Malfunctioning of JSP application

Discussion in 'Java' started by Sameer, Feb 23, 2007.

  1. Sameer

    Sameer Guest

    A JSP application accepts a username and password from the user.
    Usernames and passwords are stored in an Oracle database.
    It connects to the database and validates the username using the password
    from the database.
    A user-id is also retrieved from the database and put in a
    session variable.
    session.putValue("m_use_id", new Integer(m_use_id));
    This user id is used for further operations in the application.

    Sometimes it happens that when a user logs into the application
    using his username and password, he gets logged in as the user
    having user-id = 1 automatically.

    I have checked the code of the application and found nothing wrong in the
    code that would explain this malfunction.
    Can session variable values be altered in memory, or is there any
    other reason for this malfunctioning?

    Any experiences like this?
    Any guesses for this malfunctioning?

    -Sameer
     
    Sameer, Feb 23, 2007
    #1

  2. impaler

    impaler Guest

    On Feb 23, 8:45 am, "Sameer" <> wrote:
    > A JSP application accepts username and password from user.
    > Username and Passwords are stored in a Oracle database.
    > It connects to the database and validated username using the passwords
    > from database.
    > A user-id is also retrieved from the database and it is being put in a
    > session variable.
    > session.putValue("m_use_id", new Integer(m_use_id));
    > This user id is being used for further operations in the application.
    >
    > Sometimes it happens that when the user logs into the application
    > using his username and password he get logged in as the username
    > having the user-id =1 automatically.
    >
    > I have checked the code of application and find nothing wrong with the
    > code for this malfunction.
    > Can session variable values are being altered in the memory or any
    > other reason for this malfunctioning?
    >
    > Any experiences like this?
    > Any guesses for this malfunctioning?
    >
    > -Sameer



    Some code would be helpful. My guess is that something in the code is
    wrong.
     
    impaler, Feb 23, 2007
    #2

  3. Sameer

    Sameer Guest

    On Feb 23, 2:59 pm, "impaler" <> wrote:
    > On Feb 23, 8:45 am, "Sameer" <> wrote:
    >
    >
    >
    > > A JSP application accepts username and password from user.
    > > Username and Passwords are stored in a Oracle database.
    > > It connects to the database and validated username using the passwords
    > > from database.
    > > A user-id is also retrieved from the database and it is being put in a
    > > session variable.
    > > session.putValue("m_use_id", new Integer(m_use_id));
    > > This user id is being used for further operations in the application.

    >
    > > Sometimes it happens that when the user logs into the application
    > > using his username and password he get logged in as the username
    > > having the user-id =1 automatically.

    >
    > > I have checked the code of application and find nothing wrong with the
    > > code for this malfunction.
    > > Can session variable values are being altered in the memory or any
    > > other reason for this malfunctioning?

    >
    > > Any experiences like this?
    > > Any guesses for this malfunctioning?

    >
    > > -Sameer

    >
    > Some code would be helpful. My guess is that something in the code is
    > wrong.


    Thanks for your post.
    Please see the Google Docs link for the code (mainmenu.jsp).

    http://docs.google.com/Doc?id=dhntd3vh_2gj2mgn

    Do revert back.

    Thanks in advance.

    -Sameer
     
    Sameer, Feb 24, 2007
    #3
  4. Lew

    Lew Guest

    "Sameer" wrote:
    >> A JSP application accepts username and password from user.
    >> Username and Passwords are stored in a Oracle database.
    >> It connects to the database and validated username using the passwords
    >> from database.
    >> A user-id is also retrieved from the database and it is being put in a
    >> session variable.
    >> session.putValue("m_use_id", new Integer(m_use_id));
    >> This user id is being used for further operations in the application.
    >>
    >> Sometimes it happens that when the user logs into the application
    >> using his username and password he get logged in as the username
    >> having the user-id =1 automatically.


    What does "user-id =1" mean?

    >> I have checked the code of application and find nothing wrong with the
    >> code for this malfunction.
    >> Can session variable values are being altered in the memory or any
    >> other reason for this malfunctioning?
    >>
    >> Any experiences like this?
    >> Any guesses for this malfunctioning?


    I.
    Problem number one: instance variables in a JSP.

    > <%!
    >
    > String mquery;
    > Statement stmt;
    > Connection con;
    > ResultSet rs;
    >
    > %>


    You rarely, if ever, should declare instance variables in a JSP. They can be
    shared between people in different sessions and they never know it.

    GIYF: Java thread safety.

    II.
    Problem number two: Fragile SQL statements that can be hacked using SQL
    injection, intentionally or accidentally. Someone could read your entire
    database with well-known hacks on code like

    > mquery = "select M_USE_ID, M_PRO_ID from M_USER
    > where M_USE_LOG='"+login+"' and M_USE_PAS='"+password+"'";


    All someone has to do is enter a login name of "a' OR 1=1 --" to get in.

    Tsk, tsk.

    III.
    Problem number three, but probably not related to the problem you are seeing:

    > System.out.println(mquery);


    System.out is the console. What do you call the "console" in a Web app? Far
    better to use logging calls.

    IV.
    Problem number four: So much scriptlet in a JSP! Write Java in .java files,
    not .jsp files. Write JSP in JSP files. This is related in the sense that it
    increases the likelihood of bugs like yours, and makes it much harder to fix them.

    - Lew
     
    Lew, Feb 24, 2007
    #4
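The two defects Lew calls out in points I and II are the ones a reviewer would want to see side by side: the `<%! ... %>` block makes `m_use_id` a field of the single servlet instance, so two overlapping logins can read each other's value (which is exactly how a login as one user can come back holding user-id 1), and the concatenated query lets the login field change the SQL. The program below is an added illustration written for this page, not code from the thread or from mainmenu.jsp. The first part reproduces the cross-talk with an in-memory stand-in for the database lookup (the names "sameer"/"admin" and the ids 42/1 are constructed test data); the second part is the parameterised replacement for the quoted query, which assumes the caller supplies a live `java.sql.Connection` from a DataSource.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

public class LoginDemo {

    /** Stand-in for the database lookup (constructed test data, not the thread's real rows). */
    static int lookupUserId(String login) {
        if (login.equals("admin")) return 1;
        if (login.equals("sameer")) return 42;
        return -1;
    }

    /** Mirrors a JSP <%! ... %> declaration block: the field belongs to the one servlet
     *  instance, so every concurrent request reads and writes the same m_use_id. */
    static class SharedFieldLogin {
        int m_use_id;

        int login(String user) {
            m_use_id = lookupUserId(user);
            Thread.yield();          // stands in for the JDBC round trip; another request may run here
            return m_use_id;         // may now hold the other request's value
        }
    }

    /** Fixed version: per-request state is a local variable, nothing is shared between threads. */
    static class LocalVariableLogin {
        int login(String user) {
            int useId = lookupUserId(user);
            Thread.yield();
            return useId;
        }
    }

    /** Runs many overlapping logins as "sameer" and "admin" and counts how often a "sameer"
     *  login came back with admin's id 1, the symptom described in the thread. */
    static int countCrossedLogins(Function<String, Integer> login, int rounds) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger crossed = new AtomicInteger();
        List<Future<?>> tasks = new ArrayList<>();
        for (int i = 0; i < rounds; i++) {
            tasks.add(pool.submit(() -> { if (login.apply("sameer") == 1) crossed.incrementAndGet(); }));
            tasks.add(pool.submit(() -> login.apply("admin")));
        }
        for (Future<?> f : tasks) f.get();
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);
        return crossed.get();
    }

    /** Parameterised replacement for the concatenated query quoted by Lew: login and password
     *  are bound as values, so a login of "a' OR 1=1 --" is compared literally, never parsed
     *  as SQL. Assumes the caller hands in a Connection obtained from a DataSource. */
    static Optional<Integer> findUserId(Connection con, String login, String password)
            throws SQLException {
        String sql = "select M_USE_ID, M_PRO_ID from M_USER where M_USE_LOG = ? and M_USE_PAS = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, login);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getInt("M_USE_ID")) : Optional.empty();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        SharedFieldLogin shared = new SharedFieldLogin();
        LocalVariableLogin local = new LocalVariableLogin();
        System.out.println("crossed logins with shared fields:   " + countCrossedLogins(shared::login, 20000));
        System.out.println("crossed logins with local variables: " + countCrossedLogins(local::login, 20000));
    }
}
```

Run it a few times: the shared-field count varies with scheduling but is regularly non-zero, while the local-variable count is always 0, which is why the fault looks intermittent and "not in the code" when read single-threaded. The returned `Optional` is what the request handler would then store with `session.setAttribute(...)` as a local, per-request value. Note that `findUserId` still compares the password column directly, as the original query does; storing and comparing password hashes instead is the further change a reviewer would ask for.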