
in following logincheck.jsp still giving name and password present in database it's giving "wrong "

 
manohar gunturu
Greenhorn
Posts: 27

In the following logincheck.jsp, even when the name and password are present in the database, it's still giving "wrong username and password combination".

Please help me, developers!!!




<%@ page contentType="text/html;charset=iso-8859-1" language="java"%>
<%@page import="java.sql.*"%>
<%@page import="java.util.*"%>
<html>
<head>
</head>
<%!
String me;
String rd;
%>
<%
String ame=request.getParameter("firstname");
String wrd=request.getParameter("pwd");
Connection conn=null;
ResultSet rs=null;
Statement stmt=null;
String Query="SELECT * from db2admin.ma where name='"+ame+"' and pwrd='"+wrd+"'";

Class.forName("com.ibm.db2.jcc.DB2Driver").newInstance();
conn=DriverManager.getConnection("jdbc:db2://localhost:50000/sample","db2admin","db2admin");

stmt=conn.createStatement();
stmt.executeQuery(Query);
rs=stmt.getResultSet();

while(rs.next()){
    me=rs.getString("name");
    rd=rs.getString("pwrd");

    if((ame=me) && (wrd=rd))
    {
        out.println("hiii");
    }
    else
    {
        out.println("wrong password and user name combination");
    }
}
%>
</html>
 
Matthew Brown
Bartender
Posts: 4568
Hi Manohar. Welcome to the Ranch!

I can see a few problems there.

- Firstly, you're using = instead of ==. I'm surprised that compiles at all. Are you sure that's the code you're actually running?
- But since you're comparing strings you shouldn't be using == either. You should be using equals().
- Not that that should be necessary at all. You've already made the comparison in the query. If you found a row at all the password was correct.
- You need to learn about injection attacks, because the way you're building the query isn't safe.
- Finally, you shouldn't be putting Java code in a JSP at all. That's bad practice.
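To make points 3 to 5 concrete, here is an added example (not code from the thread) of the same check moved out of the JSP into a plain class plus a servlet, using a PreparedStatement so the form values are bound as data rather than pasted into the SQL text. The table and column names (db2admin.ma, name, pwrd) and form fields (firstname, pwd) come from the posted JSP; the class names, the JNDI DataSource and the two result pages are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class LoginServlet extends HttpServlet {

    // SQL text is fixed at compile time; the two '?' are bound parameters,
    // so a quote or keyword in the input stays a literal value, not SQL syntax.
    private static final String LOGIN_SQL =
        "SELECT 1 FROM db2admin.ma WHERE name = ? AND pwrd = ?";

    // Assumed: a container-managed DataSource for the DB2 "sample" database.
    @Resource(name = "jdbc/sample")
    private DataSource dataSource;

    // Returns true when a row matches. The database has already done the
    // comparison, so no equals() check on the returned columns is needed.
    static boolean isValidLogin(Connection conn, String name, String pwd)
            throws SQLException {
        if (name == null || pwd == null) {
            return false; // missing form fields can never log in
        }
        try (PreparedStatement ps = conn.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, name);
            ps.setString(2, pwd);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // at least one matching row
            }
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        boolean ok;
        try (Connection conn = dataSource.getConnection()) {
            ok = isValidLogin(conn, req.getParameter("firstname"), req.getParameter("pwd"));
        } catch (SQLException e) {
            throw new ServletException("login check failed", e);
        }
        // The JSP only renders the outcome; it contains no JDBC or Java logic.
        req.getRequestDispatcher(ok ? "/welcome.jsp" : "/loginfailed.jsp").forward(req, resp);
    }
}
```

The failure page can keep a single generic "wrong username and password combination" message, as the original did, so the response does not reveal which of the two fields was wrong.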
 
manohar gunturu
Greenhorn
Posts: 27
Matthew Brown wrote:Hi Manohar. Welcome to the Ranch!

I can see a few problems there.

- Firstly, you're using = instead of ==. I'm surprised that compiles at all. Are you sure that's the code you're actually running?
- But since you're comparing strings you shouldn't be using == either. You should be using equals().
- Not that that should be necessary at all. You've already made the comparison in the query. If you found a row at all the password was correct.
- You need to learn about injection attacks, because the way you're building the query isn't safe.
- Finally, you shouldn't be putting Java code in a JSP at all. That's bad practice.



Thank you sir,
I understand the first two points; can you please tell me about the 5th point in brief?
 
Matthew Brown
Bartender
Posts: 4568
manohar gunturu wrote: I understand the first two points; can you please tell me about the 5th point in brief?


We've got an FAQ that can explain it better than I can - see https://www.coderanch.com/how-to/java/WhyNotUseScriptlets and the article that it links to.
 