-1

This code has an insert record in mysql table, but I want to compare jsp/html textboxes String with mysql column which is already existed like a login. This is page to login

Two things I have know

  1. To change mysql query
  2. Compare input string with mysql column data How can I do this?

NewServlet.java

         public class NewServlet1 extends HttpServlet {
         protected void processRequest(HttpServletRequest request, HttpServletResponse response)
         throws ServletException, IOException {
         response.setContentType("text/html;charset=UTF-8");
         PrintWriter out = response.getWriter();

        String name=request.getParameter("username");
        String abc=request.getParameter("password");

        aaaa c1=new aaaa();

        try{

          String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";

          c1.st.executeUpdate(Sql);   
        }
         catch(SQLException ex)
         {

         out.println(ex);

         }

         try {

        out.println("<html>");
        out.println("<head>");
        out.println("<title>Servlet NewServlet1</title>");            
        out.println("</head>");
        out.println("<body>");
        out.println("<h1>Servlet NewServlet1 at " + request.getContextPath() + "</h1>");
        out.println("</body>");
        out.println("</html>");
    } finally {            
        out.close();
     }
   }

aaaa.java//comment this class is for database connection//

            public class aaaa {

            Connection c1 = null;
            Statement st = null;
            ResultSet rs = null;
            aaaa(){
            try {
            Class.forName("com.mysql.jdbc.Driver");
            c1 = (Connection) DriverManager.getConnection("jdbc:mysql://localhost:3306/teacher","root", "abcde");

            } 
            catch (Exception cnfe) {
               System.out.println("Couldn't find the driver!");
               System.out.println("Couldn't connect: print out a stack trace and exit.");
               System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
               }
            try {
                st = (Statement) c1.createStatement();
                System.out.println("Statement Created Successfully");
              } catch (SQLException se) {
                System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
                se.printStackTrace();
            }
            if (c1 != null) {
               System. out.println("Hooray! We connected to the database!");
            } else {
                System.out.println("We should never get here.");
             }
           }
        }
Rajpoot Rajpoot
  • 11
  • 1
  • 6
  • 1
    you are vulnerable to [sql injection attacks](http://bobby-tables.com) – Marc B Jul 25 '16 at 21:13
  • Why you don't try to improve my code i'm new in java learning my code is inserting data in table but i want to compare existing data of table from input string like username or password – Rajpoot Rajpoot Jul 25 '16 at 21:17
  • 1
    Because you have to do your homework first. Learn SQL, there is a lot of tutorials available (e.g. free course at [Code School](https://www.codeschool.com/courses/try-sql)) - particularly, learn the `SELECT` command, and its `WHERE` clause. SO is not here to teach you the basics. – Jozef Chocholacek Jul 26 '16 at 06:47
  • u actually don't know java and mysql if u know that then u really correct my code jozef i have correct mysql query but how can i compare input String from database all my code is here. – Rajpoot Rajpoot Jul 26 '16 at 06:55

1 Answers1

0

Your sql string code:

String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";

is vulnerable to sql injection. Suppose a user inputted something like a username that exists in your database followed by the comment character for the username, the application will authorize the user, so you are vulnerable. Some crazy hackers could even delete your login table with the same technique and your application will be down.

**Remedy for sql injection: ** Use prepared statements to parse your inputs. See: How to use prepared statement for select query in Java?

Now coming to the answer to your question, you can pass the user input to the query (with prepared statement) and check if a result exists from using the result set has next function (something like that!); if it does then authorize the user else do nothing.

Community
  • 1
  • 1
cdaiga
  • 4,861
  • 3
  • 22
  • 42
  • How to compare String with mysql table record java? – Rajpoot Rajpoot Jul 26 '16 at 07:53
  • I already gave the answer. I don't use raw servlets, you do. Get the users input from the front end and pass it to the method that does the authorization. If you are interested in getting the user name and password from the query the go ahead getting them from the resultset. Once you have them, you can use java String's equals or equalIgnoreCase method to compare the strings. – cdaiga Jul 26 '16 at 09:43
  • I was talking about this getting the user name and password from the query the go ahead getting them from the resultset. Once you have them, you can use java String's equals or equalIgnoreCase method to compare the strings. – cdaiga – Rajpoot Rajpoot Jul 26 '16 at 20:17