"Yawar Khan" <khanya...@yahoo.com> schrieb:
>thanks felix, very nicely explained!
>
>but do you think that declaring connection and rs variables outside the login
>function is causing the sessions mixup issue?
>
>
Yes. But I think it is not messing with sessions, but rather messing with the
values of your user beans.
Hth
Felix
>
>
>
>________________________________
>From: Felix Schumacher <felix.schumac...@internetallee.de>
>To: Tomcat Users List <users@tomcat.apache.org>
>Sent: Sat, August 21, 2010 4:13:52 PM
>Subject: RE: Sessions mix-up on Tomcat 6.0.26 on Linux
>
>Am Freitag, den 20.08.2010, 21:54 -0700 schrieb Yawar Khan:
>> Chris, you identified a possible sql injection in my code and declaring it a
>> very bad piece of code. Despite the fact that jdbc does not allow more than
>> 1
>> query on this execute function and I am doing fields validation before
>> submission of the form.
>>
>>
>> Is there another genuine threat or bug that you identified and would like to
>> share? Please do, I am sharing the udac source code as well,
>>
>>
>> Wesley you comments are also welcome; somebody also asked that what will
>> happen
>>
>> in case udac.login throws an exception, well exception handling is inside
>> this
>
>> class. Sorry but i missed that email so i am unable to name that gentleman
>> friend.
>>
>> package org.mcb.services;
>>
>> import java.text.*;
>> import java.util.*;
>> import java.sql.*;
>> import javax.servlet.http.HttpSession;
>>
>> public class udac
>> {
>> static Connection currentCon = null;
>> static ResultSet rs = null;
>This seems to be really problematic. Having ResultSet and Connection
>shared by many users is a bad idea.
>
>Imagine what happens when two requests come in at the same time:
>
> Request A Request B
>
> login(beanA)
> |
> currentCon=new Connection()
> | login(beanB)
> | |
> | currentCon=new Connection() # BOOM you are
>overwriting the class wide variable currentCon.
>
>Same thing can happen to rs too. So better place currentCon and rs as
>method variables inside of login.
>
>>
>> public static userbean login(userbean bean) {
>> //preparing some objects for connection
>> Statement stmt = null;
>> String userid = bean.getUserId();
>> String password = bean.getPassword();
>> String epass = null;
>> String name = null;
>> String user_id = null;
>> String role_id = null;
>> String branch_code = null;
>> String last_login = null;
>> String role_desc = null;
>> try{
>> epass = passwordservices.getInstance().encrypt(password);
>> //passwordservices is a class which has functions to ecrypt a
>> string and return back the string.
>> }catch(Exception e){
>> System.out.println(e);
>I find it very useful to use a logging framework for reporting errors.
>And adding information about the state in which the error occured might
>help finding the root cause more easily.
>
>> }
>> String searchQuery = "SELECT a.USER_ID,a.NAME, a.BRANCH_CODE,
>> a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION
>> a,
>>
>> ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
>> searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('"+
>>userid
>>
>> + "') AND a.PASSWORD = '"+epass+"'";
>If your are using prepared Statements with parameters, you don't have to
>worry, if someone has forgotten to check those parameters for
>sql-injection. But you were told so already.
>
>Bye
>Felix
>
>> try{
>> //connect to DB: connectionmanager is a class which contains
>> connection functions
>> currentCon = connectionmanager.scgm_conn();
>> stmt=currentCon.createStatement();
>> rs = stmt.executeQuery(searchQuery);
>> boolean hasdata=false;
>> while(rs.next()) {
>> hasdata=true;
>> name = rs.getString("NAME");
>> user_id = rs.getString("USER_ID");
>> branch_code = rs.getString("BRANCH_CODE");
>> role_id = rs.getString("ROLE_ID");
>> last_login = rs.getString("LAST_LOGIN_DATE");
>> role_desc = rs.getString("ROLE_DESC");
>> bean.setName(name);
>> bean.setUserId(user_id);
>> bean.setBranch(branch_code);
>> bean.setRole(role_id);
>> bean.setLastLogin(last_login);
>> bean.setRoleDesc(role_desc);
>> bean.setValid(true);
>> }
>> if(!hasdata) {
>> System.out.println("Sorry, you are not a registered user!
>> Please sign up first "+ searchQuery);
>> bean.setValid(false);
>> }
>> }catch (Exception ex){
>> System.out.println("Log In failed: An Exception has occurred! "
>>+
>
>> ex);
>> }
>> //some exception handling
>> finally{
>> if (rs != null) {
>> try {
>> rs.close();
>> } catch (Exception e) {}
>> rs = null;
>> }
>>
>> if (stmt != null) {
>> try {
>> stmt.close();
>> } catch (Exception e) {}
>> stmt = null;
>> }
>>
>> if (currentCon != null) {
>> try {
>> currentCon.close();
>> } catch (Exception e) {
>> }
>>
>> currentCon = null;
>> }
>> }
>> return bean;
>>
>> }
>> }
>>
>> ysk
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Friday, August 20, 2010 3:43 AM
>> To: Tomcat Users List
>> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Wesley,
>>
>> On 8/19/2010 5:04 PM, Wesley Acheson wrote:
>> > Maybe its just be but I still don't see where uadc is declared or even
>> > imported.
>>
>> ...or even used.
>>
>> I'm guessing that the bad code exists outside of this login servlet.
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAkxts1YACgkQ9CaO5/Lv0PBitwCeMXvEXLi1L9rnLmTVP4nofIGH
>> NkAAnj9DTqFLwLAYxb2MQuI6v6ckVcYm
>> =DR0I
>> -----END PGP SIGNATURE-----
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>>
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org