Negru Ionut Valentin wrote:what I'm doing wrong ...
First and foremost, you are putting Java code in a JSP. This is a bad practice that has been discredited for almost 10 years now. You should be putting any processing code in a servlet, bean or filter, and use JSP only for building the HTML display. Dynamic elements in the display are created using JSTL and EL, and not with Java scriptlets or scriptlet expressions.
And, the filter itself shouldn't do any DB access. A filter is part of the controller. DB access should be part of the model.
Familiarize yourself with MVC. Perhaps this article will help get you started on the right foot.
However beyond what Bear said, there are numerous problems in that code.
(1) You generate a lot of HTML, and then you decide to redirect to another page. Bad design. You should decide where you're going to go first, and only after that should you start generating HTML. If you generate too much HTML before you decide you actually want to generate something else, you're going to get an error message. Of course if you had that code in a servlet, that problem wouldn't have arisen.
(2) You are selecting the entire table when checking for a user. It would be far more effective to just look for the single record for that user. (I suggest a WHERE clause.) If it's there, and the password matches, the user is OK. Otherwise, not.
(3) You are storing the passwords in your database table in plain-text. This is a security flaw, since anybody can look in the database and find a user's password. Passwords should be hashed before they are stored in a database.
Negru Ionut Valentin wrote:I changed the code for the query into ResultSet rs=st.executeQuery("SELECT uId,password FROM userprofile WHERE uID='"+user+"' AND password='"+pass+"'"); and now it seems to work fine :D .. it seems this was the problem ... thanks Paul ...
"Seems to" is the key phrase there; continuing on with the list of problems:
(4) You wrote your query in a way which is open to SQL injection attacks. It will also encounter problems if the user ID or password contains characters which are punctuation in SQL, like quotes. (That's the "O'Brien" problem.) You should use a PreparedStatement with bind variables so that the database driver can take care of those issues.
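Points (2), (3) and (4) together, as an added example that is not code from the thread: the lookup fetches only the one row for the user through a PreparedStatement bind variable, and the password column is assumed to hold a salted PBKDF2 hash (in the constructed form base64(salt):base64(hash)) rather than the plain text the original table stores. The class name, the iteration count and the column layout are assumptions, not anything from the original post.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginDao {
    private static final int ITERATIONS = 100_000; // assumed work factor
    private static final int KEY_BITS = 256;

    // Derives a PBKDF2-HMAC-SHA256 hash of the password under the given salt.
    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
    }

    // Produces the value to store when a user is created: a fresh random salt
    // and the hash, encoded as base64(salt) + ":" + base64(hash) (assumed layout).
    public static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + ":" + enc.encodeToString(pbkdf2(password, salt));
    }

    // Recomputes the hash with the stored salt and compares in constant time,
    // so timing does not reveal how many bytes matched.
    public static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":");
        if (parts.length != 2) return false;
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt));
    }

    // Selects only the row for this user. The ID is passed as a bind variable,
    // so a value such as O'Brien is treated as data by the driver, never as SQL.
    public static boolean authenticate(Connection conn, String user, char[] pass) throws Exception {
        String sql = "SELECT password FROM userprofile WHERE uId = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false; // no such user
                return verifyPassword(pass, rs.getString("password"));
            }
        }
    }
}
```

Because the query no longer compares the password in SQL, the hash check happens in Java, which is also where a failed lookup and a wrong password can be given the same response.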
Negru Ionut Valentin wrote:For now I don't really worry about security because it is only used by me and only for learning
Fair enough, but that was why I pointed out all of those problems -- to help you in learning how to do things properly. You might be surprised how many companies are running code which contains those very same problems, because they hired people who imagined they knew how to do things properly but really didn't.