
This code should check login credentials and forward either to the logged-in page for admin when getParameter(7)=1 or to the customer page when it is 0. If the login credentials are not correct it should go to the error message and from there to the login page again. But somehow it is directly going to the error page in the else case if it's not admin!! The next two cases are not being checked at all!!

protected void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    try {
        Class.forName("com.mysql.jdbc.Driver");
        Connection con = DriverManager.getConnection(
                "jdbc:mysql://localhost:3306/mutualfund", "root", "");
        Statement stmt = con.createStatement();
        // every row of the table is fetched; the credential comparison happens in Java
        ResultSet result = stmt.executeQuery("SELECT * FROM login_table;");
        String uname = request.getParameter("username");
        String pass = request.getParameter("password");

        while (result.next()) {
            if (result.getString(1).equals(uname) && result.getString(2).equals(pass)) {
                if (result.getBoolean(7) == true) {
                    response.sendRedirect("displayFunds.jsp");
                }
                if ((result.getBoolean(7) == false) && (result.getString(4).equals(""))) {
                    response.sendRedirect("changePassword.jsp?name=" + uname + "&&pass=" + pass);
                }
                if ((result.getBoolean(7) == false) && (!result.getString(4).equals(""))) {
                    response.sendRedirect("custProfile.jsp");
                }
            } else {
                // reached for every row that does not match, including rows after a match
                response.sendRedirect("loginFailed.jsp");
            }
        }
    } catch (Exception ex) {
        Logger.getLogger(Admin.class.getName()).log(Level.SEVERE, null, ex);
    }
}
}
  • You should first remove the "==true" and "==false" pieces of code. If something is true you don't need to ensure that it is really true by comparing it again with the value true. – br araujo Jun 12 '13 at 18:01

1 Answer

You're not returning from the method, but continuing to iterate through the while loop. You seem to expect that a simple method call response.sendRedirect() magically aborts the whole while loop and returns from the method. It doesn't do that. The code just continues the loop, checking the next user and setting the redirect URL, hereby overriding the previous one.

You need to return from the method yourself.

response.sendRedirect(someURL);
return;

Your concrete problem is caused because your login doesn't match the last user entry in the DB.


Unrelated to the concrete problem, this approach is however terribly inefficient. You're not taking benefit of the powers of a relational database and instead copying the entire DB table into Java's memory and performing the comparison in Java. You should be writing SQL queries in such way that it returns exactly the information you need. In this particular case, you should be using the SQL WHERE clause instead (in a prepared statement!), so that the resultset contains exactly zero or one row.

if (resultSet.next()) {
    // Login OK!
} else {
    // Login fail!
}

Further, your code is also leaking DB resources by never closing them. You should be closing them in finally. Also, loading the JDBC driver on every HTTP request is unnecessary. Just load it once during webapp's/servlet's startup.

See also:

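The answer's points combined in one servlet (return after the redirect, WHERE clause in a prepared statement, resources closed, driver loaded once), as an added example that is neither the asker's code nor the answerer's: the column names is_admin (the page's column 7) and fourth_column (the page's column 4) and the JNDI resource name jdbc/mutualfund are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class LoginServlet extends HttpServlet {
    // Assumed: a container-managed pool bound in JNDI; the pool loads the JDBC
    // driver once at startup, so there is no Class.forName() per request.
    @Resource(name = "jdbc/mutualfund")
    private DataSource dataSource;

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String uname = request.getParameter("username");
        String pass = request.getParameter("password");
        // WHERE clause in a prepared statement: the DB does the matching and returns
        // zero or one row, and user input never becomes part of the SQL text.
        String sql = "SELECT is_admin, fourth_column FROM login_table"
                + " WHERE username = ? AND password = ?";
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, uname);
            ps.setString(2, pass); // production code verifies a password hash, not plaintext
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    response.sendRedirect("loginFailed.jsp");
                    return; // sendRedirect only sets headers; return explicitly
                }
                if (rs.getBoolean("is_admin")) {
                    response.sendRedirect("displayFunds.jsp");
                } else if ("".equals(rs.getString("fourth_column"))) {
                    // keep the identity in the session, never in a redirect URL
                    request.getSession().setAttribute("user", uname);
                    response.sendRedirect("changePassword.jsp");
                } else {
                    response.sendRedirect("custProfile.jsp");
                }
            }
        } catch (SQLException ex) { // try-with-resources has already closed rs, ps, con
            throw new ServletException("login lookup failed", ex);
        }
    }
}
```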
  • Thanks :) I changed it to a WHERE clause and yes, I realized it's an unnecessary iteration!!!.. Can you look at the login page again and give me some idea of how to ask security questions in case of 3 unsuccessful logins???! – APPU cool Jun 13 '13 at 12:17
  • Just add a column wherein you count the failed login attempts of the given username. – BalusC Jun 13 '13 at 12:19
  • I tried that.. but the mentor who is checking my project told me not to put another column in the DB for unsuccessful attempts... Is there any way around it with sessions? – APPU cool Jun 13 '13 at 12:25
  • I'm not familiar with sessions.. I'll post you a link to the other question where I mentioned this problem.. Can you see it? – APPU cool Jun 13 '13 at 12:25
  • http://stackoverflow.com/questions/17087000/creating-sessions-for-my-login-page-and-counting-number-of-unsuccessful-login – APPU cool Jun 13 '13 at 12:27