
ResultSet#next() is returning false even though my query is correct


I have written the following code in a JSP file. Basically, what it does is check whether there is any data with the particular bank name, card number and password. To check this I have used a select query. The query is correct but the result set is returning false. I have even checked the query separately, and it's working fine. Is there any problem with this code? Please help. I'm using NetBeans as my IDE and a Derby database.

    String URL="jdbc:derby://localhost:1527/Bank Database";
    try{
        Connection cn=DriverManager.getConnection(URL,"Bank","Bank");
        String qry="SELECT * FROM DATABASE WHERE BANK='"+bname+"' AND CARD_NO='"+cname+"' AND PASWORD='"+pswrd+"'";
        Statement sq=cn.createStatement();
        ResultSet rs=sq.executeQuery(qry);
        if(rs.next()){
            if(rs.getString("PASWORD").equals(pswrd))
            {
                cn.close();
                out.println("<script>function redirect(){ window.location=\"scsfl.html\";} setTimeout('redirect()',3000);</script>");  //redirects to another page   
            }
        }
        else{
            cn.close();
            out.println("<script>function redirect(){ window.location=\"failed.html\";} setTimeout('redirect()',3000);</script>");
        }
    }catch(Exception e){ System.out.print(e);}

Solution

  • As mentioned in the comments, your actual code shows many problems:

    1. You are using a Statement instead of a PreparedStatement, which is more secure and can prevent some hacker moves like SQL injection. You can find more information in JDBC Statement vs PreparedStatement – SQL Injection Example.
    2. You are checking the password in your Java code while it's already done in your SQL query: if the password is correct the query will return a result, otherwise the result will be empty.
    3. Closing the connection in the if..else statement is a very bad practice. You had better use a try..catch statement and deal with it in a finally block, where you will close the result set, the prepared statement and the connection respectively.

    I tried to improve your code and this is what you should do:

        Connection con = null;
        String URL="jdbc:derby://localhost:1527/Bank Database";
        PreparedStatement ps = null;
        ResultSet rs = null;
        String qry="SELECT * FROM DATABASE WHERE BANK=? AND CARD_NO=? AND PASWORD=?";
        try {
            con = DriverManager.getConnection(URL,"Bank","Bank");
            ps = con.prepareStatement(qry);
    
            //set the parameter
            ps.setString(1, bname);
            ps.setString(2, cname);
            ps.setString(3, pswrd);
            rs = ps.executeQuery();
    
            if (rs.next()) {
                out.println("<script>function redirect(){ window.location=\"scsfl.html\";} setTimeout('redirect()',3000);</script>");  //redirects to another page 
            } else {
                out.println("<script>function redirect(){ window.location=\"failed.html\";} setTimeout('redirect()',3000);</script>");
            }
        } finally {
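            // close in reverse order of creation; each may still be null if an earlier step threw
            if (rs != null)
                rs.close();
            if (ps != null)
                ps.close();
            if (con != null)
                con.close();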
        }
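
The following is an added example, not part of the original answer: it runs the same lookup with a PreparedStatement and with string concatenation against a bank name that legitimately contains an apostrophe, showing that only the concatenated form lets input change the SQL text. The table name `ACCOUNTS`, the class and method names, the sample row and the in-memory Derby URL are assumptions; it needs the embedded Derby driver on the classpath.

```java
import java.sql.*;

public class LoginCheckDemo {
    // Parameterized lookup: values travel separately from the SQL text.
    static boolean matches(Connection con, String bank, String cardNo, String password)
            throws SQLException {
        String sql = "SELECT 1 FROM ACCOUNTS WHERE BANK=? AND CARD_NO=? AND PASWORD=?";
        // try-with-resources closes rs, then ps, even when an exception is thrown
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, bank);
            ps.setString(2, cardNo);
            ps.setString(3, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Concatenated lookup as in the question, kept only for comparison.
    static boolean matchesConcatenated(Connection con, String bank, String cardNo,
                                       String password) throws SQLException {
        String sql = "SELECT 1 FROM ACCOUNTS WHERE BANK='" + bank + "' AND CARD_NO='"
                + cardNo + "' AND PASWORD='" + password + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: in-memory Derby database, created on first connect
        try (Connection con = DriverManager.getConnection("jdbc:derby:memory:demo;create=true")) {
            try (Statement st = con.createStatement()) {
                st.executeUpdate("CREATE TABLE ACCOUNTS (BANK VARCHAR(40), "
                        + "CARD_NO VARCHAR(20), PASWORD VARCHAR(40))");
                // Constructed sample row; the apostrophe is doubled inside the SQL literal
                st.executeUpdate("INSERT INTO ACCOUNTS VALUES ('O''Neil Bank', '1234', 'secret')");
            }
            System.out.println("prepared, right password: "
                    + matches(con, "O'Neil Bank", "1234", "secret"));
            System.out.println("prepared, wrong password: "
                    + matches(con, "O'Neil Bank", "1234", "nope"));
            try {
                matchesConcatenated(con, "O'Neil Bank", "1234", "secret");
            } catch (SQLException e) {
                // The apostrophe closed the string literal early, so the rest was parsed as SQL
                System.out.println("concatenated: query rejected, SQLState " + e.getSQLState());
            }
        }
    }
}
```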