Hello everyone. I'm very new to this and I'm having some problems with the following code. I have a registration page that's working wonderfully, but this seems to be a bit more complicated. I have a small Oracle database where usernames and passwords are stored. I'm simply trying to log in and match a user to a password, but I'm having issues. Can anyone help me out by looking at the following code?
I've been working on it for a few hours, but I'm not even sure if I'm heading in the right direction. I'm getting syntax errors on my connection strings and my query string. I'm trying to follow the same process I used to create a registration page I made, the logic being that I would get the parameters from the form fields and then pull the username from the DB based on that form field and match it to the password. It doesn't seem to be working out. Is this heading in the right direction?
You said you are getting syntax errors; did you overcome that?
matt ara wrote: The logic that I would get the parameters from the form fields and then pull the username from the DB based on that form field and match to the password. Doesn't seem to be working out, is this heading in the right direction?
Yes, you are heading in the right direction. What have you done to debug this? Are the username/password being passed correctly to the servlet? Is the SQL query returning correctly?
You can just use an SQL query like and see whether it returns at least 1 row; if yes, then user authentication is successful. Why retrieve all the rows in the table and do a compare operation?
matt ara wrote: I modified my code to work with the JSP, and it just keeps kicking me out saying User Invalid when I know those users/pass are in the DB.
What changes did you make in the JSP? Did you put the business logic/Java code inside the JSP? If yes, you are definitely heading in the wrong direction; revert them and use a servlet, and post here any questions/doubts you have...
SCJP 5 (93%)
Joined: Mar 03, 2012
Sorry, I don't understand what you're asking. Your modified query works on the database side, but I'm not sure how you would want me to integrate it into my code to see if I can get a row?
Is it working for you, or are you facing any problems?
Joined: Mar 03, 2012
Still having issues, even with the modified SQL. The Servlet runs, but gives me "not a valid user." I'm not sure where my code is wrong, but I believe I am making a connection to my db because I've applied the similar code/logic here from my registration, and users/passes are going from my registration JSP to my database.
Prasad Krishnegowda wrote: POST is no way more secure than GET.
It absolutely is. For example, URLs (which include GET parameters) are written to log files. You wouldn't want that to include your login info. Passwords should also only ever be sent via HTTPS, not HTTP.
Victor M. Pereira
Joined: Mar 02, 2012
They are. For example, if Amazon did a GET with your password, wouldn't your son or wife see it on the explorer bar? And suddenly your son would appear with a new TV saying he won it in a BINGO.
And for the other part, that's the reason for the DD. By setting it in the DD you can start using SSL, and configure a lot of other important things that have to do with authentication, authorization, confidentiality and data integrity. BTW, the other 3 methods for the <auth-method> tag are: BASIC, DIGEST and CLIENT-CERT.
If you want to learn more about this, I recommend the chapter of security in the Head First Servlets and JSP.
I'll disagree with Tim on a minor point. POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.
The choice of method should be dictated by what the request is doing, not any supposed security concerns.
Using SSL is good, but Tim is correct in that there are other things that need to be done. Protecting against SQL injection is one of them.
Joined: Sep 21, 2011
Bear Bibeault wrote: POST is no more secure than GET. It just doesn't show params on the URL. That extra level of "security" is a blip and is really no security at all.
Maybe we operate in different environments with different security requirements. The prospect of passwords being captured in log files is an absolute no-go in my world.
Joined: Mar 03, 2012
Thanks for the help, and I'm not too concerned at all about security, just that it works for now. I have been able to get the login page to work successfully, so thanks all for the help. Not sure if I should post the code, but in the end I found that my SQL query wasn't right and also, the parameters from the JSP forms weren't passing properly to the servlet. After I solved those two problems, things are working now.
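An added example, not code from this thread: the "does at least one row match" login query suggested above, written with JDBC bind parameters so the submitted form values are always treated as data and cannot change the SQL (the injection concern raised in the replies). The table and column names are hypothetical, since the thread does not show the schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public final class LoginCheck {

    // Hypothetical table and column names (assumption; the schema is not in the thread).
    // The two '?' markers are bind parameters: the driver sends the values
    // separately from the statement text, so quotes in the input stay literal.
    private static final String LOGIN_SQL =
        "SELECT COUNT(*) FROM app_users WHERE username = ? AND password = ?";

    private LoginCheck() {
    }

    /**
     * Returns true when at least one row matches the submitted credentials.
     *
     * Intended to be called from a servlet's doPost with the values of
     * request.getParameter(...) for the two form fields. The password argument
     * is compared against whatever value the application stores in that column.
     */
    public static boolean isValidUser(Connection con, String username, String password)
            throws SQLException {
        // getParameter returns null when the form field name does not match,
        // which is one of the two problems reported at the end of the thread.
        if (username == null || password == null) {
            return false;
        }
        try (PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                // COUNT(*) always yields exactly one row; its value is the match count.
                return rs.next() && rs.getInt(1) >= 1;
            }
        }
    }
}
```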