I am trying to insert information from a Java application into a MySQL database. It only works if I remove the password part. When I put in the values, it gives me a warning (regarding `passwordField.getPassword()`): "Must explicitly convert the char[] to a String". What does this mean?

See code below

```java
JButton btnSkapaInlogg = new JButton("Skapa inlogg");
btnSkapaInlogg.addActionListener(new ActionListener() {
    public void actionPerformed(ActionEvent e) {
        try {
            // getPassword() returns char[]; this concatenation is what the warning refers to
            theQuery("insert into kund " +
                "(user_name, password, first_name, last_name, mobil, email, adress, ort) " +
                "values('"+textField.getText()+"','"+passwordField.getPassword()+"'," +
                "'"+textField_3.getText()+"','"+textField_4.getText()+"','"+textField_5.getText()+"'," +
                "'"+textField_6.getText()+"','"+textField_7.getText()+"','"+textField_8.getText()+"'," +
                "'"+textField_9.getText()+"')");
        }
        catch(Exception ex){} // any exception is silently discarded here
    }
});
```
PM 77-1
  • The error message tells you what's wrong. Post a [mcve] to get help sooner – Reimeus Aug 18 '16 at 18:20
  • **WARNING**: This is full of [SQL injection bugs](http://bobby-tables.com/). You **must** [properly escape all values](http://bobby-tables.com/java.html). If possible, use prepared statements with placeholder values. – tadman Aug 18 '16 at 19:20

3 Answers

1

> Must explicitly convert the char[] to a String
>
> What does this mean?

It means that `passwordField.getPassword()` returns an array of `char` while a `String` is expected.

The easiest way to convert an array of `char` to a `String` is `new String(char[])`, but that is not how you are supposed to store a password in your database anyway: you are supposed to hash it first (ideally with a salt), otherwise it will be a clear String in your database, which is a security hole.

For more info about how to hash a password, you can refer to this question.

The second mistake is that your query is not correct: you provide 9 values while you define only 8 fields, so you need to add the missing field to fix your query first.

Community
Nicolas Filotto
  • Nicolas is correct. In a production environment, the password itself should be encrypted and then stored in the database. That way, if anyone should get hold of the database records, they won't be able to discern the meaning of the passwords. Also, as the encrypted form of the password is transmitted over the internet, it will not be readable. – Alan Aug 18 '16 at 18:37
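An added example (not code from the question or from any answer on this page) that combines the two fixes the thread asks for: a salted password hash computed directly from the `char[]`, and an insert with bound placeholders. PBKDF2-HMAC-SHA256, the iteration count, the class and method names, and passing the six remaining columns in table order are assumptions made for this example.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class KundRegistration {          // hypothetical class name
    private static final int ITERATIONS = 210_000; // assumed work factor; tune for your hardware
    private static final int SALT_BYTES = 16, HASH_BITS = 256;

    /** Returns "iterations:salt:hash" (Base64 parts) and wipes the caller's password array. */
    static String hashPassword(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);     // fresh random salt per user
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BITS);
        try {
            byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            Base64.Encoder b64 = Base64.getEncoder();
            return ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(hash);
        } finally {
            spec.clearPassword();               // PBEKeySpec keeps its own copy of the password
            Arrays.fill(password, '\0');        // the reason getPassword() returns char[], not String
        }
    }

    /** Inserts one row; every value is bound as a parameter, never concatenated into the SQL. */
    static void insertKund(Connection con, String userName, char[] password, String... profile)
            throws SQLException, GeneralSecurityException {
        // profile = first_name, last_name, mobil, email, adress, ort (assumed order)
        if (profile.length != 6) throw new IllegalArgumentException("expected 6 profile values");
        String sql = "insert into kund (user_name, password, first_name, last_name, "
                   + "mobil, email, adress, ort) values (?, ?, ?, ?, ?, ?, ?, ?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, hashPassword(password));   // only the salted hash is stored
            for (int i = 0; i < profile.length; i++) ps.setString(3 + i, profile[i]);
            ps.executeUpdate();
        }
    }
}
```

Call `insertKund` from `actionPerformed` with an open `java.sql.Connection` and `passwordField.getPassword()`; the stored value is 76 characters long with these settings, so the `password` column must be at least that wide.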
-1

You have 8 columns but your data is 9 columns

```java
(user_name, password, first_name, last_name, mobil, email, adress, ort)
```

```java
values('"+textField.getText()+"','"+passwordField.getPassword()+"','"+textField_3.getText()+"','"+textField_4.getText()+"','"+textField_5.getText()+"','"+textField_6.getText()+"','"+textField_7.getText()+"','"+textField_8.getText()+"','"+textField_9.getText()+"')")
```
CSK
  • Danger, Will Robinson. While technically correct, the answer is prone to SQL injection and doesn't mention the dangers of saving plain passwords in a database. – Aaron Digulla May 10 '17 at 08:26
-1

You are trying to use a char array as a string.

```java
passwordField.getPassword()
```

returns a char array, not a string. So before you concatenate it with a string, you have to convert it to a string.

Here is code to build a string from a char array:

```java
String pw = new String(passwordField.getPassword());
```

Use the `pw` variable in your query instead of directly calling `passwordField.getPassword()`.

Here is the updated code:

```java
JButton btnSkapaInlogg = new JButton("Skapa inlogg");
btnSkapaInlogg.addActionListener(new ActionListener() {
    public void actionPerformed(ActionEvent e) {
        // Read the field when the button is clicked, not when the listener is created
        String pw = new String(passwordField.getPassword());
        try {
            theQuery("insert into kund " +
                "(user_name, password, first_name, last_name, mobil, email, adress, ort) " +
                "values('"+textField.getText()+"','"+pw+"'," +
                "'"+textField_3.getText()+"','"+textField_4.getText()+"','"+textField_5.getText()+"'," +
                "'"+textField_6.getText()+"','"+textField_7.getText()+"','"+textField_8.getText()+"'," +
                "'"+textField_9.getText()+"')");
        }
        catch(Exception ex){}
    }
});
```

Update: You have to encrypt the passwords before storing them in the DB; it is not a good idea to store them as plain text.

nicole ino
  • Danger, Will Robinson. While technically correct, the answer is prone to SQL injection and doesn't mention the dangers of saving plain passwords in a database. – Aaron Digulla May 10 '17 at 08:26