I've created this change password interface, but for some reason it doesn't seem to be updating the password in the database, which means something is wrong with my code. Could someone please take a look, thanks! The problem is not comparing strings, as I have corrected that and it is still not working, so can I please have this question reopened, thanks :)

ChangePassword.html

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Change Password</title>
</head>

<body>
    <form action="NewPassword" method="post">
    <h1>Change Password</h1>
    <b>Enter Old Password:</b>
    <br>
    <input type="password" name="oldpassword" size="20">
    <br>
    <br>
    <b>Enter New Password:</b>
    <br>
    <input type="password" name="newpassword" size="20">
    <br>
    <br>
    <b>Confirm New Password</b>
    <br>
    <input type="password" name="confirmpassword" size="20">
    <br>
    <br>
    <input type="submit" value="Update Password">
    <br>
    <br>
    </form>
</body>

</html>

NewPassword.java

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;

public class NewPassword extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();

        String oldpassword = request.getParameter("oldpassword");
        String newpassword = request.getParameter("newpassword");
        String confirmpassword = request.getParameter("confirmpassword");

        // The employee id comes from the existing session, never from the form.
        HttpSession session = request.getSession(false);
        String employeeid = "";

        if (session != null) {
            employeeid = (String) session.getAttribute("employeeid");
        }

        boolean st = false;
        try {
            Class.forName("com.mysql.jdbc.Driver").newInstance();
            Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/payroll_system", "root", "");
            PreparedStatement ps = con.prepareStatement("SELECT pwd FROM payroll_system.employee_login WHERE employeeID = ?");
            ps.setString(1, employeeid);
            ResultSet rs = ps.executeQuery();
            st = rs.next();
            if (st) {

                String currentpassword = rs.getString("pwd");
                if ((currentpassword.equals(oldpassword)) && newpassword.equals(confirmpassword)) {
                    PreparedStatement pd = con.prepareStatement("UPDATE payroll_system.employee_login SET pwd = ? where employeeID = ?");
                    pd.setString(1, newpassword);
                    pd.setString(2, employeeid);
                    // An UPDATE returns a row count, not a ResultSet; this is the call the answer below corrects.
                    ResultSet rd = pd.executeQuery();
                    st = rd.next();
                    if (st) {
                        out.println("successfully updated password");
                    }
                }

            }
            con.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
        out.close();
    }
}
  • @StefanBeike Oh, maybe that's why haha. Sorry, I've only been using select statements so far. – Programmer Jan 06 '16 at 10:03
  • @StefanBeike Could you please guide me? where to put the commit and how – Programmer Jan 06 '16 at 10:04
  • 1
    voted to reopen because of the main problem was executing the query. compare strings was just a part of the problem. – nano_nano Jan 06 '16 at 11:33
  • 1
    As an aside, you probably shouldn't be storing those passwords in plain text in the database. Use a one-way hash like SHA-256 instead. – daiscog Jan 06 '16 at 11:44
  • @daiscog How exactly would I implement this in mysql? And how do you know I'm storing it as plain text? – Programmer Jan 06 '16 at 11:58
  • @Programmer I can see it's being stored as plain text because your code compares the passwords without hashing and just inserts the passwords straight into the database. Unless you've deliberately missed out the hashing part of your code in your post for brevity, then you're storing them in plain text. For info and an example of hashing see [here](https://www.owasp.org/index.php/Hashing_Java#Complete_Java_Sample), [here](https://crackstation.net/hashing-security.htm#javasourcecode) and [here](http://stackoverflow.com/questions/2860943/how-can-i-hash-a-password-in-java) – daiscog Jan 07 '16 at 10:12

1 Answer

That's wrong:

if(passmatch == oldpassword && newpassword == confirmpassword) { 

Use equals to compare Strings:

if(passmatch.equals(oldpassword) && newpassword.equals(confirmpassword)) { 

With == you compare the object references and not the values.

Furthermore, change ResultSet rd = pd.executeQuery(); to int updated = pd.executeUpdate(); and change the if to if (updated > 0).

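A hardened version of the change-password logic, as an added example that is not code from the question or the answer: it applies the answer's executeUpdate() fix and the hashing suggested in daiscog's comment, using the JDK's built-in PBKDF2 instead of plain-text storage. The salt column, the Base64 storage format and the class name PasswordChange are assumptions, not part of the asker's schema.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class PasswordChange {
    private static final int ITERATIONS = 100_000; // PBKDF2 work factor; tune to ~100 ms per hash
    // PBKDF2-HMAC-SHA256 of the password under a per-user salt (JDK built-in, no extra library).
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }
    // Constant-time comparison so response time does not reveal how many bytes matched.
    static boolean verify(char[] password, byte[] salt, byte[] storedHash) throws Exception {
        return MessageDigest.isEqual(hash(password, salt), storedHash);
    }
    // Assumed schema: employee_login(employeeID, salt, pwd) with salt and pwd Base64-encoded.
    // True only if the old password verifies, the new one is confirmed, and exactly one row changed.
    static boolean changePassword(Connection con, String employeeId, char[] oldPw,
                                  char[] newPw, char[] confirmPw) throws Exception {
        if (!Arrays.equals(newPw, confirmPw)) return false;
        String select = "SELECT salt, pwd FROM payroll_system.employee_login WHERE employeeID = ?";
        try (PreparedStatement ps = con.prepareStatement(select)) {
            ps.setString(1, employeeId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                byte[] stored = Base64.getDecoder().decode(rs.getString("pwd"));
                if (!verify(oldPw, salt, stored)) return false;
            }
        }
        byte[] newSalt = new byte[16]; // fresh random salt on every password change
        new SecureRandom().nextBytes(newSalt);
        String update = "UPDATE payroll_system.employee_login SET salt = ?, pwd = ? WHERE employeeID = ?";
        try (PreparedStatement pd = con.prepareStatement(update)) {
            pd.setString(1, Base64.getEncoder().encodeToString(newSalt));
            pd.setString(2, Base64.getEncoder().encodeToString(hash(newPw, newSalt)));
            pd.setString(3, employeeId);
            return pd.executeUpdate() == 1; // UPDATE returns a row count; executeQuery() is only for SELECT
        }
    }
}
```

The servlet would pass its JDBC Connection and the three form fields (as char arrays) into changePassword and print a result based on the boolean rather than on a ResultSet.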