Solved

Simple Login problem

Posted on 2003-11-14
Last Modified: 2010-04-01
Hi once again,

The problem regards the login page....

1 - When I enter a new ID and wrong password, the "Main.jsp" page appears

2 - When I enter a wrong ID and new password, the "Main.jsp" page appears

3 - When I enter both wrong ID and password, the "Main.jsp" page appears

4 - When I enter both new ID and password, the "Login.jsp?error=bad" page appears. Why is it so? Everything is going in reverse. If I enter a wrong ID or password, then the "Login.jsp?error=bad" page must appear.

What's the solution... ???

<%
  PreparedStatement ps = con.prepareStatement("select * from customer where loginid = '" + request.getParameter("uid") + "' and password = '" + request.getParameter("pwd") + "'");
  ResultSet rs1 = ps.executeQuery();

  while(rs1.next())
  {
    if(request.getParameter("uid")!=null && request.getParameter("pwd")!=null)
    {
      if(rs1.getString("loginid").equals(request.getParameter("uid")) && rs1.getString("password").equals("pwd"))
      {
        out.println("Hello");
      }else{
        response.sendRedirect("Login.jsp?error=bad");
      }
    }
  }
%>
Question by:adnan_rais

23 Comments

Expert Comment

by:JNic
ID: 9748369
I am not sure why it does it in reverse, but I see some issues that we can fix.

1) Are you sure that your db-table customer contains the fields "loginid" and "password" ?
2) You are double checking at the moment. First you do a search in your db where you only ask for results that contain the entered loginid and the entered password. Then on these results you run another test for the same thing.

What about just doing like this:
<%
  PreparedStatement ps = con.prepareStatement("select * from customer where loginid = '" + request.getParameter("uid") + "' and password = '" + request.getParameter("pwd") + "'");
  ResultSet rs1 = ps.executeQuery();
  if (rs1.next()) {  // Here you just say: "If there exists any customer with the entered loginid/password combination then..."
    System.out.println("hello");
  }
  else {
    response.sendRedirect("Login.jsp?error=bad");
  }
%>

Let me know, if it works :-)

Regards,

Nic
Expert Comment

by:jimmack
ID: 9748835
You say that you get the error when you enter a "new" login and password.  This implies that the record should not appear in the database.

JNic's solution should be used if you are attempting to identify if the uid and pwd already exist (though you might want to add the test for nulls):

<%
  if(request.getParameter("uid")!=null && request.getParameter("pwd")!=null)
  {
      // Include JNic's solution here
  }
  else
  {
    response.sendRedirect("Login.jsp?error=bad");
  }
%>

However, the way your question is worded implies that you want Main.jsp to appear only if a new uid/password combination is entered.  Is that what you actually want?

Perhaps I can clarify that last question.

When you say "When I enter both new ID and password", do you mean that the ID and password are already in the database or not?
Expert Comment

by:TimYates
ID: 9748987
And

if(rs1.getString("loginid").equals(request.getParameter("uid")) && rs1.getString("password").equals("pwd"))

should be:

if(rs1.getString("loginid").equals(request.getParameter("uid")) && rs1.getString("password").equals(request.getParameter("pwd")))
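Added example, not code from the thread: the login check with the three fixes above combined, that is one existence test instead of a query followed by a re-check (JNic), the password taken from the request rather than the literal "pwd" (TimYates), null parameters rejected first (jimmack), and the values bound with ? placeholders instead of being spliced into the SQL text, which is what makes a PreparedStatement safe. Python with sqlite3 stands in for the JSP/JDBC code; make_db, login_ok, handle_login and the sample rows are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the 'customer' table the question's page reads."""
    con = sqlite3.connect(":memory:")
    con.execute("create table customer (loginid text primary key, password text)")
    con.executemany("insert into customer values (?, ?)",
                    [("adnan", "secret1"), ("o'brien", "pw2")])
    return con


def login_ok_concat(con, uid, pwd):
    """The question's pattern: request values glued into the SQL text.
    Kept only to contrast with login_ok(): a quote in the input (a perfectly
    legal login id such as o'brien) turns into a SQL syntax error, and the
    statement's meaning depends on whatever text the user typed."""
    sql = ("select * from customer where loginid = '" + uid +
           "' and password = '" + pwd + "'")
    return con.execute(sql).fetchone() is not None


def login_ok(con, uid, pwd):
    """JNic's single 'if (rs1.next())' test, with '?' placeholders so the
    driver binds uid and pwd as values. Missing parameters (jimmack's null
    check) fail before any query runs.
    The thread stores and compares passwords in clear text; a real system
    would compare a salted hash instead, which is outside this example."""
    if uid is None or pwd is None:
        return False
    row = con.execute(
        "select 1 from customer where loginid = ? and password = ?",
        (uid, pwd)).fetchone()
    return row is not None


def concat_query_breaks(con, uid, pwd):
    """True when the concatenated form raises instead of answering."""
    try:
        login_ok_concat(con, uid, pwd)
        return False
    except sqlite3.Error:
        return True


def handle_login(con, uid, pwd):
    """The page's two outcomes: the greeting, or the redirect target."""
    return "Hello" if login_ok(con, uid, pwd) else "Login.jsp?error=bad"
```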
Expert Comment

by:jimmack
ID: 9749172
Haha.  Missed that one ;-)
Expert Comment

by:TimYates
ID: 9749243
hee hee...

20 points doesn't split 3 ways either ;-)

I just couldn't resist :-)
Expert Comment

by:JNic
ID: 9749423
Good find! - Missed it too... ;-/
Author Comment

by:adnan_rais
ID: 9751047
JNic, your idea worked out, but look at another big problem... the same problem that occurred in my last question.....

According to the following code

1 - if I enter a wrong Transferring Account no but an existing Account no, the page works correctly by moving to Transfer.jsp with an error message

2 - If I enter a wrong Account no but an existing Transferring Account no, the page once again works correctly by moving to Transfer.jsp with an error message

   but the main problem is that in case 2, it also updates the 'balance' field of the Transferring Account owner.... Although it shouldn't do that..... Why is it so? Reply to me immediately please......

JNic, jimmack.... please sort out the solution
I'm waiting for your replies desperately

<%
  PreparedStatement ps = con.prepareStatement("select * from account where account_no = " + request.getParameter("acc_no") + " and loginid = '" + session.getAttribute("userID") + "'");
  ResultSet rs = ps.executeQuery();

  boolean insertTo = true;
  if(rs.next())
  {
    insertTo = true;
  }else{
    insertTo = false;
    response.sendRedirect("Transfer.jsp?error=bad&acc_no=" + request.getParameter("acc_no") + "&trans_acc_no=" + request.getParameter("trans_acc_no") + "&amt=" + request.getParameter("amt") + "&bank=" + request.getParameter("bank") + "");
  }

  PreparedStatement ps1 = con.prepareStatement("select * from account where account_no = " + request.getParameter("trans_acc_no") + " and branch_code = " + request.getParameter("bank") + "");
  ResultSet rs1 = ps1.executeQuery();

  if(rs1.next())
  {
    insertTo = true;
  }else{
    insertTo = false;
    response.sendRedirect("Transfer.jsp?ac=bad&acc_no=" + request.getParameter("acc_no") + "&trans_acc_no=" + request.getParameter("trans_acc_no") + "&amt=" + request.getParameter("amt") + "&bank=" + request.getParameter("bank") + "");
  }

  PreparedStatement ps2 = con.prepareStatement("select * from account where account_no = " + request.getParameter("acc_no") + " and loginid = '" + session.getAttribute("userID") + "'");
  ResultSet rs3 = ps2.executeQuery();

  int bal=0;
  while(rs3.next())
  {
    bal = rs3.getInt("balance");
    bal = bal - 2000;
    if(bal < Integer.parseInt(request.getParameter("amt")))
    {
      insertTo = false;
      out.println("<br><br>Hello " + session.getAttribute("userID") + "!");
      out.println("<br><br><br><br><font color=blue face=verdana size=3><b>Your balance is not sufficient to transfer the amount of " + request.getParameter("amt") + " /- Rs</b></font>");
    }
  }

    if(insertTo){
      int trans_bal=0;
      int bal1=0;
      int bal2 = 0;
      PreparedStatement ps3 = con.prepareStatement("select * from account where account_no = " + request.getParameter("trans_acc_no") + " and branch_code = " + request.getParameter("bank") + "");
      ResultSet rs4 = ps3.executeQuery();

      while(rs4.next())
      {
        insertTo = false;
        bal1 = rs4.getInt("balance");
      }
      trans_bal = bal1 + Integer.parseInt(request.getParameter("amt"));
      out.println("trans_add_bal: " + trans_bal);

      int remainingBal = 0;
      out.println("bal: " + (bal+2000));
      remainingBal = (bal+2000) - Integer.parseInt(request.getParameter("amt"));
      out.println("rem_bal: " + remainingBal);
      out.println("trans_bal: " + bal1);
      out.println("<br><br>Hello " + session.getAttribute("userID") + "!<br>");
      out.println("<br><br><br><br><font color=blue face=verdana size=3><b>Money transferred successfully</b></font><br>");
      out.println("<br><br>User Balance Before Transfer = <b>" + (bal+2000) + " /- Rs</b>");
      out.println("<br>Transferring Money = <b>" + request.getParameter("amt") + " /- Rs</b>");
      out.println("<br>Your remaining balance after Transferring Money = <b>" + (remainingBal) + " /- Rs</b>");

      Statement statement = con.createStatement();
      String strSQL = "Update account set balance = " + remainingBal + " where account_no = " + request.getParameter("acc_no") + " and loginid = '" + session.getAttribute("userID") + "'";
      statement.executeUpdate(strSQL);
      statement.close();

      Statement statement2 = con.createStatement();
      String strSQL1 = "Update account set balance = " + trans_bal + " where account_no = " + request.getParameter("trans_acc_no") + " and branch_code = " + request.getParameter("bank") + "";
      statement2.executeUpdate(strSQL1);
      statement2.close();
    }
%>
Expert Comment

by:JNic
ID: 9751308
In the very beginning (line four):

Change :  boolean insertTo = true;

to: boolean insertTo=false;

I think that is it. Otherwise let us know. - Btw. 20 points is certainly hard earned these days! ;-)

Regards,

Nic
Author Comment

by:adnan_rais
ID: 9751364
It still did the same, i.e., updated the 'balance' field of the Transferring Account No by adding the amount when the error for "Account No doesn't exist" appears in Transfer.jsp.... It is doing double action, adding to the 'balance' field of the Transferring Account No when almost all data is entered properly and when the account matching error occurs... What to do?
Author Comment

by:adnan_rais
ID: 9751477
Did you guys find any solution? Please do reply, as it's urgent.
Expert Comment

by:jimmack
ID: 9751552
You're using:

while (rs3.next()) again instead of an if.  I don't think the loop is necessary and may be causing problems.

Similarly you have while(rs4.next())

Also, within the while(rs4.next()) loop, you set insertTo to false, but it is not tested again after that.

Your prepared statements ps and ps2 are the same.

I'm working on restructuring the code.  Expect it within the next 10 minutes.  Make a backup of your existing code now, just in case the new version contains mistakes!

Assisted Solution

by:jimmack
jimmack earned 20 total points
ID: 9751583
Ok, replace the code you've shown above with the following.  It's now all in nested "if"s, which isn't particularly nice to look at, but I think the logic flows a bit better.

With the size of this code, you should give serious consideration to creating some separate methods to do some of these bits.

Remember.  I told you to back up your existing code before replacing it with the following!

<%
        PreparedStatement ps = con.prepareStatement("select * from account where account_no = " +
                request.getParameter("acc_no") +
                " and loginid = '" +
                session.getAttribute("userID") +
                "'");
               
        PreparedStatement ps1 = con.prepareStatement("select * from account where account_no = " +
                request.getParameter("trans_acc_no") +
                " and branch_code = " +
                request.getParameter("bank") +
                "");

        ResultSet rs = ps.executeQuery();

        if (rs.next())  // Valid user found in database
        {
            ResultSet rs1 = ps1.executeQuery();
   
            if (rs1.next())  // Transaction account found
            {
                ResultSet rs3 = ps.executeQuery();
       
                int bal = 0;
                if (rs3.next())  // Valid user found (again!) in database
                {
                    bal = rs3.getInt("balance");
                    bal = bal - 2000;
                    if (bal < Integer.parseInt(request.getParameter("amt")))  // Not enough balance for transfer
                    {
                        out.println("<br><br>Hello " + session.getAttribute("userID") + "!");
                        out.println("<br><br><br><br><font color=blue face=verdana size=3><b>Your balance is not sufficient to transfer the amount of " +
                                request.getParameter("amt") +
                                " /- Rs</b></font>");
                    }
                    else // Balance contains enough for transfer
                    {
                        int trans_bal = 0;
                        int bal1 = 0;
                        int bal2 = 0;
                        ResultSet rs4 = ps1.executeQuery();
           
                        if(rs4.next())  // Transaction account details found (again!)
                        {
                            bal1 = rs4.getInt("balance");
                            trans_bal = bal1 + Integer.parseInt(request.getParameter("amt"));
                            out.println("trans_add_bal: " + trans_bal);
               
                            int remainingBal = 0;
                            out.println("bal: " + (bal + 2000));
                            remainingBal = (bal + 2000) - Integer.parseInt(request.getParameter("amt"));
                            out.println("rem_bal: " + remainingBal);
                            out.println("trans_bal: " + bal1);
                            out.println("<br><br>Hello " + session.getAttribute("userID") + "!<br>");
                            out.println("<br><br><br><br><font color=blue face=verdana size=3><b>Money transferred successfully</b></font><br>");
                            out.println("<br><br>User Balance Before Transfer = <b>" + (bal + 2000) + " /- Rs</b>");
                            out.println("<br>Transferring Money = <b>" + request.getParameter("amt") + " /- Rs</b>");
                            out.println("<br>Your remaining balance after Transferring Money = <b>" + (remainingBal) + " /- Rs</b>");
               
                            Statement statement = con.createStatement();
                            String strSQL = "Update account set balance = " + remainingBal + " where account_no = " + request.getParameter("acc_no") + " and loginid = '" + session.getAttribute("userID") + "'";
                            statement.executeUpdate(strSQL);
                            statement.close();
               
                            Statement statement2 = con.createStatement();
                            String strSQL1 = "Update account set balance = " + trans_bal + " where account_no = " + request.getParameter("trans_acc_no") + " and branch_code = " + request.getParameter("bank") + "";
                            statement2.executeUpdate(strSQL1);
                            statement2.close();
                        }
                    }
                }
            }
            else
            {
                response.sendRedirect("Transfer.jsp?ac=bad&acc_no=" +
                        request.getParameter("acc_no") +
                        "&trans_acc_no=" +
                        request.getParameter("trans_acc_no") +
                        "&amt=" +
                        request.getParameter("amt") +
                        "&bank=" +
                        request.getParameter("bank") +
                        "");
            }
        }
        else
        {
            response.sendRedirect("Transfer.jsp?error=bad&acc_no=" +
                    request.getParameter("acc_no") +
                    "&trans_acc_no=" +
                    request.getParameter("trans_acc_no") +
                    "&amt=" + request.getParameter("amt") +
                    "&bank=" + request.getParameter("bank") +
                    "");
        }
%>
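Added example, not jimmack's or the thread's code: the transfer page's logic with every failed check returning immediately, which is the root of the "double action" above (response.sendRedirect() sets the redirect but does not stop the rest of the page, so the later update still ran); the two balance updates run in one transaction, the debit re-checks the 2000 reserve in SQL, and all request values are bound as parameters. Python with sqlite3 stands in for the JSP; make_db, balances, transfer, the sample rows and the "amt=bad" redirect target are constructed for this example, the other targets and messages follow the page.

```python
import sqlite3

RESERVE = 2000  # the page's "bal = bal - 2000": this much must stay in the account


def make_db() -> sqlite3.Connection:
    """Constructed sample data shaped like the page's 'account' table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table account (account_no integer primary key, "
                "branch_code integer, loginid text, balance integer)")
    con.executemany("insert into account values (?, ?, ?, ?)",
                    [(1, 10, "adnan", 5000), (2, 10, "other", 100), (3, 20, "third", 0)])
    return con


def balances(con):
    """Snapshot used to confirm that a failed transfer changes nothing."""
    return dict(con.execute("select account_no, balance from account"))


def transfer(con, user_id, acc_no, trans_acc_no, bank, amt):
    """Returns the page the JSP would redirect to, or its on-page message.
    Each failed check returns at once, so the update code at the bottom can
    never run after an error has been chosen (the original fell through)."""
    # 1. the source account must exist and belong to the logged-in user
    src = con.execute(
        "select balance from account where account_no = ? and loginid = ?",
        (acc_no, user_id)).fetchone()
    if src is None:
        return "Transfer.jsp?error=bad"
    # 2. the destination account must exist at the given branch
    dst = con.execute(
        "select 1 from account where account_no = ? and branch_code = ?",
        (trans_acc_no, bank)).fetchone()
    if dst is None:
        return "Transfer.jsp?ac=bad"
    # 3. the amount is request text; the page's Integer.parseInt would throw on
    #    junk, so reject it explicitly (this redirect target is assumed, not the page's)
    try:
        amount = int(amt)
    except (TypeError, ValueError):
        return "Transfer.jsp?amt=bad"
    if amount <= 0 or src[0] - RESERVE < amount:
        return f"Your balance is not sufficient to transfer the amount of {amount} /- Rs"
    # 4. both updates in one transaction: 'with con' commits on success and
    #    rolls back if anything raises, so the two balances cannot go out of step.
    #    The debit re-checks the reserve in SQL instead of trusting the value read above.
    try:
        with con:
            debit = con.execute(
                "update account set balance = balance - ? "
                "where account_no = ? and loginid = ? and balance - ? >= ?",
                (amount, acc_no, user_id, amount, RESERVE))
            if debit.rowcount != 1:
                raise sqlite3.IntegrityError("balance changed between check and update")
            con.execute(
                "update account set balance = balance + ? "
                "where account_no = ? and branch_code = ?",
                (amount, trans_acc_no, bank))
    except sqlite3.Error:
        return "Transfer.jsp?error=bad"
    return "Money transferred successfully"
```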
Author Comment

by:adnan_rais
ID: 9751584
ok
Author Comment

by:adnan_rais
ID: 9751596
just wait
Expert Comment

by:jimmack
ID: 9751603
I can't believe I'm doing all this for just 20 points (JNic too) ;-)
Author Comment

by:adnan_rais
ID: 9751651
Thanks, your code worked
Expert Comment

by:jimmack
ID: 9751688
Have you got 20 points to spare so that you can increase the points to 40 and split it between JNic and myself?
Accepted Solution

by:JNic
JNic earned 20 total points
ID: 9752076
Thanks jimmack :-)

Adnan_rais, if I may, I will give you a few pieces of advice:

1) You should be careful not to work with too large parts of code that you don't understand fully. This is a mistake I have often made myself, and the result is very often that it is hard to ask the right questions.
Instead of just replacing your code with complete solutions, try to be harder on yourself and really make sure that you can justify every part of the code.

2) If you know that your code is going a certain place (e.g. to your response.sendRedirects) but do not understand why it behaves in a certain manner, it helps to print out as much debugging as you can. E.g. print out the relevant db-reads, the relevant request-parameter-reads, print out results of branches in the code.

Here's a small example of what you could do if you are in trouble (it's just a random snip of jimmack's code):

if (rs.next())  // Valid user found in database
        {
            System.out.println("Valid user found");  // added by Nic
            ResultSet rs1 = ps1.executeQuery();
   
            if (rs1.next())  // Transaction account found
            {
                System.out.println("Transaction account found"); // added by Nic
                ResultSet rs3 = ps.executeQuery();
       
                int bal = 0;
                if (rs3.next())  // Valid user found (again!) in database
                {
                    System.out.println("Valid user found - yes again"); // added by Nic
                    bal = rs3.getInt("balance");

And so on....

3) make good comments (like jimmack did) in the code. It helps you to remember what happens.

4) NEVER feel ashamed of asking questions. - We all have holes in our knowledge! (Maybe except kennethxu ;-D)

Good luck in your future work!

Regards,

Nic
Author Comment

by:adnan_rais
ID: 9756561
Just one more little problem to ask about.....

In the database, the 'trans_date' field (datatype is Date/Time) contains the following dates for the 'account_no' 3....

11/15/03
11/15/03
11/15/03
11/16/03
11/17/03
11/18/03

If I enter 11/15/03 as start date and 11/20/03 as end date.... the program doesn't go to the next page but redirects to Transaction.jsp with an error showing "End Date is incorrect".... I'm sorry for posting the code once again..... JNic, thanks for your suggestions, but what should I do if I can't get it then?

//TransAct.jsp
<%
  String sdate = request.getParameter("month") + "/" + request.getParameter("day") + "/" + request.getParameter("year");
  String edate = request.getParameter("month1") + "/" + request.getParameter("day1") + "/" + request.getParameter("year1");

  out.println(sdate + "<br>" + edate);
  PreparedStatement ps = con.prepareStatement("select * from transaction1 where account_no = " + request.getParameter("acc_no") + " and trans_date >= " + sdate + "");

  PreparedStatement ps1 = con.prepareStatement("select * from transaction1 where account_no = " + request.getParameter("acc_no") + " and trans_date <= " + edate + "");

  PreparedStatement ps2 = con.prepareStatement("select * from account where account_no = " + request.getParameter("acc_no") + " and loginid = '" + session.getAttribute("userID") + "'");

  PreparedStatement ps3 = con.prepareStatement("select * from transaction1 where account_no = " + request.getParameter("acc_no") + " and trans_date >= " + sdate + " and trans_date <= " + edate + "");

  ResultSet rs = ps.executeQuery();
  if(rs.next())
  {
    ResultSet rs1 = ps1.executeQuery();
    if(rs1.next())
    {
      ResultSet rs2 = ps2.executeQuery();
      if(rs2.next())
      {
        ResultSet rs3 = ps3.executeQuery();

        if(rs3.next())
        {
          out.println("<tr bgcolor=whitesmoke>");
          out.println("<td align=right>" + rs3.getInt("transaction_id") + "</td>");
          out.println("<td>" + rs3.getDate("trans_date") + "</td>");
          out.println("<td align=right>" + rs3.getInt("debit") + "</td>");
          out.println("<td align=right>" + rs3.getInt("credit") + "</td>");
          out.println("<td align=right>" + rs3.getInt("transaction_account_no") + "</td>");
          out.println("</tr>");
        }
      }else{
        response.sendRedirect("Transaction.jsp?login=bad&month=" + request.getParameter("month") + "&day=" + request.getParameter("day") + "&year=" + request.getParameter("year") + "&month1=" + request.getParameter("month1") + "&day1=" + request.getParameter("day1") + "&year1=" + request.getParameter("year1") + "&acc_no=" + request.getParameter("acc_no") + "");
      }
    }else{
      response.sendRedirect("Transaction.jsp?edate=bad&month=" + request.getParameter("month") + "&day=" + request.getParameter("day") + "&year=" + request.getParameter("year") + "&month1=" + request.getParameter("month1") + "&day1=" + request.getParameter("day1") + "&year1=" + request.getParameter("year1") + "&acc_no=" + request.getParameter("acc_no") + "");
    }
  }else{
    response.sendRedirect("Transaction.jsp?sdate=bad&month=" + request.getParameter("month") + "&day=" + request.getParameter("day") + "&year=" + request.getParameter("year") + "&month1=" + request.getParameter("month1") + "&day1=" + request.getParameter("day1") + "&year1=" + request.getParameter("year1") + "&acc_no=" + request.getParameter("acc_no") + "");
  }
%>

//Here is the error catching code in Transaction.jsp
<%
  String err = request.getParameter("login");
  String err1 = request.getParameter("edate");
  String err2 = request.getParameter("sdate");
  if( err != null )
  {
    out.println("<tr><td align=middle colspan=2><b><font color=red size=3>Account # doesn't exist</font></b></td></tr>");
  }else if( err1 != null )
  {
    out.println("<tr><td align=middle colspan=2><b><font color=red size=3>End Date is incorrect</font></b></td></tr>");
   }else if( err2 != null )
  {
    out.println("<tr><td align=middle colspan=2><b><font color=red size=3>Start Date is incorrect</font></b></td></tr>");
  }
%>

Do let me know what to do, and sorry for disturbing you so many more times
Author Comment

by:adnan_rais
ID: 9756594
If I enter a wrong account no, then the "Start Date is incorrect" error is displayed, although the account_no error must be shown
Expert Comment

by:jimmack
ID: 9756799
adnan_rais, I'm sorry, but I think that JNic and I have already done more than enough for your original question.  This one should definitely be posted as a different question.
Expert Comment

by:JNic
ID: 9756847
I have to say that I agree with jimmack....  
Note the question guidelines (for ONE question):

This question is urgent or extremely difficult (500 points)
This question is important or difficult (250 points)
This question is not important and moderately difficult (125 points)
This question is not important and easy (50 points)

Expert Comment

by:jimmack
ID: 9757020
Thanks ;-)