Monday, March 28, 2016

Login validation for paid and unpaid users, with SQL injection prevention (the user lookup must use a PreparedStatement with a bound parameter; SQL built by string concatenation is still injectable, and calling String.matches() on the password does nothing to prevent injection):

HTML page (login form, posts to login.jsp):

<html>
  <body>
    <!-- Login form. The browser enforces both fields (required) and the
         email format of the user name; credentials are POSTed to login.jsp.
         NOTE(review): serve this page and login.jsp over HTTPS only, and
         there is no anti-CSRF token on the form - add one if the server
         side can issue/verify it. -->
    <form method="post" action="login.jsp">
      <label>User:</label>
      <input name="uname" type="email" required><br>
      <label>Password:</label>
      <input name="pass" type="password" required><br>

      <button type="submit">Login</button>
    </form>
  </body>
</html>

JSP for login (login.jsp):


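<%@ page import="java.sql.*, java.security.MessageDigest, java.nio.charset.StandardCharsets"%>
<%--
  login.jsp - handles the POST from the login form.

  Reads uname/pass, looks the user up with a PreparedStatement (the bound
  parameter is what actually stops SQL injection; the original concatenated
  the name into the SQL text and relied on String.matches() for the
  password, which has nothing to do with injection), compares the submitted
  password in constant time, regenerates the session, and forwards "paid"
  users to paiduser.jsp and everyone else to unpaiduser.jsp.

  NOTE(review): column 2 of the users table is compared directly against the
  submitted password, i.e. passwords are stored in clear text. They should be
  stored as salted hashes (bcrypt/scrypt/argon2) and verified against the hash
  here instead; that change needs the table and the registration code too.
--%>
<%
    String name = request.getParameter("uname"); // user name from the form
    String pass = request.getParameter("pass");  // password from the form

    // Reject missing/blank input before touching the database. The original
    // test (name==null && pass==null && name=="" && pass=="") can never be
    // true, so empty fields always fell through to the query.
    if (name == null || pass == null || name.isEmpty() || pass.isEmpty()) {
        out.println("please fill all fields");
        return;
    }

    Connection con = null;
    PreparedStatement ps = null;
    ResultSet rs = null;
    // '?' is a bound parameter: quotes, comments or OR clauses in the
    // submitted name are data, not SQL. Column positions 1, 2 and 9
    // (user name, password, paid flag) are as used in the original
    // listing - confirm them against the real schema.
    String sql = "select * from users where users = ?";
    try {
        // JDBC-ODBC bridge for MS Access; removed in Java 8, so substitute
        // the driver for your database.
        Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
        con = DriverManager.getConnection("jdbc:odbc:DB_Name"); // was getconnection (does not compile)
        ps = con.prepareStatement(sql);
        ps.setString(1, name);
        rs = ps.executeQuery();

        boolean authenticated = false;
        String user = null;
        String verify = null;
        if (rs.next()) {
            user = rs.getString(1);          // user name as stored
            String stored = rs.getString(2); // stored password (see NOTE above)
            verify = rs.getString(9);        // "paid" or something else
            // Constant-time byte comparison instead of pass.matches(stored):
            // matches() treats the stored value as a regex (a stored ".*"
            // would accept any password, and metacharacters in a real
            // password would break login), and equals() leaks timing.
            if (stored != null && MessageDigest.isEqual(
                    pass.getBytes(StandardCharsets.UTF_8),
                    stored.getBytes(StandardCharsets.UTF_8))) {
                authenticated = true;
            }
        }

        if (!authenticated) {
            // Same message for unknown name and wrong password, so the page
            // does not reveal which accounts exist. (The original printed
            // nothing at all when the name was unknown.)
            out.println("Oop's! you are not Authenticated Person");
            return;
        }

        // Replace the pre-login session before storing the identity, so a
        // session id planted by an attacker before login (session fixation)
        // is not promoted to an authenticated one.
        session.invalidate();
        HttpSession fresh = request.getSession(true);
        fresh.setAttribute("userid", user); // read by the paid/unpaid pages' filter

        // Route by the paid flag; equals() rather than matches() (null-safe).
        if ("paid".equals(verify)) {
%>
<jsp:forward page="paiduser.jsp"/>
<%
        } else {
%>
<jsp:forward page="unpaiduser.jsp"/>
<%
        }
    } catch (ClassNotFoundException e1) {
        // Class.forName throws this checked exception; the original scriptlet
        // did not catch it and so would not compile.
        application.log("login: JDBC driver not found", e1);
        out.println("Login is temporarily unavailable");
    } catch (SQLException e1) {
        // Log server-side only; never echo database errors to the browser.
        application.log("login: database error", e1);
        out.println("Login is temporarily unavailable");
    } finally {
        // Close in reverse order and tolerate nulls: if getConnection failed,
        // the original st.close() threw NullPointerException from finally,
        // and the ResultSet was never closed at all.
        if (rs != null) { try { rs.close(); } catch (SQLException ignored) { } }
        if (ps != null) { try { ps.close(); } catch (SQLException ignored) { } }
        if (con != null) { try { con.close(); } catch (SQLException ignored) { } }
    }
%>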
