getting different response on second request comparing to first in servlet,DB application

Aug 11, 2013 13:02:56

i have a simple application which takes username and password as input and checks weather this combination is in database or not. At my first request when i gave correct username and password it says "loginsuccess" but when i gave second request it says "login failure" even though i gave correct details. But when i restart my web server and gave a first request(as i did a restart) it again says "login success". but at second request it again a failure statement.

package com.servlets;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class LoginDbServlet extends HttpServlet
{
@Override
protected void service(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
String name=req.getParameter("UserName");
String pass=req.getParameter("password");
Boolean loginstatus=userauthentication(name,pass);
PrintWriter out=resp.getWriter();
if(loginstatus)
{
out.println("login success");
}
else
{
out.println("login failure");
}
}
public boolean userauthentication(String name,String pass)
{
try
{
Class.forName("com.mysql.jdbc.Driver");
}
catch (Exception e) {
e.printStackTrace();
}
Connection con=null;
Statement stmt=null;
ResultSet rs=null;
try
{
con=DriverManager.getConnection("jdbc:mysql://localhost/lara");
stmt=con.createStatement();
rs=stmt.executeQuery("select * from lara where username='"+name+"'and password='"+pass+"';");
return rs.next();
}
catch (Exception e) {
e.printStackTrace();
return false;
}
finally
{
try
{
if(rs!=null)
{
rs.close();
rs=null;
}
}
catch (SQLException e)
{
System.out.println(e);
}
try
{
if(con!=null)
{
con.close();
con=null;
}
}
catch (SQLException e)
{
System.out.println(e);
}
try
{
if(stmt!=null)
{
stmt.close();
stmt=null;
}
}
catch (SQLException e)
{
System.out.println(e);
}
}
}
}

Aug 12, 2013 04:47:56

You should process something like:

1) Store database matched values in some variables:
while (rs.next ()){
userName=rs.getString("username");
password=rs.getString("password");
}

2) Compare incoming values against database values:

if ( (userName.equals(name) && (password.equals(pass)){
out.println("login success");
}

Thanks,
Ashwini Kashyap | www.infocepts.com

Aug 12, 2013 06:06:19

Ashwini Kashyap wrote:You should process something like:

1) Store database matched values in some variables:
while (rs.next ()){
userName=rs.getString("username");
password=rs.getString("password");
}

2) Compare incoming values against database values:

if ( (userName.equals(name) && (password.equals(pass)){
out.println("login success");
}

Thanks,
Ashwini Kashyap | www.infocepts.com

this is done in my code. when we execute sql query if the combination is present in the database it will return a table and then rs.next() will return true and then it is the returned to calling method and so loginstatus becomes true and there are if and else statements to do remaining stuff rite, and i think there is no need to compare the incoming values because if the combination is not present in the database specified then the there won't be any table returned. and rs.next() will give a false. correct me if i am wrong.

Aug 12, 2013 06:35:19

I think instead of passing back the response to the calling method, you can directly make use of rs.next() then and there itself in that method as I have pasted (something like that)

Basic intent is to leave no scope of getting that login failure the second time as it works for you the first time.

You may check it description here

Try it out once just to be on safer side.

Thanks,
Ashwini

Aug 12, 2013 08:05:29

I really don't recommend writing your own login code. The J2EE standard security system is far more secure and it was written and debugged over 10 years ago.

However, if you must, it's much better to do a "SELECT COUNT(*) FROM USER WHERE USERID = ? AND PASSWORD = ?" and check for a return value of 0 (failed) , 1 (success), or (just in case) many (which shouldn't happen if you have everything set up properly, but real life can be unkind.

Use a parameterized query like I showed, not a string-built SQL or Bobby's mom will get you (http://xkcd.com/327/).

The reason for doing the SELECT COUNT instead of actually retrieving the user ID/password and comparing them is that it keeps the actual password from being pulled into server RAM where a rogue process might be able to capture it and send it off to the Bad Guys.

Aug 12, 2013 08:49:36

And a one-way hash is recommended for storing the password in the DB so that plain-text passwords exist nowhere in the system once stored.

Aug 12, 2013 09:20:42

Tim Holloway wrote:I really don't recommend writing your own login code. The J2EE standard security system is far more secure and it was written and debugged over 10 years ago.

However, if you must, it's much better to do a "SELECT COUNT(*) FROM USER WHERE USERID = ? AND PASSWORD = ?" and check for a return value of 0 (failed) , 1 (success), or (just in case) many (which shouldn't happen if you have everything set up properly, but real life can be unkind.

Use a parameterized query like I showed, not a string-built SQL or Bobby's mom will get you (http://xkcd.com/327/).

The reason for doing the SELECT COUNT instead of actually retrieving the user ID/password and comparing them is that it keeps the actual password from being pulled into server RAM where a rogue process might be able to capture it and send it off to the Bad Guys.

even i used parameterized query at first attempt i getting a success message and with the same details on second request i am getting failure message and stacktrace in console saying

java.sql.SQLException: ResultSet is from UPDATE. No Data.
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1074)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:988)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:974)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:919)
at com.mysql.jdbc.ResultSetImpl.next(ResultSetImpl.java:6998)
at com.mysql.jdbc.ConnectionImpl.loadServerVariables(ConnectionImpl.java:3945)
at com.mysql.jdbc.ConnectionImpl.initializePropsFromServer(ConnectionImpl.java:3488)
at com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(ConnectionImpl.java:2460)
at com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2230)
at com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:813)
at com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:47)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:411)
at com.mysql.jdbc.ConnectionImpl.getInstance(ConnectionImpl.java:399)
at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:334)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at com.servlets.LoginDbServlet.userauthentication(LoginDbServlet.java:51)
at com.servlets.LoginDbServlet.service(LoginDbServlet.java:24)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:873)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Unknown Source)

Aug 12, 2013 09:46:15

Another thing that we recommend is that webapps not attempt to obtain their database connections by brute force. The appserver supports database connection pools, which make much more efficient use of database resources.

Are you sure that this is the actual code you are executing, though? The error message says that the failing SQL was an UPDATE, not a SELECT!

Not so fast naughty spawn! I want you to know about

a bit of art, as a gift, that will fit in a stocking

https://gardener-gift.com