  1. #1 (Join Date Mar 2011, Posts 4)

    Unanswered: AES_DECRYPT username/password validation

    In my system, when a user logs in, the database decrypts the password and validates it. However, when I try to run the code, it doesn't seem to validate it.

    I think it has to do with the query. I am using Java.

    Code:
    // Imports this fragment needs (the original post omitted them); they belong at the top of the file
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;

    // Body of the login button handler: jTextField1 and jPasswordField1 are the Swing
    // form fields and "this" is the login JFrame
    String url = "jdbc:mysql://localhost:3306/";
    String dbName = "myDatabase";
    String driver = "com.mysql.jdbc.Driver";
    String userName = "root";
    String password = "candy";
    String userNameE = jTextField1.getText();
    String passwordE = new String(jPasswordField1.getPassword());
    String passwordCheck = null;
    String userNameCheck = null;
    // Assume failure until a matching row is found (the original started at false and
    // never set it to true, so the LoginError dialog could never be shown)
    boolean loginFail = true;
    Connection con;

    try {
        Class.forName(driver); // actually load the JDBC driver named above
        con = DriverManager.getConnection(url + dbName, userName, password);
        System.out.println("Connected to the database");
        Statement st = con.createStatement();
        // The query this thread is about, built by concatenating the form values into the SQL text
        ResultSet rt = st.executeQuery("SELECT * FROM accounts WHERE username ='" + userNameE + "' AND AES_DECRYPT(password='" + passwordE + "','enigma');");
        while (rt.next()) {
            passwordCheck = rt.getString("password");
            userNameCheck = rt.getString("username");
            if (passwordCheck.equals(passwordE) && userNameCheck.equals(userNameE)) {
                this.dispose();
                new Menu().setVisible(true);
                loginFail = false;
                con.close();
                System.out.println("Disconnected from database");
            }
        }
    } catch (SQLException e) {
        System.err.println("ERROR: " + e.getMessage());
    } catch (ClassNotFoundException e) {
        System.err.println("ERROR: JDBC driver not found: " + e.getMessage());
    }
    if (loginFail) {
        new login.confirmations.LoginError().setVisible(true);
        this.dispose();
    }

  2. #2 (Join Date Sep 2009, Location San Sebastian, Spain, Posts 880)
    Your query is as follows:


    Code:
    SELECT * FROM accounts WHERE username ='"+userNameE+"' AND AES_DECRYPT(password='"+passwordE+"','enigma');
    However, should this not read


    Code:
    SELECT * FROM accounts WHERE username ='"+userNameE+"' AND password = AES_DECRYPT('"+passwordE+"','enigma');
    Ronan Cashell
    Certified Oracle DBA/Certified MySQL Expert (DBA & Cluster DBA)
    http://www.it-iss.com
    Follow me on Twitter

  3. #3 (Join Date Mar 2011, Posts 4)
    I think there is a problem with passwordE: this gets the text from the password field I have written in, but the query decrypts the plain text, if I am not wrong? Shouldn't it get the password of the actual user, decrypt that and compare it?

    "SELECT * FROM accounts WHERE username ='"+userNameE+"' AND password = AES_DECRYPT('"+passwordE+"','enigma');"

  4. #4 (Join Date Sep 2009, Location San Sebastian, Spain, Posts 880)
    Actually, you are correct here. You should be encrypting the password string and not decrypting, or AES_DECRYPT the password in the database and then compare. Both will work.

    Code:
    "SELECT * FROM accounts WHERE username ='"+userNameE+"' AND password = AES_ENCRYPT('"+passwordE+"','enigma');"
    Ronan Cashell
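The lookup Ronan ends up with in post #4, shown here as an added example that is not code from the original thread: the same check done with a PreparedStatement, so the username and password reach the server as bound parameters rather than being spliced into the SQL text as in post #1. It assumes the table was created as `accounts(username VARCHAR(64), password VARBINARY(64))` (AES_ENCRYPT returns a binary string, so the column must be binary) and populated with `INSERT ... VALUES (?, AES_ENCRYPT(?, ?))` using the thread's key 'enigma'; the class, method and account names are mine.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * Added example, not from the thread. Assumed schema (MySQL):
 *   CREATE TABLE accounts (username VARCHAR(64) PRIMARY KEY, password VARBINARY(64));
 *   INSERT INTO accounts VALUES (?, AES_ENCRYPT(?, ?));   -- bound: username, password, key
 * The key 'enigma' is the literal used in the original post.
 */
public class LoginCheck {

    // Same hard-coded key as the thread; an assumption, not a recommendation
    static final String KEY = "enigma";

    // The form of the lookup from post #4, with ? placeholders instead of concatenation
    static final String LOGIN_SQL =
        "SELECT 1 FROM accounts WHERE username = ? AND password = AES_ENCRYPT(?, ?)";

    /**
     * Returns true if a row exists whose username matches and whose stored
     * ciphertext equals AES_ENCRYPT(candidate, key). The whole comparison is
     * done in the WHERE clause, so nothing is decrypted or compared in Java.
     */
    public static boolean passwordMatches(Connection con, String username,
                                          char[] password, String key) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, username);               // bound as data, never parsed as SQL
            ps.setString(2, new String(password));
            ps.setString(3, key);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();                    // any row at all means the credentials matched
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Connection details copied from the original post
        String url = "jdbc:mysql://localhost:3306/myDatabase";
        // "alice" / "secret" are made-up defaults for running this by hand
        String user = args.length > 0 ? args[0] : "alice";
        String pass = args.length > 1 ? args[1] : "secret";

        try (Connection con = DriverManager.getConnection(url, "root", "candy")) {
            boolean ok = passwordMatches(con, user, pass.toCharArray(), KEY);
            System.out.println("login " + (ok ? "ok" : "failed"));

            // With binding, a classic injection string is just an odd username and matches no row
            boolean injected = passwordMatches(con, "' OR '1'='1", "x".toCharArray(), KEY);
            System.out.println("injection-style username matched: " + injected);
        }
    }
}
```

Deciding the match with `SELECT 1` and `rs.next()` only works because AES_ENCRYPT is deterministic under MySQL's default block_encryption_mode (aes-128-ecb): the same plaintext and key always give the same ciphertext, so equality in the WHERE clause is meaningful. Under a CBC mode with a random IV the same password would encrypt differently each call and the comparison would never succeed. Also note that AES_ENCRYPT with one application-wide key is reversible encryption, not a password hash: anyone holding the key and a copy of the table can recover every password, which a one-way hash would not allow.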
