Michael Portman

Ranch Hand
since Jul 24, 2017

Recent posts by Michael Portman

Dave Tolls wrote: Take us through this a step at a time.
Where is the project that you are compiling?
How are you compiling it (command line etc)?
Where does the compiled class file end up?
What steps do you take to deploy this and restart the server?

That's just a start.

Also, is there any old copy of the original java file around?
If so, where?



It's being compiled in my web-inf/classes folder.
I'm compiling using the command line, I don't use the IDEs. (I think they're overly complicated.)
The compiled class goes into the same folder as the source code (I know I shouldn't be doing this as it's bad practice).
I compile, restart the server. It's always worked like this for many projects up until now.

2 years ago

Paul Clapham wrote: What is it that makes you think the compiler is somehow looking at the nonexistent code? Have you eliminated other possibilities, such as that you haven't successfully deployed the result of the compilation?



There are no other index java files in the directory and it's not been deployed yet. Doesn't matter, I'll go elsewhere for help. Thanks anyway.
2 years ago
Hi.

I'm developing a site in Java/JSP. My main servlet is /index. I've made some heavy modifications to it and the compiler is trying to compile the old code I wrote instead of the new code. This only happens with the index.class servlet, all the other servlets and beans compile with their new code but not /index.class!

I'm developing my site the good old-fashioned way: I design the JSP template in Dreamweaver, and I'm coding my Java in Dreamweaver too. I'm not that interested in 'auto-complete' code like Eclipse, NetBeans, and IntelliJ offer.

And I use the command prompt to compile my Java code.

I've built it all up myself and it works perfectly!

It's this niggling issue that won't go away!! I can't deploy my site till the new code for the index.class is compiled.

Is this some sort of caching issue?

Any ideas greatly appreciated. Many thanks!!
2 years ago

Paul Clapham wrote:

Michael Portman wrote: Preventing a SQL attack is the least of my worries while my site isn't live yet. Getting the user login system working is my main priority atm.



"I know this is wrong, but I'll fix it later."

Problem is, there's always more important things to do later -- until the security breach happens. Really, just use a PreparedStatement. It's not like it's any harder than using a Statement, in fact it's easier because you don't have to mess with getting the single-quotes and double-quotes right.



OK. I've got a MySQL.class file which handles all of my SQL queries. How can I implement your suggestion in this:



As you can see, I wouldn't know what queries were getting passed into the mysql.class, if you know what I mean?
3 years ago

Paul Clapham wrote:

Michael Portman wrote: I'm a little confused over these PreparedStatements you are talking about. Couldn't I just escape all of my strings which go into the DB with replaceAll()/replace(), or maybe even use regex?



Here's the tutorial: Using Prepared Statements

As for doing something yourself to avoid SQL injection attacks: if you were a better programmer and experienced in the art of SQL injection attacks, that might be a possibility. But why go to all that work when you can just use a PreparedStatement?

(And as for escaping things, that's one of the tasks of PreparedStatement. You haven't written the code to escape quotes in the user name, anyway. But that code would be dependent on what database you were using, which is another reason to let PreparedStatement do it for you.)



Preventing a SQL attack is the least of my worries while my site isn't live yet. Getting the user login system working is my main priority atm.
3 years ago
My Session.java code definitely works cos I've just tested ALL of its methods and not one of them doesn't work in the numerous test servlets I've done.
3 years ago
OK, I've done all of the modifications and I still can't log in. Let me give you ALL the code involved...

index.java [Servlet]



FormController.java [Servlet]



Session.java API/Wrapper [bean/Java File]



Login.java [bean/Java File]



They're all the Java files responsible for logging in the user. If you take note, on line 70 it redirects back to the index servlet with a true GET var. When I try to log in I get with the var appended onto the index servlet once I've been redirected. So login is returning true with no session data being set, that's where the problem is!! Any ideas?
3 years ago

Paul Clapham wrote:

Michael Portman wrote: Can everybody agree this is the correct way of doing things? Cheers.



Not for a real application that's going into production for real users, no. If you're just trying to learn Java web apps then I guess it's okay, but for a real application you should use a PreparedStatement to access the database; building SQL using string concatenations allows SQL injection attacks to corrupt or damage the database. At least you're not storing plain-text passwords in the database, gotta give you credit for that.

Here's another quibble:



When you see Java code like "if (booleanValue) variable = true; else variable = false;" you can replace that code by "variable = booleanValue".



OK, I'll make the change. I'm a little confused over these PreparedStatements you are talking about. Couldn't I just escape all of my strings which go into the DB with replaceAll()/replace(), or maybe even use regex?
3 years ago
OK, I've redone things for the Login.class



Can everybody agree this is the correct way of doing things? Cheers.
3 years ago

Dave Tolls wrote: No.
You use the query I gave you above.
You only want to find a user who matches both the username and password given.

So the query needs to have a WHERE clause with that AND in it.
That's how all login methods work.



For all these years I've been doing it incorrectly, however it's always worked for me lol. I'd like to do it your way. Could you give me the exact query that I'd need to use to check for both username and password? Many thanks
3 years ago
But shouldn't I be using isPassword() to check if the passwords match though?
3 years ago
I have these two methods in my Login.class



One is to check if the user exists and if the passwords match; if they both check out I get the corresponding userId from the DB and set it as a session var, with a few other session vars. The problem I've got is the session vars aren't being created by the Session.class, which I know works perfectly in different scenarios! My head really is up the wall here
3 years ago
I've created a new method in Login.class, code as follows:



Would it be better to use that and get rid of isPassword()? But won't I need isPassword() to check if passwords match?
3 years ago

Dave Tolls wrote: OK, looking at that Login class.

The use of that MySQL class seems to imply you are not using a connection pool, which is generally not a good idea with a webapp.  Depending on how many concurrent users you are likely to have you may find yourself running out of connections.
I'm going to treat the Login class like a DAO (Data Access Object), since that seems to be what it is.
So, when interacting with the database using JDBC in a webapp you'll generally see the following structure in a method:

You need those try-with-resources blocks to ensure the resources (the result set, statement and connection) are closed, otherwise you are going to run out.

The getConnection() call simply hides whatever mechanism you are using to get a connection...as I say above, it should be using a connection pool.

So that's the basic structure you will have in your db interaction method(s).

For the Login, it's a single query:

If that returns a row then the user is valid, otherwise it is not.

So, I would expect a single method on your Login class, called getUser(String name, String password), which returns a User containing whatever data you need.

Hope that's not too much of an overload!




Many thanks for the advice, but I'm not sure whether MySQL is the main issue here. I think the session data isn't getting set in any of the Java code, more specifically the Login bean. I know for a fact the Session wrapper works cos I created some test servlets using my Session API and every method of the Session.class works perfectly. I'm just totally confused as it won't work here!!!
3 years ago
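
The structure Dave Tolls describes above (try-with-resources, a pooled connection, one query matching both username and password), combined with a way for a generic query-wrapper class to accept bound parameters instead of finished SQL strings. This is an added example, not code from the thread; the class name, the `users` table and its columns, the `User` record and the `bind` helper are all assumptions, and it needs Java 16+ for the record.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import javax.sql.DataSource;

/** Added example: login lookup with bound parameters (all names are assumptions). */
public class LoginDao {
    /** Minimal user holder; the fields are assumptions for this example. */
    public record User(long id, String name) {}

    // Assumed schema: users(id, username, password_hash).
    private static final String FIND_USER =
        "SELECT id, username FROM users WHERE username = ? AND password_hash = ?";

    private final DataSource pool; // connection pool supplied by the container

    public LoginDao(DataSource pool) { this.pool = pool; }

    /** Returns the user when one row matches both values, otherwise empty. */
    public Optional<User> getUser(String name, String passwordHash) throws SQLException {
        try (Connection con = pool.getConnection();
             PreparedStatement ps = bind(con, FIND_USER, name, passwordHash);
             ResultSet rs = ps.executeQuery()) {
            return rs.next()
                ? Optional.of(new User(rs.getLong("id"), rs.getString("username")))
                : Optional.empty();
        }
    }

    /**
     * Generic helper for a query-wrapper class: the SQL text is fixed and holds
     * only '?' placeholders; values travel separately and are never spliced
     * into the string, so a quote inside a value cannot change the query.
     */
    static PreparedStatement bind(Connection con, String sql, Object... params)
            throws SQLException {
        PreparedStatement ps = con.prepareStatement(sql);
        try {
            for (int i = 0; i < params.length; i++) {
                ps.setObject(i + 1, params[i]); // JDBC parameters are 1-based
            }
            return ps;
        } catch (SQLException e) {
            ps.close(); // do not leak the statement if binding fails
            throw e;
        }
    }
}
```

Matching the hash in the WHERE clause only works when the same password always produces the same stored value. With a per-user salted hash (bcrypt, Argon2), select the stored hash by username with the same binding and verify it in Java.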
Maybe put the HashMap inside the doPost method?
3 years ago