Validating a user based on result.next()
I have a user id in my database and I want to validate that user id from another program. So is it good enough to validate that user id based on my
resultSet.next() with an appropriate query
for example
publicboolean validateUser(String userLogon){
-
PreaparedStatement ps = prepareStatement("SELECT userId from myTable where UserLogon = '" + userLogon +"'");
ResultSet rs = ps.executeQuery();
return rs.next();//return true if userId is valid and false otherwise
}
This kind of a validation is robust enough, any comments?
i am expecting only one user id for a usrLogon.
# 3
I agree i have to catch all exceptions i know that, it is only a code snippet. Here I will get a valid userId if userLogon i am passing is correct, if not i won't get a user id. The question in if userLogon is invalid rs.next() will return false or not? and this typical validation got any flaws?
# 4
He didn't mean that :)
Read something more about PreparedStatements.
Here is a JDBC tutorial http://java.sun.com/docs/books/tutorial/jdbc/
PreparedStatements are covered here: http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
Also read some more about SQL injections.
# 5
1. your query are welcoming sql injection. when userlogon = "some' or or 'thing' = 'thing" then your complete query become:
select from where somecolumn = 'some' or 'thing' = 'thing'
... oops... it's will return true. i can login even i don't have valid user name.
2. when using rs.next() to determinate validity of user, your application may become cAsE iNsEnSiTiVe if your database server is not case sensitive.
# 7
But how to prevent SQL injection?
If i use
PreaparedStatement ps = prepareStatement("SELECT userId from myTable where UserLogon = ?'");
ps.setString(1, userLogon);
will avoid SQL injection? Pls let me know.
Message was edited by:
sunish_jose
