Home/ Questions/Q 7712751
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-01T01:42:37+00:00

Hi I’m trying to write a piece of code for a simple verification method

  • 0

Hi I’m trying to write a piece of code for a simple verification method as part of a MVC.

At present the SQL is not written as a prepared statement so obviously it is at risk to a SQL injection so any help in regards to writing the SQL as a prepared statement would be really helpful.

The method which is in the User model.

public boolean getInfo() {

    try {
        DBAccess dbAccess = new DBAccess();

        String sql = "SELECT username, password FROM owner WHERE username = '" + this.username
                + "'AND password = '" + this.password + "';";

        dbAccess.close();dbAccess.executeQuery(sql);
        dbAccess.close();


        return true;
    } catch (Exception e) {
        return false;
    }
}

I want to get the size of the result set which is generated by the SQL query and if the size of it is 1 return true else it’s false.

If you need more info on the rest of the MVC just post and I’ll get it up here.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Just return the result of ResultSet#next(), assuming that there’s an UNIQUE constraint on the username. It returns false if there is no next record.

    Here’s a concrete kickoff example, slightly rewritten to fix potential SQL injection attack hole, resource leaking and threadsafety problems as shown so far in your code. Also, the altered SQL query should force you to MD5-hash the passwords before saving in DB (you don’t want to store passwords plaintext in DB).

    public boolean exist(String username, String password) throws SQLException {
    Connection connection = null;
    PreparedStatement statement = null;
    ResultSet resultSet = null;
    boolean exist = false;

    try {
        connection = database.getConnection();
        statement = connection.prepareStatement("SELECT id FROM owner WHERE username = ? AND password = MD5(?)");
        statement.setString(1, username);
        statement.setString(2, password);
        resultSet = statement.executeQuery();
        exist = resultSet.next();
    } finally {
        if (resultSet != null) try { resultSet.close(); } catch (SQLException ignore) {}
        if (statement != null) try { statement.close(); } catch (SQLException ignore) {}
        if (connection != null) try { connection.close(); } catch (SQLException ignore) {}
    }

    return exist;
}
    • 0