nashwa_ahmed wrote:
the validation class return false forever
That's hardly surprising - based on the code you've posted, you declare a variable called st, initialize it to false, execute a query, and then return the value of st. You never update the value of the variable, so the method always returns false.

I suspect you're missing a line from your checkUser method:

    ResultSet rs = ps.executeQuery();
    st = rs.next();
However, as I mentioned in the comments, storing passwords in plain text is a very bad idea. You should be storing a salted hash of the password, using a unique salt per record. To validate the password, you would then need something like this:

    PreparedStatement ps = con.prepareStatement("select salt, hashedPassword from register where userName = ?");
    ps.setString(1, name);
    ResultSet rs = ps.executeQuery();
    if (rs.next())
    {
        // JDBC column indices are 1-based: column 1 is salt, column 2 is hashedPassword
        byte[] salt = rs.getBytes(1);
        byte[] hashedPassword = rs.getBytes(2);
        byte[] enteredPassword = HashPassword(pass, salt);
        st = java.util.Arrays.equals(hashedPassword, enteredPassword);
    }

where HashPassword is the same function you use to hash the password when the user registers.
Secure Salted Password Hashing - How to do it Properly
You should also consider using a constant-time equality test for the byte arrays, to avoid timing attacks:

A Lesson In Timing Attacks (or, Don't use MessageDigest.isEquals) | codahale.com