Thanks, a great idea Celeste.

Another approach may be to do the password comparison outside the database.
So you say... SELECT password FROM users WHERE username="user";
And then do a password.equals("enteredpassword");
-Tim

-----Original Message-----
From: Haseltine, Celeste [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Joe,

When my users log in, I capture their username and compare that name to
those I have in an XML table on the server.  If the name exists in the XML
table, and is still classified as Active, I then make a connection to my
database, and verify the password, along with obtaining other info I need
for access into different areas of our site.  Every time a new user is added
to the database, I run a script that updates my XML file on the server.  The
XML table is located in a different directory on our site than the actual
JSP/HTML pages, and has limited information.  Therefore, if someone did get
their hands on it, they still could not log into our site.

This allows me to do a "first verification" of the user, and then reject
the user if appropriate, without even opening a connection or pulling a
thread from the connection pool to my database.  I have one JSP that
verifies the user exists in the XML table, before either handing off the
user to another JSP for verification against the database, or redirection to
a login error page.

Celeste

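The two ideas in this thread, Celeste's cheap first check against a limited "active users" file before any database work and Tim's suggestion to fetch the stored credential with a parameterized query and compare it in the application rather than in the SQL text (the non-escaped-values problem Bob and Joe raised), as an added example that is not code from either poster. It is Python with an in-memory SQLite table standing in for the JSP/JDBC setup, the XML contents and the two accounts are constructed sample data, and the PBKDF2 hashing is an assumption about how the site stores passwords:

```python
import hashlib
import hmac
import os
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample data, not from the thread: a small "active users" XML
# table (the first-check file) and accounts for an in-memory SQLite users
# table standing in for the site's real database.
USERS_XML = """<users>
  <user name="joe" status="Active"/>
  <user name="o'brien" status="Active"/>
  <user name="bob" status="Inactive"/>
</users>"""
SAMPLE_ACCOUNTS = [("joe", "correct horse"), ("o'brien", "s3cret"), ("bob", "gone")]
PBKDF2_ITERATIONS = 100_000  # assumed hashing scheme, not stated in the thread


def hash_password(password, salt):
    """Salted PBKDF2-SHA256 so the table never holds a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def load_active_users(xml_text):
    """First check (the XML table): only usernames and a status flag, so a
    copy of the file on its own does not let anyone log in."""
    root = ET.fromstring(xml_text)
    return {u.get("name") for u in root.iter("user") if u.get("status") == "Active"}


def build_db(accounts):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, password in accounts:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def fetch_credentials_concat(conn, username):
    """The pattern flagged in the thread: the value is spliced into the SQL
    text, so any quote in it changes the statement (a legitimate username
    like o'brien already breaks the query)."""
    sql = "SELECT salt, pw_hash FROM users WHERE username='%s'" % username
    return conn.execute(sql).fetchone()


def fetch_credentials_param(conn, username):
    """Bound parameter: the driver passes the value separately from the SQL,
    so it is always treated as data, quotes included."""
    sql = "SELECT salt, pw_hash FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchone()


def login(conn, active_users, username, entered_password):
    """First check against the XML list, then the compare-outside-the-database step."""
    if username not in active_users:
        return False  # rejected before touching the connection pool
    row = fetch_credentials_param(conn, username)
    if row is None:
        return False
    salt, stored_hash = row
    # Compare in the application, not in the WHERE clause; constant-time so
    # the comparison itself leaks nothing about the stored hash.
    return hmac.compare_digest(hash_password(entered_password, salt), stored_hash)


if __name__ == "__main__":
    db = build_db(SAMPLE_ACCOUNTS)
    active = load_active_users(USERS_XML)
    print(login(db, active, "joe", "correct horse"))  # True
    print(login(db, active, "joe", "wrong"))          # False
    print(login(db, active, "bob", "gone"))           # False: not Active in the XML
    print(login(db, active, "o'brien", "s3cret"))     # True: the quote is just data
```

The two fetch functions differ only in how the username reaches the database; running both against the `o'brien` account shows why the thread objects to building the SQL string by hand, and `login` keeps the password out of the query entirely so the database only ever sees the username.
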
-----Original Message-----
From: Joe Cheng [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 11:33 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Celeste,

what's a "more secure" means?  now you've got me curious.

and Bob wasn't pointing out a loophole, just calling attention to the
non-escaped values in the SQL statement below.

-jmc

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
