I am implementing a simple login example and having some difficulty redirecting to the success page if the username and password match with those in my database.
When I press submit I get a blank page. Would appreciate any thoughts.
UserBean.java and ConnectionManager.java are also in the ExamplePackage
1. In UserLogged.jsp, in the page directive, you don't need the "language" attribute. The only possible value for this is "java", so it's redundant to include it. This was included to allow for languages other than Java to be used in JSP files, but so far only Java is supported.
2. You should avoid using scriptlets in JSP files. In UserLogged, you should use the useBean and getProperty standard actions instead:
3. In UserDao.java, you should use PreparedStatement instead of Statement to execute the database query. This helps prevent SQL Injection attacks, which your code is vulnerable to. What do you think would happen if the user's password had a single quote in it?
Michael Angstadt wrote: you should use the useBean and getProperty standard actions instead:
Better yet, use the EL. The getProperty action is clunky and outdated for emitted dynamic values.
But absolutely: scriptlets have been discredited for over 8 years now. There is no excuse or reason for placing them into newly written JSP pages.
Thanks for the comments. This is my first attempt at a web application so it is all new to me but trying to learn as much as possible. I have a few further questions if you wouldn't mind.
I have my page layout sorted with header and footer jspfs for each and am able to log a user if I insert them into my database so I want to implement a create user function next.
1) From some research, one of the ways to implement this would be to create a controller servlet which handles requests from the client. Would I have two methods in this servlet, doGet(...) and doPost(...), which handle incoming requests according to the userPath (i.e. request.getServletPath();) and then call methods based on what the request is and then redirect the user to the correct page? Is this an acceptable way to do it? Any other comments on this would also be welcome, bearing in mind I would like to avoid frameworks for the moment.
2) With the create user method itself what would be the best way of implementing it...(may be a question for another part of the forum)
that would be in my UserDao... If someone could clarify the process from the client request to create a user it would help me out, as I'm getting a little confused as to how the information is passed end to end, mainly the Beans part.
Please bear with me I have been learning Java for less than a year and did no programming prior to that. Having said that this forum is one of the best resources I have come across.
James Haville wrote: 2) With the create user method itself what would be the best way of implementing it
You have a good start. For the SQL that you pass into prepareStatement(), use question marks to denote where a parameter should go. If a parameter is a string, you don't need to put single quotes around the question mark, JDBC handles this for you. For example:
James Haville wrote: if someone could clarify the process from the client request to create a user it would help me out as im getting a little confused as to how the information is passed end to end mainly the Beans part.
You would just create a HTML form with the proper fields (first name, etc), then pull those parameters out in your servlet and pass them in your UserDao.
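The PreparedStatement advice from the two replies above, as an added illustration rather than code posted in this thread: the SQL text is fixed, each ? is bound with a setter, and no quotes are written around the placeholders. The class and method names, the UserBean getters, ConnectionManager.getConnection() and the users table layout are assumptions, since the thread does not show that code.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class UserDao {

    // Assumed helper in ExamplePackage; the thread does not show its real signature,
    // so swap in whatever your ConnectionManager actually provides.
    private Connection getConnection() throws SQLException {
        return ConnectionManager.getConnection();
    }

    // Anti-pattern from the original login code (kept as a comment for contrast):
    //   "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
    // A single quote typed into the password field closes the string literal early,
    // so the rest of the input is parsed as SQL. That is the injection risk raised above.

    // Safe version: the driver sends the SQL text and the values separately, so a quote
    // in the password stays plain data and the query structure cannot change.
    public boolean login(String username, String password) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (Connection conn = getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);   // parameters are 1-based, in order of the ?s
            ps.setString(2, password);   // no '?' quoting needed; JDBC handles it
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();        // a matching row means the credentials are valid
            }
        }
    }

    // Create-user step from the follow-up question: form fields arrive in the servlet,
    // get copied into a UserBean (getter names assumed) and are bound here.
    public int createUser(UserBean user) throws SQLException {
        String sql = "INSERT INTO users (first_name, username, password) VALUES (?, ?, ?)";
        try (Connection conn = getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user.getFirstName());
            ps.setString(2, user.getUsername());
            ps.setString(3, user.getPassword());
            return ps.executeUpdate();   // number of rows inserted, 1 on success
        }
    }
}
```

The servlet's doPost would read the form parameters with request.getParameter(...), populate the UserBean, call createUser, and then forward or redirect to the result page.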