Title: Message
If you don't want it to appear as plain text in the database you will have to perform some kind of encryption on it. The method by which you do this is up to you: do a search on something like text string encryption to find some options. You should be able to locate some JARs at jars.com that'll offer some pretty sophisticated encryption systems. Alternatively, some DBs offer crypt functions: check your docs.
-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]]On Behalf Of Miao, Franco CAWS:EX
Sent: Wednesday, November 14, 2001 1:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

Actually that's what I have been doing, but on my SQL database end, the user password still shows up as the real password.
 

Franco Miao

Technology Operation Analyst
Information Systems Branch
Ministry of Community, Aboriginal & Women's Services &
Ministry of Agriculture, Food & Fisheries
ph: (250) 952-6734  pager: (250) 413-9457

-----Original Message-----
From: Syed Rehman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 14, 2001 1:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

Hello Miao:
 
Use the type "password" in your HTML code for the input text box.
 
<input type="password">
 
 
Syed
-----Original Message-----
From: Miao, Franco CAWS:EX [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 14, 2001 1:24 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

I understand the UserPassword field in the database server will show the exact characters; is it possible to display ****?
 
Franco

-----Original Message-----
From: Praveen Potineni [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 14, 2001 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

That's exactly what I did. I got only one record and test if the user exists. Else it goes to the login screen.
But I still get the same error. Well, I figured that I'm getting a problem comparing the 2 strings...
the string coming out of the database and the string entered by the user. Can you check the code and advise me on this...
Thanks in advance
Praveen
 
        String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE UserLoginId = '"+username+"' AND UserPassword = '"+password+"'";
        stmt = myConn.createStatement();
        myResultSet = stmt.executeQuery(sqlStr);
        if(myResultSet.next() == false)
        {
            log("resulset is null.");
        }
        else{
            log("resultset is true");

            String uid = myResultSet.getString("UserLoginId");
            String upin = myResultSet.getString("UserPassword");

            if ((username.equalsIgnoreCase(uid)) && (password.equalsIgnoreCase(upin))){
                validUser = "true";
            }
            else{
                validUser = "false";
            }
            log("validUser is : " +validUser);
        }
        myResultSet.close();
        stmt.close();
    }
    catch(SQLException sqle){
        //System.out.println("User Does not exist Exception: +sqle.toString()");
        //log("DBObject.validUserExists: Exception: "+sqle.toString());
    }
    return validUser;
}
----- Original Message -----
From: Joe Cheng
Sent: Wednesday, November 14, 2001 1:45 PM
Subject: Re: Login Authentication against database...

Praveen-
 
It looks like your query is retrieving the whole set of users and then iterating in Java to see if any of them match the username/password the user entered.  Why would you do that, rather than simply:
 
SELECT * FROM users WHERE username = '<username entered by user>' AND password = '<password entered by user>';
 
and see if any rows are returned.  If there are no rows, the username and/or password was wrong.  This way you don't have to deal with so much data, making it potentially much faster and less memory intensive.
 
-jmc
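
An added example, not part of any message in this thread: one way to keep the real password out of the UserPassword column and to check a login without concatenating user input into the SQL string. It stores a salted PBKDF2 hash rather than reversible encryption and looks the user up with a bound parameter. The class name, iteration count and stored-value format are assumptions; the table and column names are taken from Praveen's query.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordCheck {  // hypothetical class name
    static final int ITERATIONS = 210_000, KEY_BITS = 256;  // assumed work factor

    static byte[] pbkdf2(char[] pw, byte[] salt, int iter) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iter, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Value to store in UserPassword: "iterations:salt:hash", with a fresh random salt per user.
    static String hash(char[] pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(pbkdf2(pw, salt, ITERATIONS));
    }

    // Recompute the hash from the stored salt and compare in constant time, case-sensitively.
    static boolean verify(char[] pw, String stored) throws Exception {
        String[] p = stored.split(":");
        if (p.length != 3) return false;
        byte[] salt = Base64.getDecoder().decode(p[1]);
        byte[] expected = Base64.getDecoder().decode(p[2]);
        return MessageDigest.isEqual(expected, pbkdf2(pw, salt, Integer.parseInt(p[0])));
    }

    // Select by login id only, with a bound parameter; the password never enters the SQL text.
    static boolean login(Connection c, String user, char[] pw) throws Exception {
        String sql = "SELECT UserPassword FROM SAMM.UsersLogin WHERE UserLoginId = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() && verify(pw, rs.getString(1));
            }
        }
    }

    // Demo without a database: hash a constructed sample password, then verify two candidates.
    public static void main(String[] args) throws Exception {
        String stored = hash("s3cret-constructed".toCharArray());
        System.out.println("stored value: " + stored);
        System.out.println("same password verifies: " + verify("s3cret-constructed".toCharArray(), stored));
        System.out.println("different case verifies: " + verify("S3CRET-CONSTRUCTED".toCharArray(), stored));
    }
}
```

Anyone who can read the table sees only the iteration count, salt and hash, and `login` needs only a JDBC `Connection` to the existing database.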
