Authenticating the username, password by using filters in Java (contacting with database)

Backend | Unresolved | 4 | 889
夕颜 2020-11-29 02:21

The following is the piece of Java code, using filters, that shows the error page every time, even if the username and password are correct. Please help me, I don't have

4 answers
  •  情歌与酒
    2020-11-29 03:08

    Use a prepared statement, your code is an open invitation for an SQL injection.

    // Snippet for the body of your filter's doFilter(request, response, chain).
    // getMyConnection(), user, pwd and sc (the ServletContext) are your own filter's variables;
    // you need java.sql.Connection, java.sql.PreparedStatement and java.sql.ResultSet imported.
    Connection con = getMyConnection();
    try {
        // no string concatenation, we use ? instead:
        PreparedStatement ps = con.prepareStatement("select * from reg where username=? and pass=?");
        try {
            // actual values for the parameters are set here, as data, never as SQL text:
            ps.setString(1, user);
            ps.setString(2, pwd);
            ResultSet rs = ps.executeQuery();
            if (rs.next()) {
                chain.doFilter(request, response);
            } else {
                sc.getRequestDispatcher("/error.html").forward(request, response);
            }
        } finally {
            ps.close();
        }
    } finally {
        con.close();
    }


    Now for your question, please check:

    • that the table and column names are the right ones (don't you have a 'login' and a 'username' column?)
    • that the values are really correct (try the query in SQL Developer, for instance)
    • that it works with an ASCII-7 password and username (it might be an encoding problem)
    • that the password column contains the real password and not a hash of it
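    The same check wrapped in a complete servlet filter, as an added example (not the answerer's code and not the asker's project). It assumes the javax.servlet API, a `reg` table with `username` and `pass` columns as in the answer, and placeholder JDBC connection settings; the commented-out concatenated query shows the form the answer warns against, next to the parameterised form that replaces it.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * Login filter that checks the submitted username and password against the
 * "reg" table with a parameterised query. Example code, not from the thread.
 */
public class LoginFilter implements Filter {

    // Placeholders (assumption): replace with the application's real JDBC settings.
    private static final String JDBC_URL = "jdbc:example://localhost/appdb";
    private static final String DB_USER = "app";
    private static final String DB_PASS = "change-me";

    private ServletContext sc;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.sc = filterConfig.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Parameter names "username" and "pass" are assumed to match the login form.
        String user = request.getParameter("username");
        String pwd = request.getParameter("pass");

        // Reject missing fields before touching the database.
        if (user == null || pwd == null) {
            sc.getRequestDispatcher("/error.html").forward(request, response);
            return;
        }

        // The form the answer warns against: building SQL by concatenation, so a
        // value containing a quote becomes part of the statement instead of data.
        //   "select * from reg where username='" + user + "' and pass='" + pwd + "'"
        boolean ok;
        try {
            ok = credentialsMatch(user, pwd);
        } catch (SQLException e) {
            // A database failure must not let the request through; surface it instead.
            throw new ServletException("login check failed", e);
        }

        if (ok) {
            chain.doFilter(request, response);
        } else {
            sc.getRequestDispatcher("/error.html").forward(request, response);
        }
    }

    /** Returns true when the given username/password pair exists in "reg". */
    static boolean credentialsMatch(String user, String pwd) throws SQLException {
        String sql = "select 1 from reg where username = ? and pass = ?";
        // try-with-resources closes the ResultSet, statement and connection in reverse order.
        try (Connection con = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASS);
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, user);   // bound as a value; the driver never parses it as SQL
            ps.setString(2, pwd);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();    // one matching row means the credentials are valid
            }
        }
    }

    @Override
    public void destroy() {
    }
}
```

    Register the filter in web.xml or with `@WebFilter` on the login path. If, as the last bullet above suggests, the `pass` column holds a hash rather than the plaintext, look the row up by `username` alone and verify the submitted password against the stored hash with the same hashing routine the registration code used, instead of binding the raw password in the WHERE clause.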
