Title: Message
I think you didn't pay attention to Chris's email earlier. Your SQL query is not correct and it throws an exception. You should have used single quotes (') instead of double quotes (").
 
david
-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]]On Behalf Of Praveen Potineni
Sent: Wednesday, November 14, 2001 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

That's exactly what I did. I got only one record and tested if the user exists. Else it goes to the login screen.
But I still get the same error. Well, I figured that I'm getting a problem comparing the 2 strings...
the string coming out of the database and the string entered by the user. Can you check the code and suggest me on this...
Thanks in advance
Praveen
 
   String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE UserLoginId = '"+username+"' AND UserPassword = '"+password+"'";
   stmt = myConn.createStatement();
   myResultSet = stmt.executeQuery(sqlStr);
   if(myResultSet.next() == false)
   {
    log("resulset is null.");
   }
   else{
    log("resultset is true");
 
    String uid = myResultSet.getString("UserLoginId");
    String upin = myResultSet.getString("UserPassword");
 
    if ((username.equalsIgnoreCase(uid)) && (password.equalsIgnoreCase(upin))){
      validUser = "true";
    }
    else{
      validUser = "false";
    }
    log("validUser is : " +validUser); 
   }
   myResultSet.close();
   stmt.close();
  }
  catch(SQLException sqle){
   //System.out.println("User Does not exist Exception: +sqle.toString()");
   //log("DBObject.validUserExists: Exception: "+sqle.toString());
  }
  return validUser;
 }
----- Original Message -----
From: Joe Cheng
Sent: Wednesday, November 14, 2001 1:45 PM
Subject: Re: Login Authentication against database...

Praveen-
 
It looks like your query is retrieving the whole set of users and then iterating in Java to see if any of them match the username/password the user entered.  Why would you do that, rather than simply:
 
SELECT * FROM users WHERE username = '<username entered by user>' AND password = '<password entered by user>';
 
and see if any rows are returned.  If there are no rows, the username and/or password was wrong.  This way you don't have to deal with so much data, making it potentially much faster and less memory intensive.
 
-jmc
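
Added example, not code from any poster in this thread: one way to write the login check discussed above with a bound parameter instead of string concatenation, an exact constant-time comparison instead of equalsIgnoreCase, and a catch block that logs the SQLException rather than discarding it. The LoginCheck class, the PwSalt and PwHash columns and the iteration count are assumptions; the table in the thread stores UserPassword directly.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginCheck {
    // Assumed schema: PwSalt and PwHash are hypothetical binary columns
    // that replace the plaintext UserPassword column used in the thread.
    private static final String SQL =
        "SELECT PwSalt, PwHash FROM SAMM.UsersLogin WHERE UserLoginId = ?";

    static byte[] hash(char[] password, byte[] salt) throws GeneralSecurityException {
        // Iteration count is an assumed work factor; tune it for your hardware.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 600_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    /** True only when the user exists and the password matches; any error fails closed. */
    static boolean validUser(Connection conn, String username, char[] password) {
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setString(1, username);  // bound as data, so quoting is not the caller's problem
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;  // unknown user
                byte[] actual = hash(password, rs.getBytes("PwSalt"));
                return MessageDigest.isEqual(rs.getBytes("PwHash"), actual);  // case-sensitive
            }
        } catch (SQLException | GeneralSecurityException e) {
            System.err.println("validUser failed: " + e);  // surface the error, do not swallow it
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];  // constructed sample; use a SecureRandom salt per user
        byte[] stored = hash("Secret1".toCharArray(), salt);
        // The same password verifies; a case-changed password does not.
        System.out.println(MessageDigest.isEqual(stored, hash("Secret1".toCharArray(), salt)));
        System.out.println(MessageDigest.isEqual(stored, hash("secret1".toCharArray(), salt)));
    }
}
```

The main method exercises only the hashing and comparison; validUser needs a JDBC Connection to a database with the assumed columns.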
