
Hey, I am trying to verify that the password matches the one they entered with the email. I have been searching the web for a few hours and everything else I have tried does not work. This is what I have so far:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

// Fragment of the login method: driver, url, dbName, userName, password,
// emailT, pass1 and success are set elsewhere in the activity.
try {
    Class.forName(driver).newInstance();
    // No casts needed: getConnection and prepareStatement already return
    // java.sql.Connection and java.sql.PreparedStatement.
    Connection conn = DriverManager.getConnection(url + dbName, userName, password);
    PreparedStatement checkUserInfo = conn.prepareStatement(
            "SELECT password FROM profiles WHERE email = ?");
    checkUserInfo.setString(1, emailT);  // emailT is the email pulled from an EditText
    ResultSet rs = checkUserInfo.executeQuery();
    while (rs.next()) {
        // The query selects a single column, so read it by name (or index 1);
        // rs.getString(2) throws because there is no second column.
        String pass = rs.getString("password");
        if (pass.equals(pass1)) {   // compares the stored plain-text password, as posted
            conn.close();
            return success;
        }
    }
    conn.close();
}
catch (Exception e) {
    e.printStackTrace();
}
SketchyTurtle
  • Please, **DO NOT** store passwords as plain text. Ever. – tadman Mar 27 '14 at 02:31
  • Are you getting any value after the DB query? – LorenzoR Mar 27 '14 at 02:32
  • Why post commented-out code? Read this introduction: http://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication/ – Omar Hrynkiewicz Mar 27 '14 at 02:34
  • @tadman Thanks for the warning. I know that I should be using PHP as well, but right now this is just a proof of principle and is not being released to the public. – SketchyTurtle Mar 27 '14 at 02:41
  • @LorenzoR Yeah, 'rs' gets some data, but it throws an exception when it tries 'String pass = rs.getString(2);'. I have also tried 'String pass = rs.getString("password");'. – SketchyTurtle Mar 27 '14 at 02:42

1 Answer

Simply modify your SQL Query to:

"select * from profiles where email=? and password=?"

And be aware that you should validate input fields to prevent SQL injection.

And when getting a PreparedStatement or Connection object, you don't have to typecast it externally, because the call already returns the same type you are assigning it to. Even the Java docs give the statement below for PreparedStatement:

PreparedStatement pstmt = con.prepareStatement(Query);
Ysr Shk
  • This helped, but it turns out my problem was that instead of 'PreparedStatement checkUserInfo = (PreparedStatement) conn.prep....' I needed 'java.sql.PreparedStatement checkUserInfo = conn.prep...'. – SketchyTurtle Mar 27 '14 at 02:53
  • Prepared statements with placeholders should not have SQL injection problems. Validation at that point is a secondary concern. – tadman Mar 27 '14 at 03:02
  • @SketchyTurtle You just have to import it once, and then you can access it directly. Manually specifying the package is only required when there is an ambiguity, like List in java.util and List in java.awt. – Ysr Shk Mar 27 '14 at 14:28
  • Yeah, I do not know what was up with it. I had thought I had imported it, but I guess not :p – SketchyTurtle Mar 27 '14 at 16:58
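The following is an added example, not code from the question or from the answer above, showing the login check the question asks for together with the two points raised in the thread: the email is bound as a placeholder (so, as tadman notes, no input validation is needed to stop SQL injection), and the stored value is a salted PBKDF2 hash rather than the plain-text password. It deliberately departs from the answer's `WHERE email=? AND password=?` because a hashed password cannot be matched inside the SQL: the row is fetched by email and the hash is verified in application code with a constant-time comparison. Assumptions made for the sake of a runnable demo: the SQLite JDBC driver (org.xerial sqlite-jdbc) on the classpath with an in-memory database, a `profiles(email, password)` table as in the question, and a work factor of 100,000 iterations; all of these are the example's choices, not anything stated on the page.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example (not the question's or the answer's code): a login check that
 * keeps the PreparedStatement placeholder but verifies a PBKDF2 hash instead
 * of comparing a stored plain-text password.
 */
public class LoginCheck {
    private static final int ITERATIONS = 100_000;  // assumed work factor for the demo
    private static final int SALT_BYTES = 16;
    private static final int HASH_BITS = 256;

    /** PBKDF2-HMAC-SHA256 of password under salt (JDK standard provider). */
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    /** Register a user: the password column holds "base64(salt)$base64(hash)", never the password. */
    static void createUser(Connection conn, String email, char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        String stored = enc.encodeToString(salt) + "$" + enc.encodeToString(pbkdf2(password, salt));
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO profiles (email, password) VALUES (?, ?)")) {
            ps.setString(1, email);
            ps.setString(2, stored);
            ps.executeUpdate();
        }
    }

    /**
     * Verify a login. The email is a bound parameter (no concatenation, so an
     * input such as ' OR '1'='1 is just an unknown email), the single selected
     * column is read by name (the question's rs.getString(2) failed because the
     * query returns only one column), and the hash comparison is constant-time.
     */
    static boolean checkLogin(Connection conn, String email, char[] password) throws Exception {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT password FROM profiles WHERE email = ?")) {
            ps.setString(1, email);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;  // unknown email: same result as a wrong password
                }
                String[] parts = rs.getString("password").split("\\$", 2);
                byte[] salt = Base64.getDecoder().decode(parts[0]);
                byte[] expected = Base64.getDecoder().decode(parts[1]);
                return MessageDigest.isEqual(expected, pbkdf2(password, salt));
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption for the demo: sqlite-jdbc on the classpath; the URL opens an in-memory database.
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (PreparedStatement ps = conn.prepareStatement(
                    "CREATE TABLE profiles (email TEXT PRIMARY KEY, password TEXT NOT NULL)")) {
                ps.executeUpdate();
            }
            // Constructed sample user for the demo.
            createUser(conn, "alice@example.com", "correct horse".toCharArray());

            System.out.println("right password: "
                    + checkLogin(conn, "alice@example.com", "correct horse".toCharArray()));
            System.out.println("wrong password: "
                    + checkLogin(conn, "alice@example.com", "wrong".toCharArray()));
            System.out.println("injection attempt as email: "
                    + checkLogin(conn, "' OR '1'='1", "anything".toCharArray()));
        }
    }
}
```

Assuming the driver jar is named sqlite-jdbc.jar, compile and run with `javac LoginCheck.java && java -cp .:sqlite-jdbc.jar LoginCheck`. Two design points worth keeping even if the storage backend changes: the password is passed around as a `char[]` so it can be cleared from memory after use, and an unknown email and a wrong password take the same code path and return the same value, so the login form does not leak which emails are registered.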