Chris, you identified a possible sql injection in my code and declaring it a
very bad piece of code. Despite the fact that jdbc does not allow more than 1
query on this execute function and I am doing fields validation before
submission of the form.
Is there another genuine threat or bug that you identified and would like to
share? Please do, I am sharing the udac source code as well,
Wesley you comments are also welcome; somebody also asked that what will happen
in case udac.login throws an exception, well exception handling is inside this
class. Sorry but i missed that email so i am unable to name that gentleman
friend.
package org.mcb.services;
import java.text.*;
import java.util.*;
import java.sql.*;
import javax.servlet.http.HttpSession;
public class udac
{
static Connection currentCon = null;
static ResultSet rs = null;
public static userbean login(userbean bean) {
//preparing some objects for connection
Statement stmt = null;
String userid = bean.getUserId();
String password = bean.getPassword();
String epass = null;
String name = null;
String user_id = null;
String role_id = null;
String branch_code = null;
String last_login = null;
String role_desc = null;
try{
epass = passwordservices.getInstance().encrypt(password);
//passwordservices is a class which has functions to ecrypt a
string and return back the string.
}catch(Exception e){
System.out.println(e);
}
String searchQuery = "SELECT a.USER_ID,a.NAME, a.BRANCH_CODE,
a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC FROM LOGIN_INFORMATION a,
ROLES b WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('"+
userid
+ "') AND a.PASSWORD = '"+epass+"'";
try{
//connect to DB: connectionmanager is a class which contains
connection functions
currentCon = connectionmanager.scgm_conn();
stmt=currentCon.createStatement();
rs = stmt.executeQuery(searchQuery);
boolean hasdata=false;
while(rs.next()) {
hasdata=true;
name = rs.getString("NAME");
user_id = rs.getString("USER_ID");
branch_code = rs.getString("BRANCH_CODE");
role_id = rs.getString("ROLE_ID");
last_login = rs.getString("LAST_LOGIN_DATE");
role_desc = rs.getString("ROLE_DESC");
bean.setName(name);
bean.setUserId(user_id);
bean.setBranch(branch_code);
bean.setRole(role_id);
bean.setLastLogin(last_login);
bean.setRoleDesc(role_desc);
bean.setValid(true);
}
if(!hasdata) {
System.out.println("Sorry, you are not a registered user!
Please sign up first "+ searchQuery);
bean.setValid(false);
}
}catch (Exception ex){
System.out.println("Log In failed: An Exception has occurred! " +
ex);
}
//some exception handling
finally{
if (rs != null) {
try {
rs.close();
} catch (Exception e) {}
rs = null;
}
if (stmt != null) {
try {
stmt.close();
} catch (Exception e) {}
stmt = null;
}
if (currentCon != null) {
try {
currentCon.close();
} catch (Exception e) {
}
currentCon = null;
}
}
return bean;
}
}
ysk
-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Friday, August 20, 2010 3:43 AM
To: Tomcat Users List
Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Wesley,
On 8/19/2010 5:04 PM, Wesley Acheson wrote:
> Maybe its just be but I still don't see where uadc is declared or even
> imported.
...or even used.
I'm guessing that the bad code exists outside of this login servlet.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkxts1YACgkQ9CaO5/Lv0PBitwCeMXvEXLi1L9rnLmTVP4nofIGH
NkAAnj9DTqFLwLAYxb2MQuI6v6ckVcYm
=DR0I
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
