 |
| JSP Basics Beginning-level questions on JSP. More advanced coders should post to Pro JSP. |
Welcome to the p2p.wrox.com Forums.
You are currently viewing the JSP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
|
|
|
|

February 5th, 2009, 04:15 AM
|
|
Registered User
|
|
Join Date: Jan 2009
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
registration and login problem in jsp
hi everyone!
i am creating a form from where user can register and then can login afterword.
to registration i created following block:
Code:
<%
String username = request.getParameter("username");
String password = request.getParameter("password");
String passwordconfirm = request.getParameter("passwordconfirm");
String email = request.getParameter("email");
String emailconfirm = request.getParameter("emailconfirm");
String connectionURL = "jdbc:mysql://localhost:3306/new";
Connection connection = null;
PreparedStatement pstatement = null;
Class.forName("com.mysql.jdbc.Driver").newInstance();
int updateQuery = 0;
if(username!=null && password!=null && email!=null){
if(username !="" && password !="" && email !="") {
if(password==passwordconfirm && email==emailconfirm){
try {
connection = DriverManager.getConnection(connectionURL, "root", "anthony111");
String queryString = "INSERT INTO reg(username,password,email) VALUES (?, ?, ?)";
pstatement = connection.prepareStatement(queryString);
pstatement.setString(1, username);
pstatement.setString(2, password);
pstatement.setString(3, email);
updateQuery = pstatement.executeUpdate();
if (updateQuery != 0) { %>
Thank you for registering. An email has been dispatched to your email address with details on how to activate your account.
<% }
}
catch (Exception ex) {
out.println("Unable to connect to batabase.");
}
finally {
// close all the connections.
pstatement.close();
connection.close();
}
}
else
{%>
registration not completed! try again!
<%}
}
else{%>registration not completed! try again!
<%}
}
else{%> registration not completed! try again!
<%}
%>
it is not working fine.
what is wrong with it.
please help.
Last edited by anthony111; February 5th, 2009 at 04:55 AM..
|
|

February 5th, 2009, 07:42 PM
|
|
Friend of Wrox
|
|
Join Date: Jun 2008
Posts: 1,649
Thanks: 3
Thanked 141 Times in 140 Posts
|
|
Ummm..."is not working fine" could mean that you don't have Java installed on that computer.
Yes, I know that's extreme, but the point is that you haven't told us *HOW* it is not working. You didn't tell us if you got an error message. Etc., etc.
Help us to help you by being *EXPLICIT*.
I see several possible problems there. Just to take *ONE* example:
You do
Code:
catch (Exception ex) {
out.println("Unable to connect to batabase.");
}
But that may not be true, at all! You might be having a problem with the prepared statement or with the update. Might have nothing to do with the connection, per se.
So *AT A MINIMUM*, I always recommend (at least during debug time) showing the actual exception. Perhaps as simply as
Code:
catch (Exception ex) {
out.println("Unable to connect to batabase.<p>Exception: " + ex.toString() + "<hr>" );
}
Anyway, more details.
|
|

February 6th, 2009, 03:59 AM
|
|
Registered User
|
|
Join Date: Jan 2009
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
sorry
the code given above is to insert a user info provided in previous page into database.
it runs without any error but only to give
Registration not complete! try again!
that i have used in condition if the information is not complete i.e.
any field is blank or the email provided in email and confirm email does not match
or if the two password fields password and confirm password do not match.
please help.
|
|

February 6th, 2009, 05:26 AM
|
|
|
Try with String.equals method
like
Code:
email.equals(emailconfirm)
returns true if matches
|
|

February 6th, 2009, 06:39 AM
|
|
Registered User
|
|
Join Date: Jan 2009
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
Quote:
Originally Posted by jomet
Try with String.equals method
like
Code:
email.equals(emailconfirm)
returns true if matches
|
thanks a lot!
it works.
one question....
my code contains username and password for the database. it raises a doubt in my mind that it may be vulnerable to use them in code.
can i achieve same functionality without using username and password in jsp itself?
one more thing....
using :
Class.forName("com.mysql.jdbc.Driver").newInstance ();
create new connection(i think so, correct me if not), then will it be efficient?
i want the inserted data to validate the username and password provided by user to login. how can i do this?
regards
Last edited by anthony111; February 6th, 2009 at 03:35 PM..
Reason: completing query
|
|

February 6th, 2009, 04:41 PM
|
|
Friend of Wrox
|
|
Join Date: Jun 2008
Posts: 1,649
Thanks: 3
Thanked 141 Times in 140 Posts
|
|
Need to do *BOTH* comparisons that way, of course:
Code:
if(password.equals(passwordconfirm) && email.equals(emailconfirm) )
Regarding the username and password in code: You could move them to a config file, but the only way somebody is going to find them in your code is by hacking your site. And if they can hack your site to read the JSP code they can just as easily read the config file.
No, doing it this way isn't the most efficient. You'd want a connection pool and a Java bean and and and to get best efficiency. But unless people are logging into your site at the rate of hundreds every minute it's probably perfectly adequate.
|
|

February 9th, 2009, 05:39 AM
|
|
Registered User
|
|
Join Date: Feb 2009
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
you need to break the code in such a way that your presentation layer (user-interface part) & DataBase part,
should be in different files itself. The former part in .jsp and the latter in .java files.
The good thing you have done is, instead of using normal Statements, you are using Prepared Statements
(though Callable would have been better).
As already been told, you have to put your DB login details in a config file and take the details from that.
NEVER reveal them in your JSP file, as JSP is only for "feel good" factor
And try to do some client-side validation (and server-side validation) checks also, for handling a good part of security.
|
|

February 9th, 2009, 08:01 PM
|
|
Friend of Wrox
|
|
Join Date: Jun 2008
Posts: 1,649
Thanks: 3
Thanked 141 Times in 140 Posts
|
|
Quote:
|
NEVER reveal them in your JSP file, as JSP is only for "feel good" factor
|
Could you explain why you believe that? How do you think that putting information into a JSP file is any less secure to than putting it in a config file?
Oh, I think it is better practice to put it in the config, but not because of security. I don't know any way somebody could "crack" your JSP code that wouldn't ALSO allow them to crack your config files.
|
|

February 10th, 2009, 01:48 AM
|
|
Registered User
|
|
Join Date: Feb 2009
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
|
|
I guess, its better to put the details in a config file, as it can be placed in a different path
and that can be accessed using java files, rather than using JSP.
A good amount of JSP data can be obtained from the "view source" itself.
That the reason why I refered to JSP less secure.
And validations will be essential, to handle the cross-site scripting kinda attacks.
Hey buddy, Correct me if I'm wrong ...
|
|

February 10th, 2009, 05:21 PM
|
|
Friend of Wrox
|
|
Join Date: Jun 2008
Posts: 1,649
Thanks: 3
Thanked 141 Times in 140 Posts
|
|
Can you show me an example page where (and I quote you) '...good amount of JSP data can be obtained from the "view source"...'??
*NOTHING* that appears in <%...%> tags should *EVER* show up in the VIEW==>>SOURCE unless, of course, it is purposely written to the browser with out.write( ). I honestly can't think of any exceptions. If you have one in mind, I'd love to see it.
Oh! Yes, I guess if you get an error on a page then possibly the error message might reveal stuff that should be hidden. But of course you should be carefully wrapping *ALL* code in try blocks to prevent that, no matter what.
|
|
 |