开发者

Using SQlite to validate Logins in Android

问答 作者:

I'm trying to create a Log in screen for an app in Android. I have stored information about users in a 'users' table in a database. I'm trying to match the username and password entered a开发者_Python百科t the log in screen with the values in the database using the cursor object but it doesnt work , causing the app to crash. Can someone please recommend or revise the approach, if possible with some code snippets. Will appreciate it big time, thanks.

Below is the code for the LoginForm class. (it uses a DBAdapter class to connect to the database)

package com.androidbook.LoginForm;

import android.app.Activity;
import android.content.Intent;
import android.database.Cursor;
import android.os.Bundle;
import android.view.View;
import android.widget.AutoCompleteTextView;
import android.widget.Button;
import android.widget.Toast;

public class LoginForm extends Activity {
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);

        final DBAdapter db = new DBAdapter(getBaseContext());
        final AutoCompleteTextView username = (AutoCompleteTextView)this.findViewById(R.id.AutoComUsernameLogin);
        final AutoCompleteTextView password = (AutoCompleteTextView)this.findViewById(R.id.AutoComPasswordLogin);

        Button Register = (Button) findViewById(R.id.ClicktoRegister);
        Register.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                Intent myIntent = new Intent(view.getContext(), RegistrationForm.class);
                startActivityForResult(myIntent, 0);    
            }
        });
     //************************** LOG IN LOGIC******************************//   
        Button Login = (Button) findViewById(R.id.LoginButton);
        Login.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                final String Username = username.getText().toString();
                final String Password=  password.getText().toString();

                db.open();

                Cursor c = db.getAllTitles();

                   while(c.moveToNext())
                   {
                       String c1=c.getString(2);
                       String c2=c.getString(3);

                       if(c1 == Username)
                        {
                            if(c2 == Password)
                            {
                            Toast.makeText(LoginForm.this,                 
                            "You are succesfully logged in.",
                            Toast.LENGTH_LONG).show();

                                Intent myIntent = new Intent(view.getContext(), Menu.class);
                                startActivityForResult(myIntent, 0); 
                            }
                            else
                            {
                                Toast.makeText(LoginForm.this, "Incorrect password",Toast.LENGTH_LONG).show();
                            }
                            Intent myIntent = new Intent(view.getContext(), LoginForm.class);
                            startActivityForResult(myIntent, 0); 
                        }

                       else
                        Toast.makeText(LoginForm.this, "Incorrect",Toast.LENGTH_LONG).show();
                   }

                db.close();


            }
        });
    }
     }

The answer by Chirag Raval above functions but is vulnerable to SQL injection. A malicious user could easily bypass the authentication mechanism with a basic SQLi payload (as long as there were at least a single entry in the database being checked against).

A parameterized query with bounded values is the more secure approach.

Fixing the code snippet:

public int Login(String username,String password)
{
    String[] selectionArgs = new String[]{username, password};
    try
    {
        int i = 0;
        Cursor c = null;
        c = db.rawQuery("select * from login_table where username=? and password=?", selectionArgs);
        c.moveToFirst();
        i = c.getCount(); 
        c.close(); 
        return i;
    }
    catch(Exception e)
    {
        e.printStackTrace();
    }
    return 0;
}

This simple improvement is more secure and easier to code.

You can make one function in database class that will return the int number . if integer number is 1 then we can say that the user name and password is match other wise we can say login failed . There is no need to write complex code.

public int Login(String username,String password)
{
    try
    {
        int i = 0;
        Cursor c = null;
        c = db.rawQuery("select * from login_table where username =" + "\""+ username.trim() + "\""+" and password="+ "\""+ password.trim() + "\""+, null);
        c.moveToFirst();
        i = c.getCount(); 
        c.close(); 
        return i;
    }
    catch(Exception e)
    {
        e.printStackTrace();
    }
    return 0;
}

When we try this code it asks to change type to boolean...

public int Login(String username,String password)
{
    try
    {
        int i = 0;
        Cursor c = null;
        c = db.rawQuery("select * from login_table where username =" + "\""+ username.trim() + "\""+" and password="+ "\""+ password.trim() + "\""+, null);
        c.moveToFirst();
        i = c.getCount(); 
        c.close(); 
        return i;
    }
    catch(Exception e)
    {
        e.printStackTrace();
    }
    return 0;
}

继续阅读:androidauthenticationcursor

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9