Re: Malfunctioning of JSP application

---

• From: Lew <lew@xxxxxxxxxxxxxxxxxxxx>
• Date: Sat, 24 Feb 2007 00:38:23 -0500

---

"Sameer" wrote:

A JSP application accepts username and password from user.
Username and Passwords are stored in a Oracle database.
It connects to the database and validated username using the passwords
from database.
A user-id is also retrieved from the database and it is being put in a
session variable.
session.putValue("m_use_id", new Integer(m_use_id));
This user id is being used for further operations in the application.

Sometimes it happens that when the user logs into the application
using his username and password he get logged in as the username
having the user-id =1 automatically.

What does "user-id =1" mean?

I have checked the code of application and find nothing wrong with the
code for this malfunction.
Can session variable values are being altered in the memory or any
other reason for this malfunctioning?

Any experiences like this?
Any guesses for this malfunctioning?

I.
Problem number one: instance variables in a JSP.

<%!

String mquery;
Statement stmt;
Connection con;
ResultSet rs;

%>

You rarely, if ever, should declare instance variables in a JSP. They can be shared between people in different sessions and they never know it.

GIYF: Java thread safety.

II.
Problem number two: Fragile SQL statements that can be hacked using SQL injection, intentionally or accidentally. Someone could read your entire database with well-known hacks on code like

mquery = "select M_USE_ID, M_PRO_ID from M_USER where M_USE_LOG='"+login+"' and M_USE_PAS='"+password+"'";

All someone has to do is enter a login name of "a' OR 1=1 --" to get in.

Tsk, tsk.

III.
Problem number three, but probably not related to the problem you are seeing:

System.out.println(mquery);

System.out is the console. What do you call the "console" in a Web app? Far better to use logging calls.

IV.
Problem number four: So much scriptlet in a JSP! Write Java in .java files, not .jsp files. Write JSP in JSP files. This is related in the sense that it increases the likelihood of bugs like yours, and makes it much harder to fix them.

- Lew
.

---

• References:
  • Malfunctioning of JSP application
    • From: Sameer
  • Re: Malfunctioning of JSP application
    • From: impaler

• Prev by Date: Re: Regular Expression help please!
• Next by Date: Re: Regular Expression help please!
• Previous by thread: Re: Malfunctioning of JSP application
• Next by thread: Jdb: problem determining free memory
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Pathname to access and usernames in shortcut ... >> network drive (for maintenance reasons initially, ... >> using usernames but no passwords. ... change their passwords within the access database (they won't know how ... >> gets the current username from the system and then calls access (via the ... (microsoft.public.access.security) Re: php inserts into DB ... database...the only problem is that it doesn't put anything in the database. ... // checks if the username is in use ... die('Your passwords did not match. ... terminate the string and concatenate the variable, or use sprintf to format the string correctly. ... (comp.lang.php) Re: php inserts into DB ... database...the only problem is that it doesn't put anything in the database. ... // checks if the username is in use ... die('Your passwords did not match. ... (comp.lang.php) Re: Malfunctioning of JSP application ... Username and Passwords are stored in a Oracle database. ... having the user-id =1 automatically. ... (comp.lang.java.programmer) Re: Malfunctioning of JSP application ... Username and Passwords are stored in a Oracle database. ... having the user-id =1 automatically. ... (comp.lang.java.programmer)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)