Malfunctioning of JSP application

 
 
Sameer
      02-23-2007
A JSP application accepts a username and password from the user.
Usernames and passwords are stored in an Oracle database.
It connects to the database and validates the username using the passwords
from the database.
A user-id is also retrieved from the database and put in a
session variable.
session.putValue("m_use_id", new Integer(m_use_id));
This user id is used for further operations in the application.

Sometimes it happens that when the user logs into the application
using his username and password he gets logged in as the user
having the user-id =1 automatically.

I have checked the code of the application and found nothing wrong with the
code for this malfunction.
Can session variable values be altered in memory, or is there any
other reason for this malfunctioning?

Any experiences like this?
Any guesses for this malfunctioning?

-Sameer

 
impaler
      02-23-2007
On Feb 23, 8:45 am, "Sameer" <(E-Mail Removed)> wrote:
> A JSP application accepts username and password from user.
> Username and Passwords are stored in a Oracle database.
> It connects to the database and validated username using the passwords
> from database.
> A user-id is also retrieved from the database and it is being put in a
> session variable.
> session.putValue("m_use_id", new Integer(m_use_id));
> This user id is being used for further operations in the application.
>
> Sometimes it happens that when the user logs into the application
> using his username and password he get logged in as the username
> having the user-id =1 automatically.
>
> I have checked the code of application and find nothing wrong with the
> code for this malfunction.
> Can session variable values are being altered in the memory or any
> other reason for this malfunctioning?
>
> Any experiences like this?
> Any guesses for this malfunctioning?
>
> -Sameer



Some code would be helpful. My guess is that something in the code is
wrong.

 
Sameer
      02-24-2007
On Feb 23, 2:59 pm, "impaler" <(E-Mail Removed)> wrote:
> On Feb 23, 8:45 am, "Sameer" <(E-Mail Removed)> wrote:
>
> > A JSP application accepts username and password from user.
> > Username and Passwords are stored in a Oracle database.
> > It connects to the database and validated username using the passwords
> > from database.
> > A user-id is also retrieved from the database and it is being put in a
> > session variable.
> > session.putValue("m_use_id", new Integer(m_use_id));
> > This user id is being used for further operations in the application.
> >
> > Sometimes it happens that when the user logs into the application
> > using his username and password he get logged in as the username
> > having the user-id =1 automatically.
> >
> > I have checked the code of application and find nothing wrong with the
> > code for this malfunction.
> > Can session variable values are being altered in the memory or any
> > other reason for this malfunctioning?
> >
> > Any experiences like this?
> > Any guesses for this malfunctioning?
> >
> > -Sameer
>
> Some code would be helpful. My guess is that something in the code is
> wrong.


Thanks for your post.
Please see the google docs for the code (mainmenu.jsp).

http://docs.google.com/Doc?id=dhntd3vh_2gj2mgn

Do revert back.

Thanks in advance.

-Sameer


 
Lew
      02-24-2007
"Sameer" wrote:
>> A JSP application accepts username and password from user.
>> Username and Passwords are stored in a Oracle database.
>> It connects to the database and validated username using the passwords
>> from database.
>> A user-id is also retrieved from the database and it is being put in a
>> session variable.
>> session.putValue("m_use_id", new Integer(m_use_id));
>> This user id is being used for further operations in the application.
>>
>> Sometimes it happens that when the user logs into the application
>> using his username and password he get logged in as the username
>> having the user-id =1 automatically.


What does "user-id =1" mean?

>> I have checked the code of application and find nothing wrong with the
>> code for this malfunction.
>> Can session variable values are being altered in the memory or any
>> other reason for this malfunctioning?
>>
>> Any experiences like this?
>> Any guesses for this malfunctioning?


I.
Problem number one: instance variables in a JSP.

> <%!
>
> String mquery;
> Statement stmt;
> Connection con;
> ResultSet rs;
>
> %>


You rarely, if ever, should declare instance variables in a JSP. They can be
shared between people in different sessions and they never know it.

GIYF: Java thread safety.

II.
Problem number two: Fragile SQL statements that can be hacked using SQL
injection, intentionally or accidentally. Someone could read your entire
database with well-known hacks on code like

> mquery = "select M_USE_ID, M_PRO_ID from M_USER
> where M_USE_LOG='"+login+"' and M_USE_PAS='"+password+"'";


All someone has to do is enter a login name of "a' OR 1=1 --" to get in.

Tsk, tsk.

III.
Problem number three, but probably not related to the problem you are seeing:

> System.out.println(mquery);


System.out is the console. What do you call the "console" in a Web app? Far
better to use logging calls.

IV.
Problem number four: So much scriptlet in a JSP! Write Java in .java files,
not .jsp files. Write JSP in JSP files. This is related in the sense that it
increases the likelihood of bugs like yours, and makes it much harder to fix them.

- Lew
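
Added example, not part of Lew's post or of mainmenu.jsp: a plain-Java model of the sharing described under problem one. A `<%! %>` declaration becomes a field of the single servlet object the container creates for the JSP, so two concurrent logins write to the same variable; the class, method and login names and the two-row user table are constructed for the illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CyclicBarrier;

public class SharedFieldDemo {
    // Constructed stand-in for the M_USER lookup (login -> M_USE_ID).
    static final Map<String, Integer> USERS = Map.of("admin", 1, "alice", 42);

    // Equivalent of a <%! ... %> declaration: one field for every request thread.
    // volatile only makes the outcome repeatable; it does not make sharing safe.
    private volatile Integer sharedUserId;
    // Holds each request until both have finished their "query".
    private final CyclicBarrier bothQueried = new CyclicBarrier(2);

    // Unsafe: the result sits in the shared field until it is copied to the session.
    Integer loginUnsafe(String login) throws Exception {
        sharedUserId = USERS.get(login);
        bothQueried.await();
        return sharedUserId; // whichever request wrote last
    }

    // Safe: the result stays in a local variable, private to this request.
    Integer loginSafe(String login) throws Exception {
        Integer userId = USERS.get(login);
        bothQueried.await();
        return userId;
    }

    interface Login { Integer apply(String login) throws Exception; }

    // Runs both logins concurrently; returns the id each "session" ended up with.
    static Map<String, Integer> run(Login page) throws Exception {
        Map<String, Integer> sessions = new ConcurrentHashMap<>();
        Thread[] requests = new Thread[2];
        String[] logins = {"admin", "alice"};
        for (int i = 0; i < 2; i++) {
            String login = logins[i];
            requests[i] = new Thread(() -> {
                try { sessions.put(login, page.apply(login)); }
                catch (Exception e) { throw new RuntimeException(e); }
            });
            requests[i].start();
        }
        for (Thread t : requests) t.join();
        return sessions;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("field: " + run(new SharedFieldDemo()::loginUnsafe));
        System.out.println("local: " + run(new SharedFieldDemo()::loginSafe));
    }
}
```

With the field, both sessions come back holding the same id, that of whichever request wrote last; with the local variable each login keeps its own.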
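
Added example, not part of Lew's post or of mainmenu.jsp: the query quoted under problem two, once as the page builds it and once with bound parameters. The class and method names are hypothetical, and `findUserId` assumes the caller supplies an open JDBC `Connection`; `main` only prints the two statement texts and needs no database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.OptionalInt;

public class LoginLookup {
    // The page's query text, as built by concatenation (kept as the 'before').
    static String concatenated(String login, String password) {
        return "select M_USE_ID, M_PRO_ID from M_USER where M_USE_LOG='" + login
             + "' and M_USE_PAS='" + password + "'";
    }

    // Fixed statement text: the inputs travel as bound values, never as SQL.
    static final String BOUND =
        "select M_USE_ID, M_PRO_ID from M_USER where M_USE_LOG = ? and M_USE_PAS = ?";

    // Returns the matching M_USE_ID, or empty when no row matches. Statement and
    // result set are locals closed by try-with-resources, not JSP instance fields.
    static OptionalInt findUserId(Connection con, String login, String password)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(BOUND)) {
            ps.setString(1, login);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? OptionalInt.of(rs.getInt("M_USE_ID"))
                                 : OptionalInt.empty();
            }
        }
    }

    public static void main(String[] args) {
        // Lew's sample login changes the statement itself when concatenated...
        System.out.println(concatenated("a' OR 1=1 --", "x"));
        // ...while the bound form is the same text for every input.
        System.out.println(BOUND);
    }
}
```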
 