Are you storing the password unencrypted in the database?
Generally speaking, selecting * from a table is a bad idea. Similarly getting a value from the resultset based on the index is a bad idea. There is the potential here that you are getting the wrong values. I strongly recommend you change that to (changing field names as appropriate):
Now if you were to enter "user-b/password-b" - what would happen on the very first loop through your code?
Alternatively, if you had entered "user-a/password-a", what would have happened on the second loop through your code? (Why do you allow a second loop through your code?)
Which goes back to what I was saying earlier - is your code that displays the "Incorrect login or password" in the right place? Is there a better way of determining whether any of the usernames/passwords matched before showing that?
i think i put the if else code in the wrong place..because it iterates my record (i think)..
this is because when i log in..the incorrect password warning flashes 2 times when i entered user-a/password-a
can you suggest where i was to put the if else code?
I think Swastik is just misreading your SQL - assumign it check by both username and password. If you have already matched your user by username and password in SQL, what extra functionality does your check in Java provide? You only check by username; if you change your SQL to check by both credentials your Java code is redundant.