JavaRanch » Java Forums » Java » JSP
Login JSP page using mysql(DB)

Negru Ionut Valentin, Greenhorn (joined Mar 04, 2009; 21 posts)

So I made a JSP page to log in. The problem is that it's not working 100% (for example, I have a user 'asd' with pass 'asd' and it works, but for any other user I add it won't work; it will only redirect to the error page, so it works only for that user ... what am I doing wrong, and why does it work for that one and not for the others?).

login.jsp


welcome.jsp


error.jsp
Bear Bibeault, Author and ninkuma, Marshal (joined Jan 10, 2002; 60794 posts)

Negru Ionut Valentin wrote:what I'm doing wrong ...

First and foremost you are putting Java code in a JSP. This is a bad practice that has been discredited for almost 10 years now. You should be putting any processing code in a servlet, bean or filter, and use JSP only for building the HTML display. Dynamic elements in the display are created using JSTL and EL, and not with Java scriptlets or scriptlet expressions.


Negru Ionut Valentin, Greenhorn (joined Mar 04, 2009; 21 posts)

So I should put the code from login.jsp that deals with the connection to the DB and checks that the user and password match into a servlet?
Bear Bibeault, Author and ninkuma, Marshal (joined Jan 10, 2002; 60794 posts)

More likely a filter. You need to perform this check on every request except the login page, right?

And, the filter itself shouldn't do any DB access. A filter is part of the controller. DB access should be part of the model.

Familiarize yourself with MVC. Perhaps this article will help get you started on the right foot.
Paul Clapham, Bartender (joined Oct 14, 2005; 18541 posts)

As for your Java code which is buried inside that HTML: you redirect to the error page if you find any record which doesn't match the user ID and password entered. So only the first user in the table can sign on.

However beyond what Bear said, there are numerous problems in that code.

(1) You generate a lot of HTML, and then you decide to redirect to another page. Bad design. You should decide where you're going to go first, and only after that should you start generating HTML. If you generate too much HTML before you decide you actually want to generate something else, you're going to get an error message. Of course if you had that code in a servlet, that problem wouldn't have arisen.

(2) You are selecting the entire table when checking for a user. It would be far more effective to just look for the single record for that user. (I suggest a WHERE clause.) If it's there, and the password matches, the user is OK. Otherwise, not.

(3) You are storing the passwords in your database table in plain-text. This is a security flaw, since anybody can look in the database and find a user's password. Passwords should be hashed before they are stored in a database.
Negru Ionut Valentin, Greenhorn (joined Mar 04, 2009; 21 posts)

I changed the code for the query to ResultSet rs=st.executeQuery("SELECT uId,password FROM userprofile WHERE uID='"+user+"' AND password='"+pass+"'"); and now it seems to work fine :D ... it seems this was the problem ... thanks Paul ...
Bear Bibeault, Author and ninkuma, Marshal (joined Jan 10, 2002; 60794 posts)

I hope you don't think that just because that part is working that your problems are solved.
Negru Ionut Valentin, Greenhorn (joined Mar 04, 2009; 21 posts)

No ... but I simply wasn't understanding why it only works for the first one ... I'm still in the learning process, but I will definitely try to address everything you guys pointed out as wrong with my code :)
Paul Clapham, Bartender (joined Oct 14, 2005; 18541 posts)

Negru Ionut Valentin wrote: I changed the code for the query to ResultSet rs=st.executeQuery("SELECT uId,password FROM userprofile WHERE uID='"+user+"' AND password='"+pass+"'"); and now it seems to work fine :D ... it seems this was the problem ... thanks Paul ...


"Seems to" is the key phrase there; continuing on with the list of problems:

(4) You wrote your query in a way which is open to SQL injection attacks. It will also encounter problems if the user ID or passwords contains characters which are punctuation in SQL, like quotes. (That's the "O'Brien" problem.) You should use a PreparedStatement with bind variables so that the database driver can take care of those issues.
Negru Ionut Valentin, Greenhorn (joined Mar 04, 2009; 21 posts)

For now I don't really worry about security because it is only used by me and only for learning :) ... Also, for this SQL injection, isn't it a good idea to use a trim function? I know I did something like this in PHP and used a trim function to avoid SQL injections ...
Bear Bibeault, Author and ninkuma, Marshal (joined Jan 10, 2002; 60794 posts)

trim will be of no use whatsoever. Read Paul's post -- he tells you exactly how you should be writing your JDBC code. The way that you are currently doing it is a bad, bad practice!
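Added example, not code from the thread or from any of the posters: the posted login query rebuilt in Python against an in-memory SQLite table standing in for the MySQL userprofile table, so that Paul's points (2), (3) and (4) and Bear's remark about trim can be exercised offline. The table and column names (userprofile, uID, password) come from the thread; the two sample users, the payload string, the salted PBKDF2 storage format and all helper names are constructed for the demonstration and are assumptions. Python's sqlite3 "?" placeholders play the role of JDBC PreparedStatement bind variables.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users (not from the thread). The second one has a quote in
# the password to reproduce the "O'Brien" problem Paul describes.
SAMPLE_USERS = [("asd", "asd"), ("obrien", "pa'ss")]
ATTACK = "' OR '1'='1"   # classic tautology payload typed into the password field


def make_db():
    """In-memory SQLite stand-in for the MySQL userprofile table, plain-text passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userprofile (uID TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO userprofile VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, user, pw):
    """The query as posted in the thread, built by string concatenation (vulnerable on purpose)."""
    sql = ("SELECT uID,password FROM userprofile WHERE uID='" + user
           + "' AND password='" + pw + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a quote in the input breaks the statement, locking out a real user


def login_param(conn, user, pw):
    """Same check with bind variables: the driver never parses the input as SQL."""
    row = conn.execute(
        "SELECT uID,password FROM userprofile WHERE uID=? AND password=?",
        (user, pw),
    ).fetchone()
    return row is not None


def hash_password(pw, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random per-user salt, stored as 'iterations$salt$digest'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, pw):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def make_hashed_db():
    """Same table, but the password column holds salted hashes instead of plain text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userprofile (uID TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO userprofile VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in SAMPLE_USERS])
    return conn


def stored_password(conn, user):
    """What anyone reading the table sees for this user (None if the user is absent)."""
    row = conn.execute("SELECT password FROM userprofile WHERE uID=?", (user,)).fetchone()
    return None if row is None else row[0]


def login_hashed(conn, user, pw):
    """Fetch only this user's row by bound uID, then verify the hash in application code."""
    stored = stored_password(conn, user)
    return stored is not None and verify_password(stored, pw)


if __name__ == "__main__":
    db = make_db()
    print("concat, real user:      ", login_concat(db, "asd", "asd"))              # True
    print("concat, injected:       ", login_concat(db, "nobody", ATTACK))          # True: bypass
    print("concat, trimmed payload:", login_concat(db, "nobody", ATTACK.strip()))  # True: trim changes nothing
    print("concat, O'Brien user:   ", login_concat(db, "obrien", "pa'ss"))         # False: SQL error
    print("param, injected:        ", login_param(db, "nobody", ATTACK))           # False
    print("param, O'Brien user:    ", login_param(db, "obrien", "pa'ss"))          # True
    hdb = make_hashed_db()
    print("hashed row for asd:     ", stored_password(hdb, "asd"))
    print("hashed login:           ", login_hashed(hdb, "asd", "asd"), login_hashed(hdb, "asd", "wrong"))
```

The payload has no leading or trailing whitespace, so trim() returns it unchanged and the concatenated query still collapses to "... AND password='' OR '1'='1'", which matches every row. The JDBC equivalent of login_param is conn.prepareStatement("SELECT uID,password FROM userprofile WHERE uID=? AND password=?") followed by setString(1, user) and setString(2, pass). Once passwords are salted hashes the database can no longer compare them itself, which is why login_hashed selects by uID alone and checks the password in code.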
Paul Clapham, Bartender (joined Oct 14, 2005; 18541 posts)

Negru Ionut Valentin wrote:For now i don't really worry about security because it is only used by me and only for learning


Fair enough, but that was why I pointed out all of those problems -- to help you in learning how to do things properly. You might be surprised how many companies are running code which contain those very same problems, because they hired people who imagined they knew how to do things properly but really didn't.
Bear Bibeault, Author and ninkuma, Marshal (joined Jan 10, 2002; 60794 posts)

And, I'd argue that "it's ok to be sloppy because I'm learning" is not valid. Part of learning is learning how to do it right, not just get it to appear to be working.
Negru Ionut Valentin, Greenhorn (joined Mar 04, 2009; 21 posts)

Thank you so much, you guys... this is very educational and I will definitely try to keep in mind all of your suggestions :) ...