Bob, I'm not using the login methodology listed in the emails below, I have a more secure means of doing my user logins. But you've got me curious as to whether you have found a loophole. What happens if you do use the login you have listed below, and what databases is this "loophole" applicable to?
Celeste

-----Original Message-----
From: Bob V [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

For those of you who use this method of login authentication, use the following username/password in your login page when you're done coding and see what happens:

UserName: x' or 1=1--
Password: x

>From: Chris Tucker <[EMAIL PROTECTED]>
>Reply-To: A mailing list about Java Server Pages specification and reference <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: Login Authentication against database...
>Date: Wed, 14 Nov 2001 11:29:59 -0800
>
>You shouldn't need to do any comparisons at all in your code. Use:
>
>String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE LOWER(UserLoginId) = LOWER('"+username+"') AND UserPassword = '"+password+"'";
>stmt = myConn.createStatement();
>myResultSet = stmt.executeQuery(sqlStr);
>if( myResultSet.next() ) {
>    // we have a valid user!
>}
>else {
>    // we don't have a valid user!
>}
>
>And make sure you catch and log any SQLExceptions that may occur, as they'll help you out no end in debugging...
>
> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]] On Behalf Of Praveen Potineni
> Sent: Wednesday, November 14, 2001 11:20 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Login Authentication against database...
>
>
> That's exactly what I did. I got only one record and test if the user exists. Else it goes to login screen.
> But I still get the same error. Well, I figured that I'm getting a problem comparing the 2 strings...
> string coming out of database and the string entered by user. Can you check the code and suggest me on this...
> Thanks in advance
> Praveen
>
> String sqlStr = "SELECT * FROM SAMM.UsersLogin WHERE UserLoginId = '"+username+"' AND UserPassword = '"+password+"'";
> stmt = myConn.createStatement();
> myResultSet = stmt.executeQuery(sqlStr);
> if(myResultSet.next() == false)
> {
>     log("resultset is null.");
> }
> else{
>     log("resultset is true");
>
>     String uid = myResultSet.getString("UserLoginId");
>     String upin = myResultSet.getString("UserPassword");
>
>     if ((username.equalsIgnoreCase(uid)) && (password.equalsIgnoreCase(upin))){
>         validUser = "true";
>     }
>     else{
>         validUser = "false";
>     }
>     log("validUser is : " +validUser);
> }
> myResultSet.close();
> stmt.close();
> }
> catch(SQLException sqle){
>     //System.out.println("User Does not exist Exception: "+sqle.toString());
>     //log("DBObject.validUserExists: Exception: "+sqle.toString());
> }
> return validUser;
> }
>
> ----- Original Message -----
> From: Joe Cheng
> To: [EMAIL PROTECTED]
> Sent: Wednesday, November 14, 2001 1:45 PM
> Subject: Re: Login Authentication against database...
>
>
> Praveen-
>
> It looks like your query is retrieving the whole set of users and then iterating in Java to see if any of them match the username/password the user entered. Why would you do that, rather than simply:
>
> SELECT * FROM users WHERE username = '<username entered by user>' AND password = '<password entered by user>';
>
> and see if any rows are returned. If there are no rows, the username and/or password was wrong. This way you don't have to deal with so much data, making it potentially much faster and less memory intensive.
>
> -jmc

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
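Celeste's question, worked through as an added example that is not part of the thread: the concatenated login query from the thread beside the same query with bound parameters, run in Python against an in-memory SQLite table standing in for the JDBC code (the Java equivalent of the bound form is PreparedStatement with setString). Table and column names are taken from the thread; the sample rows and the helper names are constructed.

```python
import sqlite3


def make_db():
    """In-memory stand-in for SAMM.UsersLogin, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsersLogin (UserLoginId TEXT, UserPassword TEXT)")
    # Constructed sample data. A real table would hold a password hash, not the password.
    conn.executemany("INSERT INTO UsersLogin VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    """The thread's approach: user input pasted straight into the SQL text.
    Whatever the user types becomes part of the WHERE clause the database parses."""
    sql = ("SELECT * FROM UsersLogin WHERE UserLoginId = '" + username
           + "' AND UserPassword = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, username, password):
    """Same query with bound parameters: the input is always compared as a value,
    never parsed as SQL (JDBC: PreparedStatement + setString)."""
    sql = "SELECT * FROM UsersLogin WHERE UserLoginId = ? AND UserPassword = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both forms with a real credential and with the probe Bob posted."""
    conn = make_db()
    probe_user, probe_pass = "x' or 1=1--", "x"
    return {
        "valid_concat": login_concat(conn, "alice", "s3cret"),
        "valid_param": login_param(conn, "alice", "s3cret"),
        # Concatenation: WHERE UserLoginId = 'x' or 1=1 ... matches every row, so
        # "any row returned" counts as a login with no valid credential at all.
        "probe_concat": login_concat(conn, probe_user, probe_pass),
        # Bound parameter: looks for a user literally named x' or 1=1-- and finds none.
        "probe_param": login_param(conn, probe_user, probe_pass),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```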
