How to add a password to a prepared statement in java

Question

Can any one help with this issue that I'm having using prepared statements. The problem comes when trying to add the password to the statement which I am taking from a JPasswordField.

String Query = "SELECT * FROM Users WHERE Username = ? AND Password = ?";

PreparedStatement PrepedStatement = Con.prepareStatement(Query);

PrepedStatement.setString(1, Username.getText());
PrepedStatement.setString(2, Password.getPassword());
//It is no having any of this as getPassword() returns a Char[] which isn't a string

So does anyone have any ideas. Cheers.

I **hope** you aren't storing the passwords in plain text in your database. — Elliott Frisch, Sep 29 '14 at 16:39
Well I am atm but I should probably be SALTing them shouldn't I. — Hewiiitt, Sep 29 '14 at 16:41
SALTing the password on input to a one-way cryptographic hash. — Elliott Frisch, Sep 29 '14 at 16:42
You wouldn't have a link to that would you. It would be much appreciated. — Hewiiitt, Sep 29 '14 at 16:42
This SO post has a pretty good reference for what you will need: http://stackoverflow.com/questions/18142745/how-do-i-generate-a-salt-in-java-for-salted-hash — tier1, Sep 29 '14 at 16:44

score 1 · Accepted Answer · answered Sep 29 '14 at 16:41

1

This will likely work, however, I strongly consider noting Elliott Frisch's comment.

String has an overloaded constructor can take a character array as a parameter.

PrepedStatement.setString(2, new String(Password.getPassword()));

answered Sep 29 '14 at 16:41

tier1

6,303
6
44
75

2

Thanks but I am probably just going to do it Elliott Frisch's approach. – Hewiiitt Sep 29 '14 at 16:43
A very dangerous recommendation. – Hovercraft Full Of Eels Sep 29 '14 at 16:49
@HovercraftFullOfEels Why? – tier1 Sep 29 '14 at 16:50
1

Because you're telling to store a non-disguised password String in a database, something you should **never** recommend as the password now becomes easily discoverable. Please see the links in the comments to his original question. – Hovercraft Full Of Eels Sep 29 '14 at 16:51
I understand that. But that's not what I meant by answering this question this way. That's why I asked him to take a look at the comments. I apologize if that is how it came across. – tier1 Sep 29 '14 at 16:53
_Because you're telling to store a non-disguised password String in a database_ - this is other issue, question was in another... – kemenov Sep 29 '14 at 16:59

How to add a password to a prepared statement in java

1 Answers1