Login Verification

Taz Coello
Greenhorn

Joined: Feb 26, 2004
Posts: 7
I've created a JSP page that prompts the user to log in with a user name and password. This is then forwarded to "processLogin.jsp" (below), which uses the authenticate method from the "Login.java" class (also below). It kind of works - kind of meaning it lets everyone and anyone log in even if their details are not stored in the database!!
Can someone read over my code and see why this is happening?
processLogin:
<%@ page import="java.util.*" %>
<jsp:useBean id="tryTo" class="login.Login" scope="request">
<jsp:setProperty name="tryTo" property="*"/>
</jsp:useBean>
<%
String username = request.getParameter("username");
String password = request.getParameter("password");
if (tryTo.authenticate(username, password)) {
%>
<jsp:forward page="welcome.jsp"/>
<%
} else {
%>
<jsp:forward page="tryAgain.jsp"/>
<%
}
%>
=======================================================================
Login.java : -
package login;
import java.sql.*;
public class Login
{
    private String username = "";
    private String password = "";
    public Login()
    {
    }
    public void setUsername(String username)
    {
        this.username = username;
    }
    public void setPassword(String password)
    {
        this.password = password;
    }

    public boolean authenticate(String username2,
                                String password2)
    {
        String query="select * from Administrator WHERE aUserName LIKE '"+username2+"' AND aPassword LIKE '"+password2+"'";
        String aUserName="";
        String aPassword="";
        String finalUser="";
        try
        {
            Driver drv = (Driver)
                Class.forName("sun.jdbc.odbc.JdbcOdbcDriver").newInstance();
            Connection conn = DriverManager.getConnection ("jdbc:odbc:mcaiymu2", "", "");
            Statement stmt = conn.createStatement();
            ResultSet myResults=stmt.executeQuery(query);
            while(myResults.next())
            {
                aUserName=myResults.getString("aUserName");
                aPassword=myResults.getString("aPassword");
                if (username2.equals(aUserName) &&
                    password2.equals(aPassword))
                {
                    break;
                }

            }
            return true;
        }
        catch(Exception e)
        {
            e.printStackTrace();
            return false;
        }
    }
}
============================================================
Also, does someone know how I can implement a session with this?
Mike Firkser
Ranch Hand

Joined: Oct 21, 2003
Posts: 247

I think your problem is in your authenticate method:
while(myResults.next()) {
    aUserName=myResults.getString("aUserName");
    aPassword=myResults.getString("aPassword");
    if (username2.equals(aUserName) && password2.equals(aPassword)) {
        break;
    }
}
return true;
It cycles through myResults, and the first line after it exits the while is the "return true". What you can do, is declare a boolean variable, initialize it to false. Then set that variable to true instead of using the break statement. Then the last line of the method should return that boolean.
Hope this helps.


Mike Firkser
Rutgers '84
Taz Coello
Greenhorn

Joined: Feb 26, 2004
Posts: 7
Yes, I'm trying that at the moment, but because the initialised variable is placed outside the while loop and only changes in the if statement, the return is always "false" and so takes me to the try again page all the time instead.
When I tried placing it inside the while loop and then returning the boolean variable, there's an error saying return 'boolean variable' not recognised.
Is this what you meant?
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
The condition inside the while loop should be:

rs.next() is a void method, and it just shifts the pointer to the record list right by one object, so that you get the next record.
Nick.


SCJP 1.2, OCP 9i DBA, SCWCD 1.3, SCJP 1.4 (SAI), SCJD 1.4, SCWCD 1.4 (Beta), ICED (IBM 287, IBM 484, IBM 486), SCMAD 1.0 (Beta), SCBCD 1.3, ICSD (IBM 288), ICDBA (IBM 700, IBM 701), SCDJWS, ICSD (IBM 348), OCP 10g DBA (Beta), SCJP 5.0 (Beta), SCJA 1.0 (Beta), MCP(70-270), SCBCD 5.0 (Beta), SCJP 6.0, SCEA for JEE5 (in progress)
Taz Coello
Greenhorn

Joined: Feb 26, 2004
Posts: 7
Sorry, I already knew that; what I meant is return the boolean variable upon exiting the while loop, which obviously throws an error if the variable is inside the loop.
Can you show me where to put it in the code, because I'm all out of ideas?
Mike Firkser
Ranch Hand

Joined: Oct 21, 2003
Posts: 247

First--check all of your code to make sure it is doing what you really want and you don't have any hidden errors. Next, I would change the query to be a = instead of like, that way you'll only get a resultSet if you have a match. Anyway, here is my recommended code, just to make sure we're singing off the same sheet of music.

Maybe declare your boolean in the very beginning of the method, then you won't have scope problems.
Taz Coello
Greenhorn

Joined: Feb 26, 2004
Posts: 7
Right, I've just completed everything you have suggested and get the same error: "isGoodUser" is always false, since the update to true is within the while and if statements. Placing it anywhere within the method but outside the while loop gives the same result.
Well guys, I think I've done enough head banging for today, and your suggestions are really appreciated, but I think we all deserve some rest. But if you do find the solution to this problem, do let us know.
Thanks
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982
Why don't you print out the userid and password, together with the result of equals(), so that you know the problem and see whether there is an equal?
One problem, I guess, may be that there are some useless spaces in the db or in the user request; have you also tried trim()?
Nick.
James Carman
Ranch Hand

Joined: Feb 20, 2001
Posts: 580
Actually, he was dead on. In the ResultSet class, there is no hasNext() method. The next() method returns a boolean to indicate that it actually DID move the cursor forward (the cursor begins BEFORE the first record in the result set).
Originally posted by Nicholas Cheung:
The condition inside the while loop should be:

rs.next() is a void method, and it just shifts the pointer to the record list right by one object, so that you get the next record.
Nick.


James Carman, President
Carman Consulting, Inc.
James Carman
Ranch Hand

Joined: Feb 20, 2001
Posts: 580
Try this...
public boolean authenticate( String username, String password )
{
    // Placeholders keep user input out of the SQL text; "=" avoids LIKE wildcards.
    String query="select * from Administrator WHERE aUserName = ? and aPassword = ?";
    String finalUser="";
    try
    {
        Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
        Connection conn = DriverManager.getConnection("jdbc:odbc:mcaiymu2", "", "");
        PreparedStatement ps = conn.prepareStatement( query );
        ps.setString( 1, username == null ? username : username.trim() );
        ps.setString( 2, password == null ? password : password.trim() );
        ResultSet myResults=ps.executeQuery();
        // true only if at least one row matched both values
        return myResults.next();
    }
    catch( SQLException sql )
    {
        return false;
    }
    catch( ClassNotFoundException cnf )
    {
        // Class.forName throws a checked exception; without this catch the method does not compile
        return false;
    }
}
You can do a number of things with the username and password parameters passed in here. In my example, I merely "trimmed" them. However, you could also toUpperCase() them, if your values are stored in "all caps" in your database. Why do you want to do the comparisons? Why not let your database do a little work? Also, it is generally better to use PreparedStatements when allowing users to enter information that is used to generate SQL queries against your database. It would be easy for a "hacker" to spoof your SQL by entering "username' or ('1' = '1" for their username and "password') or '1' = '1", thereby causing you to generate the SQL...
"select * from Administrator WHERE aUserName = 'username' or ('1' = '1' AND aPassword = 'password') or '1' = '1';
This SQL is ALWAYS true! I wouldn't use LIKE, either. What if the user enters "%" for their username and password?!?!?!?! Again, ALWAYS true.
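The behaviour discussed in this thread, as an added example that is not part of any post: it compares the original concatenated LIKE query, the same query with only the return value fixed, and the bound-parameter form from James Carman's reply, using the inputs quoted there. It assumes Python with an in-memory SQLite database as a stand-in for the JDBC/ODBC data source so that it runs offline; the function names and the single table row are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: one row in the thread's Administrator table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Administrator (aUserName TEXT, aPassword TEXT)")
    conn.execute("INSERT INTO Administrator VALUES ('admin', 's3cret')")
    return conn

def concat_query(username, password):
    # Same string building as the original Login.java.
    return ("select * from Administrator WHERE aUserName LIKE '" + username +
            "' AND aPassword LIKE '" + password + "'")

def authenticate_original(conn, username, password):
    # Original control flow: the result does not depend on any row matching.
    try:
        for a_user, a_pass in conn.execute(concat_query(username, password)):
            if username == a_user and password == a_pass:
                break
        return True  # reached even when the query returned no rows
    except sqlite3.Error:
        return False

def authenticate_rowcheck(conn, username, password):
    # Control flow fixed, query still concatenated: input still shapes the SQL.
    try:
        return conn.execute(concat_query(username, password)).fetchone() is not None
    except sqlite3.Error:
        return False

def authenticate_bound(conn, username, password):
    # Counterpart of the PreparedStatement reply: '=' with bound, trimmed values.
    query = "select * from Administrator WHERE aUserName = ? AND aPassword = ?"
    args = tuple(v.strip() if v is not None else v for v in (username, password))
    return conn.execute(query, args).fetchone() is not None

# Constructed valid and wrong logins, plus the two inputs quoted in the thread.
CASES = {
    "valid": ("admin", "s3cret"),
    "wrong": ("admin", "nope"),
    "wildcard": ("%", "%"),
    "quote": ("username' or ('1' = '1", "password') or '1' = '1"),
}

def run_all():
    conn = make_db()
    checks = (authenticate_original, authenticate_rowcheck, authenticate_bound)
    return {n: tuple(f(conn, u, p) for f in checks) for n, (u, p) in CASES.items()}
```

Each tuple returned by `run_all()` is (original, row check only, bound parameters); only the bound-parameter version rejects the `%` and quote inputs, so fixing the return value alone is not enough.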
Taz Coello
Greenhorn

Joined: Feb 26, 2004
Posts: 7
Thanks everyone, I finally managed to get it working!
Moving on to the shopping cart now - you'll be hearing from me soon!
 