我正在创建一个基本的注册/登录用户名/密码数据库,我想知道我的方法是否正确。我对代码工作不满意,我希望它也干净又高效。
用户可以访问互联网登录页面,输入凭据,并基本登录。我有一个数据库类,它创建帐户并检查输入的凭据是否正确。
所以,数据库类:
public class Database {
private Connection connection = null;
private PreparedStatement preparedStatement = null;
private ResultSet resultSet = null;
// Method for registering a new account. Credentials are added into the database.
public void registerAccount(String username, String password, String ipAddress) {
try {
Class.forName("org.apache.derby.jdbc.EmbeddedDriver");
connection = DriverManager
.getConnection("jdbc:derby:C:\\DB;create=true;upgrade=true");
String query = "INSERT INTO Users (username, password, ip_address) VALUES" + "(?,?,?)";
preparedStatement = connection.prepareStatement(query);
preparedStatement.setString(1, username);
preparedStatement.setString(2, password);
preparedStatement.setString(3, ipAddress);
preparedStatement.executeUpdate();
} catch (Exception e) {
e.printStackTrace();
} finally {
close();
}
}
private void close() {
try {
if (resultSet != null) {
resultSet.close();
}
if (preparedStatement != null) {
preparedStatement.close();
}
if (connection != null) {
connection.close();
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
例如:当用户单击“提交”以登录时,将调用Database类中的方法:
// Checks if credetials are correct.
public boolean checkLogin(String username, String password) {
try {
Class.forName("org.apache.derby.jdbc.EmbeddedDriver");
connection = DriverManager
.getConnection("jdbc:derby:C:\\DB;create=true;upgrade=true");
String query = "SELECT username, password from Users WHERE username = ? AND password = ?";
preparedStatement = connection.prepareStatement(query);
preparedStatement.setString(1, username);
preparedStatement.setString(2, password);
resultSet = preparedStatement.executeQuery();
if (resultSet.next()) {
String user = resultSet.getString("username");
String pass = resultSet.getString("password");
if (username.equalsIgnoreCase(user)) {
if (password.equals(pass)) {
return true;
}
}
}
} catch (Exception e) {
e.printStackTrace();
} finally {
close();
}
return false;
}
我还在Database类中有一些其他方法来检查注册时是否未使用用户名,或者是否已在特定IP上注册了帐户等。这是一种好的做法还是有更好,更有效的方法实现这个目标? 谢谢!
答案 0 :(得分:0)
通过用户名查询记录以获取ecrypted密码,并将其与用户输入的ecrypted密码进行比较。
以下是参考How can I hash a password in Java?。 PBKDF2是一种很好的密码散列算法。
byte[] salt = new byte[16];
random.nextBytes(salt);
KeySpec spec = new PBEKeySpec("password".toCharArray(), salt, 65536, 128);
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
byte[] hash = f.generateSecret(spec).getEncoded();
Base64.Encoder enc = Base64.getEncoder();
System.out.printf("salt: %s%n", enc.encodeToString(salt));
System.out.printf("hash: %s%n", enc.encodeToString(hash));
Here is the PBKDF2 one in python。你很容易理解这个想法。