Encrypted (base64) password not storing in database hsql

Tags: , , ,



I’m trying to simply store an base64 encripted password in database from an input in Java Web App.

I’m using hsqldb for this and my password column type is varbinary(255). But when I try to store it in database I just get the error below. I even tried to change the type of the password column to BLOB or varchar, but it still gives me the same error. Please help.

The error:

com.loginjava.exception.LoginException: Not possible to update the password
    at com.loginjava.classes.PasswordHandler.UpdatePassword(PasswordHandler.java:36)
    at com.loginjava.servlets.ForgotPasswordReset.doPost(ForgotPasswordReset.java:55)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: java.sql.SQLDataException: data exception: invalid character value for cast
    at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
    at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
    at org.hsqldb.jdbc.JDBCPreparedStatement.setParameter(Unknown Source)
    at org.hsqldb.jdbc.JDBCPreparedStatement.setString(Unknown Source)
    at org.apache.tomcat.dbcp.dbcp2.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java:616)
    at org.apache.tomcat.dbcp.dbcp2.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java:616)
    at com.loginjava.classes.PasswordHandler.UpdatePassword(PasswordHandler.java:26)
    ... 25 more
Caused by: org.hsqldb.HsqlException: data exception: invalid character value for cast
    at org.hsqldb.error.Error.error(Unknown Source)
    at org.hsqldb.error.Error.error(Unknown Source)
    at org.hsqldb.Scanner.convertToBinary(Unknown Source)
    at org.hsqldb.types.BinaryType.castOrConvertToType(Unknown Source)
    at org.hsqldb.types.BinaryType.convertToDefaultType(Unknown Source)
    ... 30 more 

Here’s my Servlet:

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        String password = request.getParameter("password");
        String token = request.getParameter("token");
                if(PasswordHandler.CheckRequirements(password)) {

                    String encryptedpwd = Base64.getEncoder().encodeToString(password.getBytes());
                    try {
                        PasswordHandler.UpdatePassword(encryptedpwd, token);
                    } catch (SQLException e) {

                        e.printStackTrace();
                    }


                String message = Constants.PWD_SUCCESS;
                request.setAttribute("message", message);
                request.getRequestDispatcher("reset-password.jsp?token=" + token).forward(request, response);   

            } else {

                String message = Constants.PWD_FAIL;
                request.setAttribute("message", message);
                request.getRequestDispatcher("reset-password.jsp?token=" + token).forward(request, response);   
            }



    } 

This is the PasswordHandler.java class:

public static void UpdatePassword(String encryptedpwd, String token) throws SQLException {

            try
              {
               PreparedStatement ps = con.prepareStatement(
                  "UPDATE user SET password = ? WHERE token = ?");

                ps.setString(1,encryptedpwd);
                ps.setString(2,token);

                ps.executeUpdate();

                ps.close();


              }
            catch (Exception e) {
                 throw new LoginException("Not possible to update the password", e);
              }


            }

Answer

You have defined your password column as varbinary(255). Any character string inserted into this type of column must be in hexadecimal format, for example, cd349956e2. You can use an encoder to convert the password into a binary array, then convert the binary into hexadecimal before insert.

Or you can define the column as varchar(255) to insert the password as a base64 string.

In any case, passwords are not usually stored in database directly, but as a secure hash. For example a SHA-256 hash.



Source: stackoverflow