but it isn't ("Please note that I have also tried passing in "ppp" to the tryLogin() method without taking it as a substring in case that had something to do with the problem and the outcome is the same."); even when "ppp" is passed in as a new string it doesn't work. – user3293629 Feb 25 '14 at 23:06
  • I saw that at the end of your question, but it doesn't explain what we're seeing with the offset=5 in the debugging information. Only other thing I can think of is a character encoding issue but with such simple characters it's highly unlikely. – ATG Feb 25 '14 at 23:09
  • Would it help if I posted the info of the variables when I pass in "ppp"? – user3293629 Feb 25 '14 at 23:12
  • It can't do any harm to post that information, I suppose. Frankly, though, if passing arguments of `info.split("|")[0]` and `info.split("|")[1]` doesn't work then I'm out of ideas for now! – ATG Feb 25 '14 at 23:16
  • 1
    @ATG when using `substring()` the resulting string shares the same array of chars as the original one for speed ([it uses this constructor](http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/java/lang/String.java#String.%3Cinit%3E%28int%2Cint%2Cchar[]%29)) but `equals` should work anyway. – Gustek Feb 25 '14 at 23:16
  • The only other thing I can think of is that because `InitialStuff` is an `AsyncTask` it gets a different class loader and this is interfering with the equality of "ppp" loaded from the database compared with "ppp" passed in as an argument. I didn't think this affected Strings, though, to be honest. – ATG Feb 25 '14 at 23:26
  • @ATG So what can I do to fix this? Also, I should mention that when I use the tryLogin() method on strings pulled from a textbox it also works (and the strings are also passed in to an AsyncTask from a different method) – user3293629 Feb 25 '14 at 23:34
  • In that case, I'd suggest having a look at the differences in how the Strings are constructed between this code and the code that uses the text box. I don't know the answer, I'm afraid. It's all trial and error from here. – ATG Feb 25 '14 at 23:48