Aaargh. Why won't this thread die!! :) All you need to know is... use PreparedStatement (or properly escape your string values) and there is NO WAY the user can slip in SQL commands.
NO WAY at all. If you don't believe me, just try it yourself. (Unless there is a bug in the particular JDBC driver you're using, as someone previously asserted in this thread... but it seems pretty darned unlikely.) So, you don't need to do all this elaborate multi-stage authentication. Just do a single PreparedStatement, with "username = ? AND password = ?" and you're done. It is fully secure.

-jmc

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
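The point of the message above, shown side by side as an added example (not code from the thread): a login query built by pasting user input into the SQL text, next to the same query using `?` placeholders, which is what a JDBC PreparedStatement does. It is written against Python's standard-library sqlite3 module instead of JDBC so it runs offline with no driver to install; the parameter binding mechanism is the same idea. The table contents and the hostile input are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with a single sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password kept only to mirror the "password = ?" query in the thread.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: user input becomes part of the SQL text itself.

    A quote character in the input ends the string literal early, so the rest
    of the input is parsed as SQL, which is exactly what the thread warns about.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """SAFE: the SQL text is fixed; values are bound to '?' placeholders.

    This is the sqlite3 equivalent of JDBC's PreparedStatement.setString().
    The driver passes each value as data, never as part of the statement,
    so quotes inside the input are compared literally.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(sql, (username, password)).fetchone()
    return count > 0


def demo() -> dict:
    """Run both variants with a correct password and a constructed hostile one."""
    conn = make_db()
    hostile = "x' OR 'a'='a"  # constructed input: contains a quote character
    return {
        "concat_good": login_concat(conn, "alice", "correct horse"),
        "concat_hostile": login_concat(conn, "alice", hostile),
        "prepared_good": login_prepared(conn, "alice", "correct horse"),
        "prepared_hostile": login_prepared(conn, "alice", hostile),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

With the concatenated query the hostile input is accepted because the `OR 'a'='a'` ends up inside the WHERE clause; with the placeholder version the same string is just a wrong password and the login is rejected. The only code difference is where the values travel: in the SQL text versus in the parameter tuple.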
