Login Verification

 
Taz Coello
Greenhorn
I've created a JSP page that prompts the user to log in with a user name and password. This is then forwarded to "processLogin.jsp" (below), which uses the authenticate method from the "Login.java" class (also below). It kind of works, kind of meaning it lets anyone and everyone log in even if their details are not stored in the database!!
Can someone read over my code and see why this is happening?
processLogin.jsp:
<%@ page import="java.util.*" %>
<jsp:useBean id="tryTo" class="login.Login" scope="request">
    <jsp:setProperty name="tryTo" property="*"/>
</jsp:useBean>
<%
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    if (tryTo.authenticate(username, password)) {
%>
    <jsp:forward page="welcome.jsp"/>
<%
    } else {
%>
    <jsp:forward page="tryAgain.jsp"/>
<%
    }
%>
=======================================================================
Login.java:
package login;
import java.sql.*;

public class Login
{
    private String username = "";
    private String password = "";

    public Login()
    {
    }

    public void setUsername(String username)
    {
        this.username = username;
    }

    public void setPassword(String password)
    {
        this.password = password;
    }

    public boolean authenticate(String username2, String password2)
    {
        // user input is concatenated straight into the SQL text
        String query = "select * from Administrator WHERE aUserName LIKE '" + username2
                + "' AND aPassword LIKE '" + password2 + "'";
        String aUserName = "";
        String aPassword = "";
        String finalUser = "";
        try
        {
            Driver drv = (Driver) Class.forName("sun.jdbc.odbc.JdbcOdbcDriver").newInstance();
            Connection conn = DriverManager.getConnection("jdbc:odbc:mcaiymu2", "", "");
            Statement stmt = conn.createStatement();
            ResultSet myResults = stmt.executeQuery(query);
            while (myResults.next())
            {
                aUserName = myResults.getString("aUserName");
                aPassword = myResults.getString("aPassword");
                if (username2.equals(aUserName) && password2.equals(aPassword))
                {
                    break;
                }
            }
            // reached whether or not any row matched
            return true;
        }
        catch (Exception e)
        {
            e.printStackTrace();
            return false;
        }
    }
}
============================================================
Also, does someone know how I can implement a session with this?
 
Mike Firkser
Ranch Hand
I think your problem is in your authenticate method:
while (myResults.next()) {
    aUserName = myResults.getString("aUserName");
    aPassword = myResults.getString("aPassword");
    if (username2.equals(aUserName) && password2.equals(aPassword)) {
        break;
    }
}
return true;
It cycles through myResults, and the first line after it exits the while is the "return true". What you can do is declare a boolean variable and initialize it to false. Then set that variable to true instead of using the break statement. Then the last line of the method should return that boolean.
Hope this helps.
 
Taz Coello
Greenhorn
Yes, I'm trying that at the moment, but because the initialised variable is placed outside the while loop and only changes in the if statement, the return is always "false" and so takes me to the try again page all the time instead.
When I tried placing it inside the while loop and then returning the boolean variable, there's an error saying return 'boolean variable' not recognised.
Is this what you meant?
 
Nicholas Cheung
Ranch Hand
The condition inside the while loop should be:

rs.next() is a void method, and it just shifts the pointer in the record list right by one, so that you get the next record.
Nick.
 
Taz Coello
Greenhorn
Sorry, I already knew that. What I meant is to return the boolean variable upon exiting the while loop, which obviously throws an error if the variable is inside the loop.
Can you show me where to put it in the code, because I'm all out of ideas?
 
Mike Firkser
Ranch Hand
First, check all of your code to make sure it is doing what you really want and you don't have any hidden errors. Next, I would change the query to use = instead of LIKE; that way you'll only get a result set if you have a match. Anyway, here is my recommended code, just to make sure we're singing off the same sheet of music.

Maybe declare your boolean at the very beginning of the method, then you won't have scope problems.
 
Taz Coello
Greenhorn
Right, I've just completed everything you have suggested and get the same error: "isGoodUser" is always false, since the update to true is within the while and if statements. Placing it anywhere within the method but outside the while loop gives the same result.
Well guys, I think I've done enough head banging for today and your suggestions are really appreciated, but I think we all deserve some rest. But if you do find the solution to this problem, do let us know.
Thanks
 
Nicholas Cheung
Ranch Hand
Why don't you print out the user ID and password, together with the result of equals(), so that you know the problem and can see whether they are equal?
One problem I can think of is that there are some useless spaces in the DB or in the user request. Have you also tried trim()?
Nick.
 
James Carman
Ranch Hand
Actually, he was dead on. In the ResultSet class, there is no hasNext() method. The next() method returns a boolean to indicate that it actually DID move the cursor forward (the cursor begins BEFORE the first record in the result set).

Originally posted by Nicholas Cheung:
The condition inside the while loop should be:

rs.next() is a void method, and it just shifts the pointer in the record list right by one, so that you get the next record.
Nick.

 
James Carman
Ranch Hand
Try this...
public boolean authenticate( String username, String password )
{
    // '=' with parameter markers: the values never become part of the SQL text
    String query = "select * from Administrator WHERE aUserName = ? and aPassword = ?";
    try
    {
        Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
        try ( Connection conn = DriverManager.getConnection("jdbc:odbc:mcaiymu2", "", "");
              PreparedStatement ps = conn.prepareStatement( query ) )
        {
            ps.setString( 1, username == null ? username : username.trim() );
            ps.setString( 2, password == null ? password : password.trim() );
            try ( ResultSet myResults = ps.executeQuery() )
            {
                // true only if at least one row matched both columns
                return myResults.next();
            }
        }
    }
    catch ( ClassNotFoundException | SQLException e )
    {
        // driver not found or query failed: treat as a failed login
        return false;
    }
}
You can do a number of things with the username and password parameters passed in here. In my example, I merely "trimmed" them. However, you could also toUpperCase() them, if your values are stored in "all caps" in your database. Why do you want to do the comparisons? Why not let your database do a little work? Also, it is generally better to use PreparedStatements when allowing users to enter information that is used to generate SQL queries against your database. It would be easy for a "hacker" to spoof your SQL by entering "username' or ('1' = '1" for their username and "password') or '1' = '1" for their password, thereby causing you to generate the SQL...
select * from Administrator WHERE aUserName = 'username' or ('1' = '1' AND aPassword = 'password') or '1' = '1';
This SQL is ALWAYS true! I wouldn't use LIKE, either. What if the user enters "%" for their username and password?! Again, ALWAYS true.

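The two payloads James describes, run against a small in-memory SQLite table. This is an added example, not code from the thread: the Administrator rows are constructed, and only the column names come from the original query. The first function builds the query the way Login.java does (string concatenation with LIKE) but returns true only when a row actually comes back, i.e. with the "return true" bug already fixed; the second uses parameter markers with =, as in the PreparedStatement version above. Python's sqlite3 stands in for JDBC so the example runs without a database server; the SQL behaviour it shows is the same either way.

```python
import sqlite3

# Constructed sample data standing in for the thread's Administrator table.
ADMIN_ROWS = [("taz", "s3cret"), ("mike", "pies")]


def _connect():
    """Fresh in-memory database with the two constructed admin rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Administrator (aUserName TEXT, aPassword TEXT)")
    conn.executemany("INSERT INTO Administrator VALUES (?, ?)", ADMIN_ROWS)
    return conn


def build_like_query(username, password):
    """The query from Login.java: user input spliced straight into the SQL text."""
    return ("select * from Administrator WHERE aUserName LIKE '" + username
            + "' AND aPassword LIKE '" + password + "'")


def authenticate_concatenated(username, password):
    """String-built LIKE query, as in the original Login.java, but returning
    True only if a row came back (the 'return true' bug fixed)."""
    conn = _connect()
    try:
        cur = conn.execute(build_like_query(username, password))
        return cur.fetchone() is not None
    finally:
        conn.close()


def authenticate_parameterized(username, password):
    """Parameter markers with '=': the driver passes the values separately, so
    quotes and wildcards in the input are compared as data, never parsed as SQL."""
    conn = _connect()
    try:
        cur = conn.execute(
            "select * from Administrator WHERE aUserName = ? AND aPassword = ?",
            (username.strip(), password.strip()))
        return cur.fetchone() is not None
    finally:
        conn.close()


if __name__ == "__main__":
    # James's quote-breaking payload and the LIKE wildcard, plus a real login
    attempts = [
        ("taz", "s3cret"),
        ("username' or ('1' = '1", "password') or '1' = '1"),
        ("%", "%"),
    ]
    for user, pw in attempts:
        print(repr(user), "concatenated:", authenticate_concatenated(user, pw),
              "parameterized:", authenticate_parameterized(user, pw))
        print("   SQL sent:", build_like_query(user, pw))
```

The concatenated version lets both payloads in even after the return-true bug is fixed, because the injected text changes which rows the query matches; the parameterized version compares the whole input as one literal value, so a stray quote or a % is just a character the user typed and matches no stored name.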

 
Taz Coello
Greenhorn
Thanks everyone, I finally managed to get it working!
Moving on to the shopping cart now; you'll be hearing from me soon!
 