
Using SQLite to validate a login on Android

Updated: 2023-12-03 20:40:10


I'm trying to create a login screen for an app in Android. I have stored information about users in a 'users' table in a database. I'm trying to match the username and password entered at the login screen with the values in the database using the cursor object, but it doesn't work, causing the app to crash. Can someone please recommend or revise the approach, if possible with some code snippets? Will appreciate it big time, thanks.

Below is the code for the LoginForm class. (it uses a DBAdapter class to connect to the database)

package com.androidbook.LoginForm;

import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.os.Bundle;
import android.view.View;
import android.widget.AutoCompleteTextView;
import android.widget.Button;
import android.widget.Toast;

public class LoginForm extends Activity {
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);

        final DBAdapter db = new DBAdapter(getBaseContext());
        final AutoCompleteTextView username = (AutoCompleteTextView)this.findViewById(R.id.AutoComUsernameLogin);
        final AutoCompleteTextView password = (AutoCompleteTextView)this.findViewById(R.id.AutoComPasswordLogin);

        Button Register = (Button) findViewById(R.id.ClicktoRegister);
        Register.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                Intent myIntent = new Intent(view.getContext(), RegistrationForm.class);
                startActivityForResult(myIntent, 0);    
            }
        });
        //************************** LOG IN LOGIC ******************************//
        Button Login = (Button) findViewById(R.id.LoginButton);
        Login.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                final String Username = username.getText().toString();
                final String Password = password.getText().toString();

                db.open();

                Cursor c = db.getAllTitles();

                while (c.moveToNext())
                {
                    String c1 = c.getString(2);
                    String c2 = c.getString(3);

                    if (c1 == Username)
                    {
                        if (c2 == Password)
                        {
                            Toast.makeText(LoginForm.this,
                                "You are successfully logged in.",
                                Toast.LENGTH_LONG).show();

                            Intent myIntent = new Intent(view.getContext(), Menu.class);
                            startActivityForResult(myIntent, 0);
                        }
                        else
                        {
                            Toast.makeText(LoginForm.this, "Incorrect password", Toast.LENGTH_LONG).show();
                        }
                        Intent myIntent = new Intent(view.getContext(), LoginForm.class);
                        startActivityForResult(myIntent, 0);
                    }
                    else
                        Toast.makeText(LoginForm.this, "Incorrect", Toast.LENGTH_LONG).show();
                }

                db.close();
            }
        });
    }
}

The answer by Chirag Raval above functions but is vulnerable to SQL injection. A malicious user could easily bypass the authentication mechanism with a basic SQLi payload (as long as there is at least a single entry in the database being checked against).

A parameterized query with bounded values is the more secure approach.

Fixing the code snippet:

public int Login(String username, String password)
{
    // Bound parameters: the user input is sent to SQLite as data and never
    // becomes part of the SQL text, so quotes in the input cannot alter the query.
    String[] selectionArgs = new String[]{username, password};
    Cursor c = null;
    try
    {
        // db is the SQLiteDatabase instance this class already holds open.
        c = db.rawQuery("select * from login_table where username=? and password=?", selectionArgs);
        // getCount() does not need moveToFirst(); a non-zero count means a match.
        return c.getCount();
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }
    finally
    {
        // Close the cursor on every path, including when an exception is thrown.
        if (c != null) c.close();
    }
    return 0;
}

This simple improvement is more secure and easier to code.
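The difference between the two query styles, as an added example that is not part of the original answer: Python's sqlite3 module uses the same `?` placeholder binding that Android's rawQuery(sql, selectionArgs) does, so the concatenated and the bound form of the login check can be run side by side against a constructed in-memory login_table. The table name and the sample user row are assumptions for the demo.

```python
import sqlite3

# Constructed sample row, standing in for the app's login_table contents.
_SAMPLE_USERS = [("alice", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed user row."""
    db = sqlite3.connect(":memory:")
    db.execute("create table login_table (username text, password text)")
    db.executemany("insert into login_table values (?, ?)", _SAMPLE_USERS)
    return db


def login_concat(db: sqlite3.Connection, username: str, password: str) -> int:
    """Vulnerable form: input is spliced into the SQL text, so a quote in the
    input ends the literal and the rest is parsed as SQL. Returns the row count."""
    sql = ("select * from login_table where username='" + username
           + "' and password='" + password + "'")
    return len(db.execute(sql).fetchall())


def login_bound(db: sqlite3.Connection, username: str, password: str) -> int:
    """Hardened form, equivalent to rawQuery with selectionArgs: the SQL text is
    fixed and the values are bound separately, so they are only ever compared
    as data. Returns the row count, like the Login() method above."""
    sql = "select * from login_table where username=? and password=?"
    return len(db.execute(sql, (username, password)).fetchall())


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed basic injection string for the demo
    print("valid creds, concat:", login_concat(db, "alice", "hunter2"))  # 1
    print("valid creds, bound: ", login_bound(db, "alice", "hunter2"))   # 1
    print("payload,     concat:", login_concat(db, "nobody", payload))   # 1 (bypass)
    print("payload,     bound: ", login_bound(db, "nobody", payload))    # 0
```

Binding only closes the injection hole; the table still compares plaintext passwords, which a production app would replace with a salted password-hash comparison.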