0

i'm try to made a simple log in sistem with java and mysql, the configuration of the db is made up, but i have an error in the SQL sintax:

System.out.println("SISTEM LOGIN");
    System.out.println("INSERIRE NOMEUTENTE");
    Scanner scan= new Scanner(System.in);
    String user= scan.nextLine();
    System.out.println("INSERIRE PASSWORD");
    String pass= scan.nextLine();

    try {
        boolean log = true;
        while(log) {
        //conn db
        Connection c = DriverManager.getConnection(url,usr,pswd);
        //creaz statement
        Statement ss = c.createStatement();
        //creaz codice sql
        String sql = " SELECT * FROM users WHERE user'" + user + "' && password='" + pass+ "' ";                    
        ResultSet res = ss.executeQuery(sql);
        if(res!=null) {
            System.out.println("LOGIN");
            log = false;
        }
        else System.out.println("LOGIN FAILE");
        }
    }

what do you think i haven't see in the sql string? this is the response :

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''ciao' && password='12'' at line 1

4 Answers4

2

The following statement is wrong and should be avoided:

   String sql = " SELECT * FROM users WHERE user'" + user + "' && password='" + pass+ "' ";

String concatenation makes it vulnerable to SQL injection attacks. Use preparedstatement. Look here for an example and here as well.

Moreover you are missing an = after user and replace && with AND.

And as suggested by the error, go through the mysql manual once.

Pritam Banerjee
  • 17,953
  • 10
  • 93
  • 108
2

Your expanded SQL statement reads

SELECT * FROM users WHERE user 'ciao' && password='12'

That's wrong. To be valid SQL it needs to say

SELECT * FROM users WHERE user = 'ciao' AND password='12'

@PritamBanerjee pointed out it's vulnerable to sql injection. That's dangerous.

And, this is horrendous for another reason. You should never, ever, store unscrambled passwords in your dbms. If you're not sure why, visit https://haveibeenpwned.com.

The php manual has a good explanation of the right way to do it. http://php.net/manual/en/faq.passwords.php You should use a one-way scrambling function like bcrypt for this purpose.

Here's some decent material about doing this in Java. https://www.owasp.org/index.php/Hashing_Java

O. Jones
  • 103,626
  • 17
  • 118
  • 172
  • 1
    Lament: almost a decade after the Adobe password breach, people are **still** inventing their own password validation schemes. Why? Why? Don't universities teach that it's dangerous? The internet is crawling with cybercreeps who would steal user data and sell it. – O. Jones Apr 06 '18 at 20:41
  • 1
    The internet is also crawling with programming tutorials which are unsafe.. Besides not all programmers are from the university – Raymond Nijland Apr 06 '18 at 23:34
0

Actually there is not any issue with the && operator as mentioned in comments : https://dev.mysql.com/doc/refman/5.7/en/non-typed-operators.html

You just missing the = operator just after the WHERE user statement.

I suggest you to use "prepared statements" when injecting parameters to your sql statement for preventing sql injection (How does a PreparedStatement avoid or prevent SQL injection?).

PreparedStatement stmt = c.prepareStatement("SELECT * FROM users WHERE user=? && password=?");
stmt.setString(1, user);
stmt.setString(2, pass);
ResultSet res = stmt.executeQuery();
Emre Savcı
  • 3,034
  • 2
  • 16
  • 25
0

Your query is not correct

String sql = " SELECT * FROM users WHERE user'" + user + "' && password='" + pass+ "' ";

If you will check you have included "' && password='" + pass+ "' ";

but in forst part of statement user'" + user here missing =

Correct query should be

String sql = " SELECT * FROM users WHERE user='" + user + "' && password='" + pass+ "' ";
xrcwrn
  • 5,339
  • 17
  • 68
  • 129