When checking in the database, the output is repeating / looping

Question

I only clicked the button once, but the output is 2. I wonder if there is something wrong with my condition in the while loop? Or should I use a different approach?

As you can see in the picture, I entered only one data, but the output, executes the conditions in if and else;

String pass = PF.getText();
        String user = TF.getText();
        Connection con = connect.getConnection();

        Statement st;
        ResultSet rs;

        String query = "SELECT username, password FROM users";

        try{         
            st = con.createStatement();
            rs = st.executeQuery(query);

            while(rs.next()){
                if(user.equals(rs.getString(("username")))){
                    if(pass.equals(rs.getString(("password")))){
                        System.out.println("Logged In!");
                    }else{
                        System.out.println("Error");
                    }
                }else{
                    System.out.println("Not in the database!");
                }
            }
            st.close();

Here is the Sample Output

You are lacking any checks in `SELECT username, password FROM users` It should be something like `SELECT username, password FROM users WHERE username= ? AND password =?` , then bind username and password to the prepared statement. — Adder, Jun 14 '17 at 11:14
Thanks man, I have used the WHERE clause and I'm not that good in database sql, so maybe that's one of the problem I did not notice. -_- — sgxtract, Jun 14 '17 at 11:40
I hope you realize that in a real application, you should not store the password as plaintext, but that instead you should hash it with a suitable password hashing algorithm. — Mark Rotteveel, Jun 14 '17 at 13:08

Ravi · Accepted Answer · 2017-06-14T11:26:28.340

3

As per your table, you have two rows. And, you execute following query, it will return two rows.

 String query = "SELECT username, password FROM users";

You could add username and password in where clause instead.

PreparedStatement stmt = connection.prepareStatement("SELECT username, password FROM users where username =? AND password=?");
stmt.setString(1, userid);
stmt.setString(2, pass);

Better use PreparedStatement to avoid any sql injection.

edited Jun 14 '17 at 11:26

answered Jun 14 '17 at 11:14

Ravi

30,829
42
119
173

Agreed. I gave an example for OP understanding. – Ravi Jun 14 '17 at 11:18
I have corrected now. I hope this will be appropriate answer. ;) – Ravi Jun 14 '17 at 11:24
Don't argue guys, I have tried this approach, and it works for me, so thank you for your help everyone. :) I believe there are other approach for this, but this one I understand easily. – sgxtract Jun 14 '17 at 11:35

Blasanka · Answer 2 · 2017-06-14T11:38:12.207

In below line you are selecting all the rows in users table

String query = "SELECT username, password FROM users";

You need to limit it to specific one that you want using WHERE clause.

Wikipedia about WHERE clause:

WHERE clauses are not mandatory clauses of SQL DML statements, but can be used to limit the number of rows affected by a SQL DML statement or returned by a query. In brief SQL WHERE clause is used to extract only those results from a SQL statement, such as: SELECT, INSERT, UPDATE, or DELETE statement.

Like below:

String query = "SELECT username, password FROM users WHERE username = '"+yourVariable+"' password = '"+yourVariable+"'";

I did this using String concatenation. This will lead to SQL injection. So you can use PreparedStatement as @Ravi mentioned.

Oracle doc. about PreparedStatement:

A SQL statement is precompiled and stored in a PreparedStatement object. This object can then be used to efficiently execute this statement multiple times.

Also this question may help you.

When checking in the database, the output is repeating / looping

2 Answers2