Chris, you identified a possible sql injection in my code and declaring it a very bad piece of code. Despite the fact that jdbc does not allow more than 1 query on this execute function and I am doing fields validation before submission of the form.
Is there another genuine threat or bug that you identified and would like to share? Please do, I am sharing the udac source code as well, Wesley you comments are also welcome; somebody also asked that what will happen in case udac.login throws an exception, well exception handling is inside this class. Sorry but i missed that email so i am unable to name that gentleman friend. package org.mcb.services; import java.text.*; import java.util.*; import java.sql.*; import javax.servlet.http.HttpSession; public class udac { static Connection currentCon = null; static ResultSet rs = null; public static userbean login(userbean bean) { //preparing some objects for connection Statement stmt = null; String userid = bean.getUserId(); String password = bean.getPassword(); String epass = null; String name = null; String user_id = null; String role_id = null; String branch_code = null; String last_login = null; String role_desc = null; try{ epass = passwordservices.getInstance().encrypt(password); //passwordservices is a class which has functions to ecrypt a string and return back the string. }catch(Exception e){ System.out.println(e); } String searchQuery = "SELECT a.USER_ID,a.NAME, a.BRANCH_CODE, a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a, ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID "; searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('"+ userid + "') AND a.PASSWORD = '"+epass+"'"; try{ //connect to DB: connectionmanager is a class which contains connection functions currentCon = connectionmanager.scgm_conn(); stmt=currentCon.createStatement(); rs = stmt.executeQuery(searchQuery); boolean hasdata=false; while(rs.next()) { hasdata=true; name = rs.getString("NAME"); user_id = rs.getString("USER_ID"); branch_code = rs.getString("BRANCH_CODE"); role_id = rs.getString("ROLE_ID"); last_login = rs.getString("LAST_LOGIN_DATE"); role_desc = rs.getString("ROLE_DESC"); bean.setName(name); bean.setUserId(user_id); bean.setBranch(branch_code); bean.setRole(role_id); bean.setLastLogin(last_login); bean.setRoleDesc(role_desc); bean.setValid(true); } if(!hasdata) { System.out.println("Sorry, you are not a registered user! Please sign up first "+ searchQuery); bean.setValid(false); } }catch (Exception ex){ System.out.println("Log In failed: An Exception has occurred! " + ex); } //some exception handling finally{ if (rs != null) { try { rs.close(); } catch (Exception e) {} rs = null; } if (stmt != null) { try { stmt.close(); } catch (Exception e) {} stmt = null; } if (currentCon != null) { try { currentCon.close(); } catch (Exception e) { } currentCon = null; } } return bean; } } ysk -----Original Message----- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Friday, August 20, 2010 3:43 AM To: Tomcat Users List Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Wesley, On 8/19/2010 5:04 PM, Wesley Acheson wrote: > Maybe its just be but I still don't see where uadc is declared or even > imported. ...or even used. I'm guessing that the bad code exists outside of this login servlet. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkxts1YACgkQ9CaO5/Lv0PBitwCeMXvEXLi1L9rnLmTVP4nofIGH NkAAnj9DTqFLwLAYxb2MQuI6v6ckVcYm =DR0I -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org