
Password verification for a GUI Client-Sever-Database Program?

 
Greenhorn
Posts: 4
MySQL Database Java
Programming newbie here in need of some assistance. This is a bit of a rehash of my first question, so sorry for any repetition.
(This is all using localhost)
I have made a GUI client program (with Java 8 and NetBeans) that queries an MS-SQL database directly, whether the query is inserting data into the database or requesting data to fill the application's table.

I have now made a server program that is able to take a request to fill a table with data from the client, query the database on behalf of the client and then send the data back to the client, which then parses the data and fills the table.

Now I have made a login window that queries the database directly. The username and password are stored in the database, and the login window compares the information received from the database to the input in the username and password text fields. If they match, a window locked behind the login window opens. If they do not match, a warning message pops up. Now I want to make a login window that does not query the database directly but puts the request through the server program.

But so far I have not found the right way to compare the results to the input of the username and password text fields.
What I did was try to modify the code that used to fill the table to turn it into a password verification system. I feel that this is not really the right way to go, but I did not know another way.
Please note that this is all taking place on one computer, as I am testing the waters before doing anything with making different machines communicate with each other.
I left the catch side of the try/catch statements out. I just wanted the main body of the problems present. Sorry in advance.
Also sorry for any wrong naming conventions in advance.

Here is the code for the client side (an action event)




               
And here is the server side code



Syntax? Concepts? Advice?
           
 
Ranch Hand
Posts: 118
5
  • Likes 1
Well, I don't know how "fluent" you already are in the Java language, but it looks promising. May I offer some advice:

Usually when a client communicates with a server they exchange information based on a protocol, either using one of the many existing ones or one created from scratch. Although in the end it may work if you build the query in the client and let the server execute it, that's not the way this is usually done. Where do I start? Maybe like this: try to think of the client and server both as unique and separate entities not knowing how the other works, like two black boxes in a white "nothing" connected by a string. The client only knows it has to get some data from the user, send it over to the server and get some response; the client usually doesn't know that the server is using a database and hence doesn't build an SQL query itself. So one start might be to transfer the SQL over from the client to the server, and instead of sending the whole query and response only transfer the username and password and send back either a yes or a no, based on whether the data the user entered matches what's in the database or not. Although a very simple example, it shows what's called "separation of concerns", meaning that the client doesn't know anything about the actual verification but only relies on it being the server's part to return a yes or no for the user's input.

The next step could be, instead of using a query where you ask for a result from a username and a password, to just query the database for the username and check the returned password. This way you not only filter whether username + password match, but also whether a username even exists in the first place (although for security reasons that's information that should not be shared with the client). If you expand on this you get three types of results: 1) requests with arbitrary data, most likely an attack; 2) login attempts for an existing account but with a wrong password, which could also be an attack; 3) successful login.

It's a rough idea about how one could go the next step from where you are currently. As most often, it depends on the goal you want to achieve; often there are many different ways to accomplish it.
 
Hugh Van Der Vaal
Greenhorn
Posts: 4
MySQL Database Java
Thank you very much Kristina. I have now decided that I will handle the query only asking for the passwords that match the username and then comparing them to the inputted password. No more double confirmation. The problem seems to be MySQL exceptions which then lead to EOFExceptions; in other words, my client is not getting any results from the server because the server is not getting any results from the database. The database I am using has three columns
and one row. The columns are userId, username, and passwords.
Here are the two versions of the query and the respective MySQL errors that I get in the error report.

I used the old query again because when I googled for solutions to the exception I saw someone saying that the query must go like my old query, and I figured I would just ignore the username and only compare the password.

"SELECT * FROM tablename WHERE username='"+UserNameTextField.getText()+"' AND passwords = '"+PasswordField.getText()+"'";

It still did not help.

com.microsoft.sqlserver.jdbc.SQLServerException: The index 4 is out of range.

And here is the one that I hope to use.

"SELECT passwords FROM table WHERE username='"+UserNameTextField.getText()+"'";

No dice

com.microsoft.sqlserver.jdbc.SQLServerException: The index 2 is out of range.

I have run SOUTs on the relevant variables to see if they put anything out, but so far no luck.
I ran the queries on MS-SQL directly with the username and/or password and they work perfectly there, so I do not understand why I am getting these exceptions when I use them in my client-server program. I also checked that my libraries have the correct drivers.
 
Kristina Hansen
Ranch Hand
Posts: 118
5
  • Likes 1
Well, I have to ask as it doesn't add up: you said you're using MySQL, but the exception references MS-SQL, which, although still an SQL server, differs from MySQL or MariaDB in what commands/keywords it understands/supports.
And about any "error handling": it's good if you post the code and the stack trace so we can see what you try to do and what goes wrong. A wild guess in the blue is you may have an index offset issue. When you call ResultSet.getString() the index this method needs starts counting from 1 instead of 0. So, unlike an array where you call array[0] to get the first element, you call getString(1) to get the first one. When your table has 3 columns you can only get indexes from 1 to 3, but the exception says you tried to access index 4, which just doesn't exist. In the 2nd example you only request the password column, which will result in a ResultSet with only 1 column, so trying to getString(2) will fail as there's no 2nd column. There's also the method ResultSetMetaData.getColumnCount() to tell you how many columns the result got you.
 
Hugh Van Der Vaal
Greenhorn
Posts: 4
MySQL Database Java
Sorry about the coloured text and the MySQL/MS-SQL misunderstanding. I did indeed mean MS-SQL. I will try to avoid such mistakes in the future. Thank you for the advice.
 
Marshal
Posts: 24950
61
Eclipse IDE Firefox Browser MySQL Database
  • Likes 1
A couple of comments:

First, you should use a PreparedStatement rather than string concatenation to query the database. Otherwise you open the door to malicious use of SQL injection attacks on your database. Besides, it spares you all the trouble of trying to get your quotes matched up in that expression you had there. That may be the cause of the exceptions you're getting but you didn't post much detail about the actual SQL.

And second, your query should be like "Select 1 from users where userid = ? and password = ?". Then if you get a record back, you know the userid/password combination is valid. Otherwise it isn't. Returning a password from the database to your application and comparing it there is also a security hazard.
 
Marshal
Posts: 67464
257

Hugh Van Der Vaal wrote: Sorry  . . .

Apologies accepted
 
Kristina Hansen
Ranch Hand
Posts: 118
5

Paul Clapham wrote:And second, your query should be like "Select 1 from users where userid = ? and password = ?". Then if you get a record back, you know the userid/password combination is valid. Otherwise it isn't. Returning a password from the database to your application and comparing it there is also a security hazard.


Although obviously only hashes and salts should be stored instead of plain text, I can't see how it would be a security issue. The database shouldn't be the instance making the decision whether the credentials are valid (and it would be a complicated query when you try to construct one that handles the salt (it would need to query the salt, concat it with the input, hash it and then compare it), although maybe possible); that should be the logic in the server application.
 
Paul Clapham
Marshal
Posts: 24950
61
Eclipse IDE Firefox Browser MySQL Database
It's a security issue because a validated password is being transmitted over the network, basically.

But yes, you're right that the server application should be doing the hashing and salting of proposed passwords and comparing the result to what's in the database. It's just that the code posted isn't doing that; it passes the validated password back to the client.
 
Kristina Hansen
Ranch Hand
Posts: 118
5

Paul Clapham wrote:It's a security issue because a validated password is being transmitted over the network, basically.

But yes, you're right that the server application should be doing the hashing and salting of proposed passwords and comparing the result to what's in the database. It's just that the code posted isn't doing that; it passes the validated password back to the client.


Don't want to argue, but it seems there's a misunderstanding about what I tried to explain: I didn't mean the OP should send any data back to the client other than a "yes" or "no"; everything should still happen on the server. But as on big systems the database and application server are usually different systems, I can see your point about sending credentials unnecessarily back and forth (although it can be secured by establishing a TLS connection between server and database).
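Putting Paul Clapham's and Kristina Hansen's points together (a parameterised query instead of concatenation, the server making the decision, only a yes/no crossing the wire, and a salted hash stored instead of the password), here is an added example of the server-side check; it is not code from this thread or from the original poster. The users(username, salt, pwhash) table layout, the Base64 encoding of the stored values and the PBKDF2 parameters are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Runs on the server: the client sends username + password and only ever gets back true or false. */
public class LoginVerifier {
    private static final int ITERATIONS = 120_000;  // PBKDF2 work factor (assumed value)
    private static final int KEY_BITS = 256;

    private final Connection conn;
    public LoginVerifier(Connection conn) { this.conn = conn; }

    /** True only if the username exists and the password matches its stored salted hash. */
    public boolean verify(String username, char[] password) throws SQLException {
        // A '?' placeholder instead of string concatenation: the input never becomes SQL text,
        // so the quoting trouble from the thread and SQL injection both go away. Assumed layout:
        // users(username, salt, pwhash), with salt and pwhash stored Base64-encoded.
        String sql = "SELECT salt, pwhash FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);                    // JDBC parameter indexes start at 1
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;                         // unknown user: same answer as a wrong password
                }
                // Reading columns by name avoids the 1-based index mistakes discussed in the thread.
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                byte[] stored = Base64.getDecoder().decode(rs.getString("pwhash"));
                byte[] candidate = pbkdf2(password, salt); // hashing is done here, not in SQL
                return MessageDigest.isEqual(stored, candidate); // constant-time comparison
            }
        }
    }

    /** PBKDF2-HMAC-SHA256; the same function produced the stored hash at account creation, with a random salt. */
    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);           // algorithm ships with Java 8's standard providers
        }
    }
}
```

An unknown username and a wrong password both come back as false, so the client learns nothing about which accounts exist, which is the point Kristina raised about not sharing that with the client.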
 