I have developed a java program and I need to update and insert the login details of users. I have two textfields created and two buttons name add user and edit the user. when I type the username and password in the two textfields the user added to the database successfully, the error is in the edit user, I want to update the password of the user based on username,
I'm getting SQL error when trying to update the user,
here is my SQL query for updating the password of a user based on his username,
String sql = "UPDATE Admin SET password='"+JT_pass1.getText()+"' WHERE
username = "+JT_username1.getText();
when i execute im getting this error,
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column
'sss' in 'where clause'
"sss" is what I entered to username field,
Mysql database I have admin table which consists of two columns admin and username,
I cannot figure out where am I getting wrong, please any help would be highly appreciated.
Your immediate problem is that you forgot to place single quotes around the username in your query. Hence, the database is interpreting sss as a column. But you should really be using prepared statements:
String query = "UPDATE Admin SET password=? WHERE username = ?";
PreparedStatement update = con.prepareStatement(query);
update.setString(JT_pass1.getText());
update.setString(JT_username1.getText());
update.executeUpdate();
There are many advantages to using prepared statements. First, it will automatically take care of proper escaping of strings and other types of data. In addition, it will prevent SQL injection from happening.
To get this to work, you need to add quotes around the username like so:
String sql = "UPDATE Admin SET password='"+JT_pass1.getText()+"' WHERE
username = '"+JT_username1.getText()+"'";
However, updating the database this way is vulnerable to SQL injection, so it would be much better to use Prepared Statements.
To consider "JT_username1.getText()" as a part of you query string, you have to enclose it under proper quotation.
Same like added "JT_pass1.getText()" between single and double quote, you have to add "JT_username1.getText()" as well.
String sql = "UPDATE Admin SET password='" + JT_pass1.getText() + "' WHERE username = '"+JT_username1.getText()+"'";
Related
Sonarqube is giving me this error:
[BLOCKER] Change this code to not construct SQL queries directly from user-controlled data
Here is my code:
String countSQL;
countSQL = (String.format("SELECT count(*) as total FROM ltid_owner.enty %s",additionalWhereClauses));
jdbcTemplateTMI.queryForObject(countSQL, Integer.class);
In the above code additionalWhereClauses could be something like this shown below which I am building on the fly when the user clicks on the grid to perform filtering on different columns:
additionalWhereClauses = where UPPER(enty_num) like '003%'
Can you please let me know how to resolve this issue?
Your code combines strings into SQL statements. If any of these strings contains user provided input, an attacker can sneak in code to trigger an SQL injection attack and possibly run arbitrary code on your computer (obligatory Bobby Tables reference).
Simple example:
String sql = "SELECT * FROM users WHERE name = '" + name + "' AND password = '" + password + "'";
If I enter ' OR 1=1 -- for the name (and "..." for the password, but that doesn't really matter anymore) the code becomes a valid SQL statement:
SELECT *
FROM users
WHERE name = '' OR 1=1 -- ' AND password = '...'
but the user name / password check is completely disabled.
To avoid this, use prepared statements. They build the SQL command in a way that SQL injection is impossible.
Maybe this never happens in your code as you don't accept user input, but Sonar doesn't know this (and human reviewers won't either). I'd always use prepared statements. Just because your code only passed column headers from a frontend, doesn't mean an attacker cannot manually call your web service endpoints and pass whatever they want, it your code runs as an HTTP endpoint.
I have a database with a "username" field and with Java I insert the values into the database. I tried to enter the username "l'ornitorinco" but the program does not work (crashes). I know that when I insert an apostrophe string with phpMyAdmin like "l'ornitorinco" it is sent in this way "l'ornitorinco". I should probably analyze the string and insert the apostrophe at the appropriate point (with a for loop from 0 to string.length), but does anyone know a more appropriate method? I had read about a method to set the strings for mysql use, but I not remember.
You could use a PreparedStatement, as its setString() method allows you to include apostrophes on the value, making it much simpler than playing the single/doble quote game.
String queryString = "insert into username values (?)";
query = con.prepareStatement(queryString);
query.setString(1, "l'ornitorinco");
query.executeUpdate();
Take a look here for more info. Hope it helps!
i have query = "select * from user_message where username = 'john777#gmail.com';" . There is a column 'is_read'( When message is sent to user , is_read is false by default , it means user has not read message yet), after first selection i have to change that column to true UPDATE user_message
SET is_read=true where username = 'john777#gmail.com'; Which means user has read message . so question is can i make one query and execute it throught batch or should i make two different queries ? Which way is better ?
You are write one method with two parameters username and is_read. You can call this method any-time when you needed.
I think your update statement is incorrect since it doesn't pass a message id
I'm guessing it's something like:
UPDATE user_message
SET is_read=true
where username = 'john777#gmail.com'
and user_message_id = 123
If you'd like to set multiple messages to read you could do this via:
UPDATE user_message
SET is_read=true
where username = 'john777#gmail.com'
and user_message_id in (123, 234, 456)
This feels like a design flaw to me. Why does the user_message table have the email? What happens if the user changes their email? You should really decouple the email from the user by giving each user a unique (integer) id which you use as a foreign key.
Based on the assumption the you have a Collection of parameters say emails, I would suggest the following:
String sql = "Your statement";
PreparedStatement stmt = conection.prepare(sql);
for(String email : emails){
stmt.setString(1, email);
stmt.executeUpdate();
stmt.clearParameters();
}
This I think will help you.
I want to show a attack of sql injection in which when user fill a user login form and submit to java servlet. in login and password filed how we are type a query which is update any other record. I know all column and table names.
for example I am write this query in servlet :
select userid,username from accountinfo where userid='testid' and pass='1234';
update accountinfo set emailid='aar#r.com' where userid='testid2';
but its give Sql Exception how to solve this issue.
Try a single query first:
select userid, username
from accountinfo
where userid='-' and pass='-'
union
select userid, pass
from accountinfo
where userid like 'adm%'
If that gives no exception, present first the query of system tables, and then the above query. Pick an injection of an SQL update for the update accountinfo.
I have a problem with altering a users password when the password contains a question mark char. I do not encounter this problem with any other char so far, it seems specific to the question mark char.
If i alter a users password in sqlplus using the following sql:
Alter user Stephen identifed by "NewPassword?" REPLACE "OldPassword";
Then it changes the pass successfully and I can login using the new pass 'NewPassword?'.
However if I execute the same SQL via jdbc:
final String query = "ALTER user Stephen identified by \"NewPassword?\" REPLACE \"OldPassword\"";
stmt.executeUpdate(query);
I then cannot log in using the pass 'NewPassword?'.
Checking the hashcodes for the password when entered via sqlplus and jdbc show that they are different.
Somehow when I run the statement in jdbc it is entering something other than 'NewPassword?'.
I don't seem to have any problems with the following passwords:
NewPassword, NewPassword\, NewPassword'. It just seems to be the question mark that is causing problems.
Debugging shows the code point (dec) is 63 for the question mark so it doesn't look like its being changed midway.
Does anyone have any idea what could be causing this behaviour?
I'm at a loss at the moment, I'm considering preventing passes with question marks to bypass this problem for now.
To use JDBC to change the password of an Oracle user you need to do two things:
put the password directly in the SQL string (bind parameters cannot be used),
disable escape processing.
You can't use bind variables because the username and password are not sent to the database as single-quoted strings.
The ? in the SQL string is being taken as a bind variable placeholder, and because of this the SQL string is getting mangled at some point by Oracle JDBC. Disabling escape processing on the statement stops this from happening. Try:
Statement s = conn.createStatement();
s.setEscapeProcessing(false);
s.executeUpdate("ALTER user Stephen identified by \"newPassword?\" replace \"oldPassword\"");
If you are setting the password programmatically, your code should also ensure that the new and old passwords do not contain any " characters, to avoid SQL injection.
Try implementing it using a PreparedStatement and see if you get the same problem. Question marks are used in PreparedStatements as placeholders, so maybe the JDBC driver is getting confused. It shouldn't, but might be worth checking.
PreparedStatement p = conn.prepareStatement("ALTER user Stephen identified by ? replace ?");
p.setString(1, "NewPassword?");
p.setString(2, "OldPassword");
p.execute();
If this works then it's probably a bug in the driver.