Search code examples
javamysqljspservletsnetbeans-7

How to compare two input Strings from mysql database table record.?

This code has an insert record in mysql table, but I want to compare jsp/html textboxes String with mysql column which is already existed like a login. This is page to login

Two things I have know

  1. To change mysql query
  2. Compare input string with mysql column data How can I do this?

NewServlet.java

         public class NewServlet1 extends HttpServlet {
         protected void processRequest(HttpServletRequest request, HttpServletResponse response)
         throws ServletException, IOException {
         response.setContentType("text/html;charset=UTF-8");
         PrintWriter out = response.getWriter();

        String name=request.getParameter("username");
        String abc=request.getParameter("password");

        aaaa c1=new aaaa();

        try{

          String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";

          c1.st.executeUpdate(Sql);   
        }
         catch(SQLException ex)
         {

         out.println(ex);

         }

         try {

        out.println("<html>");
        out.println("<head>");
        out.println("<title>Servlet NewServlet1</title>");            
        out.println("</head>");
        out.println("<body>");
        out.println("<h1>Servlet NewServlet1 at " + request.getContextPath() + "</h1>");
        out.println("</body>");
        out.println("</html>");
    } finally {            
        out.close();
     }
   }

aaaa.java//comment this class is for database connection//

            public class aaaa {

            Connection c1 = null;
            Statement st = null;
            ResultSet rs = null;
            aaaa(){
            try {
            Class.forName("com.mysql.jdbc.Driver");
            c1 = (Connection) DriverManager.getConnection("jdbc:mysql://localhost:3306/teacher","root", "abcde");

            } 
            catch (Exception cnfe) {
               System.out.println("Couldn't find the driver!");
               System.out.println("Couldn't connect: print out a stack trace and exit.");
               System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
               }
            try {
                st = (Statement) c1.createStatement();
                System.out.println("Statement Created Successfully");
              } catch (SQLException se) {
                System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
                se.printStackTrace();
            }
            if (c1 != null) {
               System. out.println("Hooray! We connected to the database!");
            } else {
                System.out.println("We should never get here.");
             }
           }
        }
Solution

  • Your sql string code:

    String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";

    is vulnerable to sql injection. Suppose a user inputted something like a username that exists in your database followed by the comment character for the username, the application will authorize the user, so you are vulnerable. Some crazy hackers could even delete your login table with the same technique and your application will be down.

    **Remedy for sql injection: ** Use prepared statements to parse your inputs. See: How to use prepared statement for select query in Java?

    Now coming to the answer to your question, you can pass the user input to the query (with prepared statement) and check if a result exists from using the result set has next function (something like that!); if it does then authorize the user else do nothing.