
Getting a different response on the second request compared to the first in a servlet/DB application

 
kiran kumar reddy
Ranch Hand
Posts: 94
Eclipse IDE Java Oracle
I have a simple application which takes a username and password as input and checks whether this combination is in the database or not. At my first request, when I gave the correct username and password, it says "login success", but when I gave a second request it says "login failure" even though I gave the correct details. But when I restart my web server and give a first request (as I did a restart), it again says "login success", but at the second request it again gives a failure statement.



 
Ashwini Kashyap
Ranch Hand
Posts: 90
You should process something like:

1) Store database matched values in some variables (declared before the loop so they exist even when no row comes back):
String userName = null;
String password = null;
while (rs.next()) {
    userName = rs.getString("username");
    password = rs.getString("password");
}

2) Compare incoming values against database values (the null check avoids a NullPointerException when the query returned no row):

if (userName != null && userName.equals(name) && password.equals(pass)) {
    out.println("login success");
}

Thanks,
Ashwini Kashyap | www.infocepts.com
 
kiran kumar reddy
Ranch Hand
Posts: 94
Eclipse IDE Java Oracle
Ashwini Kashyap wrote:You should process something like:

1) Store database matched values in some variables (declared before the loop so they exist even when no row comes back):
String userName = null;
String password = null;
while (rs.next()) {
    userName = rs.getString("username");
    password = rs.getString("password");
}

2) Compare incoming values against database values (the null check avoids a NullPointerException when the query returned no row):

if (userName != null && userName.equals(name) && password.equals(pass)) {
    out.println("login success");
}

Thanks,
Ashwini Kashyap | www.infocepts.com


This is done in my code. When we execute the SQL query, if the combination is present in the database it will return a table, and then rs.next() will return true, and then it is returned to the calling method, so loginstatus becomes true, and there are if and else statements to do the remaining stuff, right? And I think there is no need to compare the incoming values, because if the combination is not present in the specified database then there won't be any table returned, and rs.next() will give false. Correct me if I am wrong.
 
Ashwini Kashyap
Ranch Hand
Posts: 90
I think instead of passing back the response to the calling method, you can directly make use of rs.next() then and there in that method, as I have pasted (something like that).

Basic intent is to leave no scope of getting that login failure the second time as it works for you the first time.

You may check its description here.

Try it out once just to be on the safer side.

Thanks,
Ashwini
 
Tim Holloway
Bartender
Posts: 18531
61
Android Eclipse IDE Linux
I really don't recommend writing your own login code. The J2EE standard security system is far more secure and it was written and debugged over 10 years ago.

However, if you must, it's much better to do a "SELECT COUNT(*) FROM USER WHERE USERID = ? AND PASSWORD = ?" and check for a return value of 0 (failed), 1 (success), or (just in case) many (which shouldn't happen if you have everything set up properly, but real life can be unkind).

Use a parameterized query like I showed, not a string-built SQL or Bobby's mom will get you (http://xkcd.com/327/).

The reason for doing the SELECT COUNT instead of actually retrieving the user ID/password and comparing them is that it keeps the actual password from being pulled into server RAM where a rogue process might be able to capture it and send it off to the Bad Guys.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 65830
134
IntelliJ IDE Java jQuery Mac Mac OS X
And a one-way hash is recommended for storing the password in the DB so that plain-text passwords exist nowhere in the system once stored.
 
kiran kumar reddy
Ranch Hand
Posts: 94
Eclipse IDE Java Oracle
Tim Holloway wrote:I really don't recommend writing your own login code. The J2EE standard security system is far more secure and it was written and debugged over 10 years ago.

However, if you must, it's much better to do a "SELECT COUNT(*) FROM USER WHERE USERID = ? AND PASSWORD = ?" and check for a return value of 0 (failed), 1 (success), or (just in case) many (which shouldn't happen if you have everything set up properly, but real life can be unkind).

Use a parameterized query like I showed, not a string-built SQL or Bobby's mom will get you (http://xkcd.com/327/).

The reason for doing the SELECT COUNT instead of actually retrieving the user ID/password and comparing them is that it keeps the actual password from being pulled into server RAM where a rogue process might be able to capture it and send it off to the Bad Guys.

Even though I used a parameterized query, at the first attempt I get a success message, and with the same details on the second request I am getting a failure message and a stack trace in the console saying

 
Tim Holloway
Bartender
Posts: 18531
61
Android Eclipse IDE Linux
Another thing that we recommend is that webapps not attempt to obtain their database connections by brute force. The appserver supports database connection pools, which make much more efficient use of database resources.

Are you sure that this is the actual code you are executing, though? The error message says that the failing SQL was an UPDATE, not a SELECT!
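Putting the thread's three recommendations together (Tim's parameterized PreparedStatement and app-server connection pool, Bear's one-way hash), here is an added example; it is not code from this thread or from any poster. It assumes a pooled javax.sql.DataSource handed in by the app server, a USER table (the name from Tim's query; USER is a reserved word in some databases, Oracle included, so a real schema may need another name) with assumed columns USERID, SALT and PASSWORD_HASH holding Base64 text, and PBKDF2 for the hash. Because each user has their own salt, the password cannot go into the WHERE clause as in Tim's COUNT(*) form; the row is fetched by user id and the hash is verified in Java, so the database still never stores or returns a plaintext password. The main method exercises the hashing half without a database.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;

// Added example, not the thread's code. Assumes a pooled DataSource from the
// app server and a USER table with columns USERID, SALT, PASSWORD_HASH
// (the last two column names are assumptions).
public class LoginDao {
    private static final int ITERATIONS = 100_000;   // PBKDF2 work factor
    private static final int KEY_BITS = 256;         // derived hash length
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    private final DataSource dataSource;

    public LoginDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /** One-way PBKDF2-HMAC-SHA256 hash of the password under the given salt. */
    static byte[] hash(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable in this JVM", e);
        }
    }

    /** Fresh random salt for a newly created account. */
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** Constant-time comparison, so response time does not reveal how many bytes matched. */
    static boolean verify(char[] password, byte[] salt, byte[] storedHash) {
        return MessageDigest.isEqual(hash(password, salt), storedHash);
    }

    /**
     * Fetch the user's salt and hash by user id with a parameterized query (never
     * string-built SQL), then verify in Java. Each call borrows one connection from
     * the pool and try-with-resources closes statement, result set and connection,
     * so the second request starts from a clean slate instead of reusing objects
     * left over from the first.
     */
    public boolean login(String userId, char[] password) throws SQLException {
        String sql = "SELECT SALT, PASSWORD_HASH FROM USER WHERE USERID = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    // Unknown user: do a dummy hash anyway so timing matches a wrong password.
                    verify(password, new byte[SALT_BYTES], new byte[KEY_BITS / 8]);
                    return false;
                }
                byte[] salt = Base64.getDecoder().decode(rs.getString("SALT"));
                byte[] storedHash = Base64.getDecoder().decode(rs.getString("PASSWORD_HASH"));
                return verify(password, salt, storedHash);
            }
        }
    }

    /** Stand-alone demo of the hashing half; needs no database. */
    public static void main(String[] args) {
        byte[] salt = newSalt();
        String stored = Base64.getEncoder().encodeToString(hash("correct horse".toCharArray(), salt));
        byte[] storedHash = Base64.getDecoder().decode(stored);
        System.out.println("stored (Base64, as it would sit in PASSWORD_HASH): " + stored);
        System.out.println("right password verifies: " + verify("correct horse".toCharArray(), salt, storedHash));
        System.out.println("wrong password verifies: " + verify("wrong".toCharArray(), salt, storedHash));
    }
}
```

At registration time the servlet would call newSalt(), hash() and store both values Base64-encoded; at login it calls login() and never reads the PASSWORD column Ashwini's snippet compares. Holding a single Connection or Statement in a field across requests (or closing it after the first) is a common cause of the "works once, fails on the second request" symptom, which is why the example takes a connection from the pool per call; whether that is the cause here cannot be told without the stack trace the thread never shows.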