Change user password via JDBC. Issues with passwords containing question marks

I am having a problem changing my user password when the password contains a question mark character. I have not encountered this problem with any other character so far; it seems specific to the question mark.

If I change the user password in sqlplus using the following sql:
Alter user Stephen identified by "NewPassword?" REPLACE "OldPassword";
Then it successfully changes the pass, and I can log in using the new pass "NewPassword?".

However, if I execute the same SQL via jdbc:
final String query = "ALTER user Stephen identified by \"NewPassword?\" REPLACE \"OldPassword\"";
stmt.executeUpdate(query);

Then I cannot log in using "NewPassword?".

Checking the hash codes for the password when entering through sqlplus and jdbc shows that they are different. Somehow, when I run the statement in jdbc, it enters something other than "NewPassword?".

I have no problems with the following passwords: NewPassword, NewPassword \, NewPassword '. It is just the question mark that causes problems.
Debugging shows that the code point (dec) is 63 for the question mark, so it does not look like it is changing halfway.

Does anyone know what might cause this behavior? I am at a loss now; I am considering disallowing passwords with question marks in order to get around this problem for the moment.

+4
2 answers

To use JDBC to change the Oracle user password, you need to do two things:

  • put the password directly into the SQL string (bind parameters cannot be used),
  • disable escape processing.

You cannot use bind variables because the username and password are not sent to the database as single-quoted strings.

The ? in the SQL string is taken as a placeholder for a bind variable, and because of this, the SQL string gets mangled at some point by Oracle JDBC. Disabling escape processing on the statement stops this. Try:

    Statement s = conn.createStatement();
    s.setEscapeProcessing(false);
    s.executeUpdate("ALTER user Stephen identified by \"newPassword?\" replace \"oldPassword\"");

If you set the password programmatically, your code must also ensure that the new and old passwords contain no " characters, to avoid SQL injection.

+5
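The two points of the answer above (password inlined in the SQL text, escape processing disabled) combined with the input check it calls for, as an added example that is not part of the original answers. The class and method names are hypothetical, and the user-name pattern is a conservative assumption rather than Oracle's full identifier grammar.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class OraclePasswordChange {
    // Assumption: only simple unquoted identifiers are accepted as user names.
    private static final Pattern SIMPLE_IDENT = Pattern.compile("[A-Za-z][A-Za-z0-9_$#]{0,29}");

    /** Builds the ALTER USER text; throws if a value could break out of its quoting. */
    static String buildAlterUser(String user, String newPw, String oldPw) {
        if (!SIMPLE_IDENT.matcher(user).matches()) {
            throw new IllegalArgumentException("user name is not a simple identifier");
        }
        return "ALTER USER " + user + " IDENTIFIED BY " + quote(newPw)
                + " REPLACE " + quote(oldPw);
    }

    // The password is sent as a double-quoted token, so a '"' inside it would end
    // the token early. NUL is rejected as well (assumption: treated as invalid).
    private static String quote(String pw) {
        if (pw == null || pw.isEmpty() || pw.indexOf('"') >= 0 || pw.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("password is empty or contains '\"' or NUL");
        }
        return "\"" + pw + "\"";
    }

    /** Runs the statement with escape processing off so '?' reaches the server verbatim. */
    static void changePassword(Connection conn, String user, String newPw, String oldPw)
            throws SQLException {
        String sql = buildAlterUser(user, newPw, oldPw); // contains secrets: never log it
        try (Statement s = conn.createStatement()) {
            s.setEscapeProcessing(false);
            s.executeUpdate(sql);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; this part needs no database connection.
        System.out.println(buildAlterUser("Stephen", "NewPassword?", "OldPassword"));
        try {
            buildAlterUser("Stephen", "has\"quote", "OldPassword");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the quote character outright, rather than trying to escape it, keeps the check simple and leaves no password value that can alter the statement's structure.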

Try to implement it with PreparedStatement and see if you have the same problem. Question marks are used as placeholders in PreparedStatements, so the JDBC driver may be getting confused. It shouldn't, but it may be worth checking.

    PreparedStatement p = conn.prepareStatement("ALTER user Stephen identified by ? replace ?");
    p.setString(1, "NewPassword?");
    p.setString(2, "OldPassword");
    p.execute();

If this works, then this is probably a driver error.

+2

Source: https://habr.com/ru/post/1333176/

