Joe,

When my users log in, I capture their username and compare that name to those I have in an XML table on the server. If the name exists in the XML table, and is still classified as Active, I then make a connection to my database, and verify the password, along with obtaining other info I need for access into different areas of our site. Every time a new user is added to the database, I run a script that updates my XML file on the server. The XML table is located in a different directory on our site than the actual JSP/HTML pages, and has limited information. Therefore, if someone did get their hands on it, they still could not log into our site.

This allows me to do a "first verification" of the user, and then reject the user if appropriate, without even opening a connection or pulling a thread from the connection pool to my database. I have one JSP that verifies the user exists in the XML table, before either handing off the user to another JSP for verification against the database, or redirecting to a login error page.

Celeste

-----Original Message-----
From: Joe Cheng [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 11:33 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...

Celeste, what's a "more secure" means? Now you've got me curious. And Bob wasn't pointing out a loophole, just calling attention to the non-escaped values in the SQL statement below.

-jmc

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
===========================================================================
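The two-stage login Celeste describes, rendered as a runnable Python sketch. This is an added example, not the JSP from the thread: the XML table, the database row, the role column and the salted-hash password storage are all constructed here as assumptions (the thread only says "verify the password"). It also places the pattern Joe's reply refers to, a username spliced straight into the SQL text, next to the parameterized form that fixes it.

```python
"""Two-stage login: XML 'Active user' pre-check, then a parameterized DB lookup."""
import hashlib
import hmac
import os
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for the XML table the server-side script regenerates.
# It deliberately holds only the name and status, nothing usable to log in.
USERS_XML = """<?xml version="1.0"?>
<users>
  <user name="celeste" status="Active"/>
  <user name="bob" status="Inactive"/>
</users>
"""


def load_active_users(xml_text):
    """Return the set of usernames the XML table marks Active."""
    root = ET.fromstring(xml_text)
    return {u.get("name") for u in root.iter("user") if u.get("status") == "Active"}


def precheck(username, active_users):
    """Stage 1: reject unknown or inactive names before touching the database."""
    return username in active_users


def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2 (an assumption of this example; the thread does not say how passwords are stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_db():
    """Constructed in-memory database standing in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ("celeste", salt, hash_password("s3cret", salt), "admin"),
    )
    return conn


def unsafe_lookup(conn, username):
    """The pattern Joe's reply warns about: the value is concatenated into the SQL text.

    A username of  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns a row without a matching name at all.
    """
    return conn.execute(f"SELECT role FROM users WHERE name = '{username}'").fetchone()


def authenticate(conn, username, password):
    """Stage 2: parameterized query plus constant-time hash compare. Returns the role or None."""
    row = conn.execute(
        "SELECT salt, pw_hash, role FROM users WHERE name = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    salt, pw_hash, role = row
    if not hmac.compare_digest(pw_hash, hash_password(password, salt)):
        return None
    return role


def login(username, password, active_users, conn):
    """Celeste's flow: fail fast against the XML table, only then query the database."""
    if not precheck(username, active_users):
        return None  # no connection pulled from the pool for this request
    return authenticate(conn, username, password)


if __name__ == "__main__":
    active = load_active_users(USERS_XML)
    db = build_db()
    print("bob (inactive):", login("bob", "anything", active, db))
    print("celeste, wrong password:", login("celeste", "wrong", active, db))
    print("celeste, right password:", login("celeste", "s3cret", active, db))
    print("injected name via unsafe_lookup:", unsafe_lookup(db, "' OR '1'='1"))
    print("injected name via authenticate:", authenticate(db, "' OR '1'='1", "x"))
```

Note that the XML pre-check happens to stop the injected username here only because it is not an Active name in the table; it is a load-shedding step, not an input filter, and a legitimate username paired with an unescaped password field would still reach the SQL text. Binding every user-supplied value as a parameter, as `authenticate` does, is what closes the point Joe raised.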
