AES_DECRYPT username/password validation

RiskyShenanigan · #1 (**permalink**) 03-24-11, 17:34

Im my system when a user logins in the database decrypts the password and validates. However when I try to run the code, it doesn't seem to validate it.

I think it has to do with the query, I am using Java.

Code:

 String url = "jdbc:mysql://localhost:3306/";
      String dbName = "myDatabase";
      String driver = "com.mysql.jdbc.Driver";
      String userName = "root";
      String password = "candy";
        String userNameE = jTextField1.getText();
        String passwordE = new String(jPasswordField1.getPassword());
        String passwordCheck = null;
        String userNameCheck = null;
        boolean loginFail = false;
        Connection con;

      try {
            con = DriverManager.getConnection(url+dbName,userName,password);
            System.out.println("Connected to the database");
            Statement st = con.createStatement();
            ResultSet rt = st.executeQuery("SELECT * FROM accounts WHERE username ='"+userNameE+"' AND AES_DECRYPT(password='"+passwordE+"','enigma');");
                  while(rt.next()){
           passwordCheck = rt.getString("password");
           userNameCheck = rt.getString("username");
               if (passwordCheck.equals(passwordE) && userNameCheck.equals(userNameE)) {
                   this.dispose();
                   new Menu().setVisible(true);
                   loginFail = false;
                   con.close();
                   
               System.out.println("Disconnected from database");
                      }
            }
        } catch (SQLException e) {System.err.println("ERROR: " + e.getMessage()); }
        if (loginFail == true){
        new login.confirmations.LoginError().setVisible(true);
        this.dispose();
        }

it-iss.com · #2 (**permalink**) 03-24-11, 19:37

Your query is as follows:

Code:

SELECT * FROM accounts WHERE username ='"+userNameE+"' AND AES_DECRYPT(password='"+passwordE+"','enigma');

However, should this not read

Code:

SELECT * FROM accounts WHERE username ='"+userNameE+"' AND password = AES_DECRYPT('"+passwordE+"','enigma');

RiskyShenanigan · #3 (**permalink**) 03-25-11, 06:13

I think there is a problem, the passwordE, this gets the text from the password field I have written in, but the query decrypts the plain text if I am not wrong? Shouldn't it get the password of the actual user, decrypt that and compare it ?

"SELECT * FROM accounts WHERE username ='"+userNameE+"' AND password = AES_DECRYPT('"+passwordE+"','enigma');"

it-iss.com · #4 (**permalink**) 03-25-11, 07:06

Actually you are correct here. You should be encrypting the password string and not decrypting or AES_DECRYPT the password in the database and then compare. Both will work.

Code:

"SELECT * FROM accounts WHERE username ='"+userNameE+"' AND password = AES_ENCRYPT('"+passwordE+"','enigma');"

Internet Services

Web Development

Digital Marketing

Consumer Tech