I have created a function that Password should be at least 8 characters long.
CREATE OR REPLACE FUNCTION password_function (
username VARCHAR2,
password VARCHAR2,
old_password VARCHAR2)
RETURN BOOLEAN AS
BEGIN
IF LENGTH(password) < 8 THEN
RETURN FALSE;
ELSE
RETURN TRUE;
END IF;
END password_function;
/
than I have alter user1 profile like
"alter profile user1 limit password_verify_function password_function"
then when I tried to create a user with user1 profile and 9 character password I am getting following error.
SQL> create user test identified by Passowrd1 profile user1;
create user test identified by Passowrd1
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-06503: PL/SQL: function returned without value
could you please tell me is there any problem in my function? and how to resolve it?
It seems, you have problems with code you don't show to us.
Your function password_function () has to be used somewhere (I guess in another function) and it seems, that a return is missing in that calling function.
Check if there is a return after your call of alter profile ....
Another thing:
IF LENGTH(password) < 8 THEN
RETURN FALSE;
ELSE
RETURN TRUE;
END IF;
This code will return true if the new password is null!
LENGTH(null) = null
Better would be:
NVL(LENGTH(null), 0) < 8
Related
I have an authentication Scheme which is working fine and i would like to add a password complexity to it when users are creating their password.
at the moment this is my code
FUNCTION my_user_auth
(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN
AS
Result NUMBER :=0;
Sts VARCHAR2(30);
BEGIN
SELECT 1, status INTO Result, Sts
FROM tuser
WHERE UPPER(uname)=UPPER(p_username)
AND pwd = p_password;
IF Result =1 THEN
APEX_UTIL.SET_SESSION_STATE('GLOBAL_STATUS_ITEM', Sts);
RETURN TRUE;
ELSE
RETURN FALSE;
END IF;
EXCEPTION
WHEN NO_DATA_FOUND THEN
RETURN FALSE;
END my_user_auth;
but i am lost as to where i can include
uppercase
symbol
number
can you guys assist
Firstly, hash your passwords.
Best way to store password in database
Adding password complexity has nothing to do with authentication. Instead, it would be string checks during the change password process. You could probably investigate how APEX enforces their complexity rules.
i am trying to create a package called MSGG_SESSION with a procedure authenticate that accepts two VARCHAR2 parameters for username and password. i am suppose to put an package-private NUMBER variable for the current person ID.If "authenticate" matches a username and password in MSGG_USER , put the matching PERSON_ID in the new variable. Add a function get_user_id to the package that returns the value of the variable holding the person ID.
but i get two erros saying table or view does not exits starting at the second is before not_authenticated_exception
and sql statement ignored starting at priv_number varchar2(100).
CREATE OR REPLACE PACKAGE MSGG_SESSION IS
PROCEDURE AUTHENTICATE (USERNAME_to_auth IN VARCHAR2, PASSWORD_to_use IN VARCHAR2);
FUNCTION AUTHENTICATED_USER RETURN VARCHAR2;
END MSGG_SESSION;
/
create or replace package body msgg_session is
priv_number varchar2(100);
procedure authenticate (username_to_auth in varchar2, password_to_use in varchar2)
is
not_authenticated exception;
begin
select username
into priv_number
from user_password
where lower(username) = lower(username_to_auth)
and password = password_to_use;
exception
when no_data_found then
begin
raise not_authenticated;
exception
when not_authenticated then
raise_application_error(-20000, 'Not authenticated');
end;
when others then
raise;
end authenticate;
function authenticated_user
return varchar2
is
begin
return null;
end;
function get_user_id
return varchar2
is
begin
return priv_number;
end get_user_id;
end msgg_session;
/
You don't provide table DDL or the line number of the error message so it's not clear why you would get ORA-00942: table or view does not exist. Check the spelling of the table, make sure the table and the package are in the same schema and nothing is defined in double-quotes (e.g. user_password is not the same as "user_password").
Assuming that the table looks something like this:
create table user_password
( user_id integer constraint user_password_pk primary key
, username varchar2(30) not null constraint user_password_username_uk unique
, password varchar2(30) not null );
with sample test data:
insert into user_password (user_id, username, password)
values (1, 'ndubizuacn', 'Kittens');
A fixed version of your package would look like this:
create or replace package msgg_session as
procedure authenticate
( username_to_auth in user_password.username%type
, password_to_use in user_password.password%type );
function get_user_id
return user_password.user_id%type;
end msgg_session;
/
create or replace package body msgg_session as
priv_number user_password.user_id%type;
procedure authenticate
( username_to_auth in user_password.username%type
, password_to_use in user_password.password%type )
is
begin
select user_id into priv_number
from user_password
where lower(username) = lower(username_to_auth)
and password = password_to_use;
exception
when no_data_found then
raise_application_error(-20000, 'Not authenticated');
end authenticate;
function authenticated_user
return varchar2
is
begin
return null;
end authenticated_user;
function get_user_id
return user_password.user_id%type
is
begin
return priv_number;
end get_user_id;
end msgg_session;
/
Test:
begin
msgg_session.authenticate('ndubizuacn', 'Kittens');
dbms_output.put_line(msgg_session.get_user_id);
end;
/
Assuming dbms_output is enabled, this prints the value 1.
Using a global variable for something like this doesn't make a great interface, but it's a requirement of the assignment so I guess it shows how to use one. Same goes for needing to make two calls - perhaps you could expand your authenticated_user function to provide an alternative interface (pass in user and password, get back user_id all in one shot).
Storing passwords in plain text is an obvious security risk, and it is sometimes said that you should never use any online service that can send you your password if you forget it (you don't see that too often these days, but it used to be quite common). It would be more secure not to store the password at all but instead store ora_hash(upper(username)||'~'||password)), so for example for username ndubizuacn and password Kittens you would store 2160931220. Then your authentication function might be something like:
function authenticated_user
( username_to_auth in user_password.username%type
, password_to_use in user_password.password%type )
return user_password.user_id%type
is
l_user_id user_password.user_id%type;
begin
select user_id into l_user_id
from user_password
where username = username_to_auth
and password_hash = ora_hash(upper(username_to_auth)||'~'||password_to_use);
return l_user_id;
exception
when no_data_found then
raise_application_error(-20000, 'Not authenticated');
end authenticated_user;
I am using Oracle 11g in Windows environment. I am not a thorough PL/SQL Developer. My situation is like this.
I am using a package, need to validate the logging in user. Not checking table column directly to do this.
create or replace package Configuration_pkg as
TYPE user_rec IS RECORD
(email VARCHAR2(120),
password VARCHAR2(120));
TYPE user_tab IS TABLE OF user_rec INDEX BY BINARY_INTEGER;
function Validate_logged_user (p_user_tab IN user_tab) RETURN VARCHAR2;
end Configuration_pkg;
create or replace package body Configuration_pkg as
function Validate_logged_user (p_user_tab IN user_tab) RETURN VARCHAR2 IS
Ismatching number;
begin
select count(1)
into Ismatching
from CG_M_USERS
where username = user_tab.email
and password = user_tab.password;
if Ismatching = 0 then
return 'Invalid username / password';
elsif Ismatching = 1 then
return 'Login successful';
end if;
end Validate_logged_user;
end Configuration_pkg;
I am getting the following error
Error(10,20): PL/SQL: ORA-00904: "USER_TAB"."PASSWORD": invalid identifier
Error(10,29): PLS-00302: component 'PASSWORD' must be declared
I want to validate the user with the value passed with the record type, not directly checking username and password from table. Everyone's help is highly appreciated.
There are few mistakes in your code.
1) You are using a Oracle reserve keyword 'PASSWORD'.
2) You are passing a collection to the function. So you need to run a loop to get the values of the collection.
See the revised complied code.
CREATE OR REPLACE PACKAGE Configuration_pkg
AS
TYPE user_rec IS RECORD
(
email VARCHAR2 (120),
passwrd VARCHAR2 (120)
);
TYPE user_tab IS TABLE OF user_rec INDEX BY BINARY_INTEGER;
FUNCTION Validate_logged_user (p_user_tab IN user_tab)
RETURN VARCHAR2;
END Configuration_pkg;
----------------------------------------
/
CREATE OR REPLACE PACKAGE BODY Configuration_pkg
IS
FUNCTION Validate_logged_user (p_user_tab IN user_tab)
RETURN VARCHAR2
IS
Ismatching NUMBER;
msg1 varchar2(20):= 'Invalid username/passwrd';
msg2 varchar2(20):= 'Login successful';
BEGIN
for r in 1..p_user_tab.count
loop
SELECT COUNT (1)
INTO Ismatching
FROM CG_M_USERS
WHERE username = p_user_tab(r).email
AND passwrd = p_user_tab(r).passwrd;
IF Ismatching = 0
THEN
RETURN msg1;
ELSIF Ismatching = 1
THEN
RETURN msg2;
END IF;
end loop;
END Validate_logged_user;
END Configuration_pkg;
I have created a table named password
CREATE TABLE PASSWORD (USER_ID NUMBER(10) CONSTRAINT PASSWORD_USER_ID_PK PRIMARY KEY,
PASSWD VARCHAR2(20) NOT NULL);
INSERT INTO PASSWD (USER_ID,PASSWD) VALUES (1,100);
INSERT INTO PASSWD (USER_ID,PASSWD) VALUES (2,200);
And created a Login form in an Oracle form developer 10g. And I used this code into Login button.
DECLARE
CURSOR login_cursor IS
SELECT user_id,
passwd
FROM password;
user_id_var password.user_id%TYPE;
passwd_var password.passwd%TYPE;
login_flag BOOLEAN := FALSE;
BEGIN
OPEN login_cursor;
<<check_records>>
LOOP
FETCH login_cursor INTO user_id_var, passwd_var;
IF( :login_user_id = user_id_var
AND :login_passwd = passwd_var ) THEN
Message('You are in');
login_flag := TRUE;
exit check_records;
END IF;
EXIT WHEN login_cursor%NOTFOUND;
END LOOP;
CLOSE login_cursor;
IF( NOT login_flag ) THEN
Message('INVALID LOGIN');
END IF;
clear_form;
END;
But error message appeared like
bad bind variable 'login_user_id'
bad bind variable 'login_passwd'
What's the solution for this?
Form variables are referenced using :block_name.item_name. You're using :login_user_id which seems to be missing the reference to block, hence Forms is not able to reference the variable and seems to thing it's a bind variable, which it's not.
Correct the syntax referencing the variables
I need to get the output in uu in accordance with value passed through the prompt
create or replace procedure chklg( uu out logn.username%TYPE
, pass in logn.password%TYPE)
is
begin
select username into uu from logn where password=pass;
end;
I tried executing the above procedure this way:
begin
chklg(:pass);
end
By definition a procedure doesn't return anything. You're looking for a function.
create or replace function chklg ( p_pass in logn.password%TYPE
) return varchar2 is -- assuming that logn.username%TYP is a varchar2
l_uu logn.username%type;
begin
select username into l_uu from logn where password = p_pass;
return l_uu;
-- If there-s no username that matches the password return null.
exception when no_data_found then
return null;
end;
I'm slightly worried by this as it appears as though you're storing a password as plain text. This is not best practice.
You should be storing a salted and peppered hash of your password next to the username, then apply the same salting, peppering and hashing to the password and select the hash from the database.
You can execute the function either of the following two ways:
select chklg(:pass) from dual
or
declare
l_pass logn.password%type;
begin
l_pass := chklg(:pass);
end;
/
To be complete Frank Schmitt has raised a very valid point in the comments. In addition to you storing the passwords in a very dangerous manner what happens if two users have the same password?
You will get a TOO_MANY_ROWS exception raised in your SELECT INTO .... This means that too many rows are returned to the variable. It would be better if you passed the username in as well.
This could make your function look something like the following
create or replace function chklg (
p_password_hash in logn.password%type
, p_username in logn.username%type
) return number
/* Authenticate a user, return 1/0 depending on whether they have
entered the correct password.
*/
l_yes number := 0;
begin
-- Assumes that username is unique.
select 1 into l_yes
from logn
where password_hash = p_password_hash
and username = p_username;
return l_yes;
-- If there-s no username that matches the password return 0.
exception when no_data_found then
return 0;
end;
If you're looking to only use a procedure (there's no real reason to do this at all as it unnecessarily restricts you; you're not doing any DML) then you can get the output parameter but you have to give the procedure a parameter that it can populate.
In your case it would look something like this.
declare
l_uu logn.username%type;
begin
chklg(l_uu, :pass);
dbms_output.put_line(l_uu);
end;