
I am having issues with my login validation code. I have the following code that validates the login:

String customer_number = request.getParameter("customerNumber");
String Passphrase = request.getParameter("passphrase");

Class.forName("com.mysql.jdbc.Driver");
java.sql.Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/test", "db_erewhon");
Statement st = con.createStatement();
ResultSet rs = st.executeQuery("select * from Customers where customer_number='" + customer_number + "'");
if (rs.next()) {
    if (rs.getString(2).equals(Passphrase)) {
        out.println("Welcome" + customer_number);
    } else {
        out.println("Customer ID or Passphrase are Invalid. Please try again");
    }
}

I get "customer_number cannot be resolved" and the same for passphrase. Any ideas? All the variables are correct throughout, including in the bank database.

Softey
  • Is this a real world application or just some test to learn about JSP? – Luiggi Mendoza Feb 14 '14 at 15:10
  • It's a small personal project that won't be used for public use. – Softey Feb 14 '14 at 15:13
  • I don't want to be rude, but this is a perfect example of all you shouldn't do: using scriptlets, not respecting the naming conventions, not indenting code, not using prepared statements, stuffing random things in the session, opening a new connection at each request and never closing it. Start by using servlets instead of JSPs for Java code, and at least, the compiler will spot your syntax errors. – JB Nizet Feb 14 '14 at 15:19
  • Yep, I know the code looks rough and it doesn't follow the variable conventions (wanted to keep the variables the same as they are in the database). It's difficult with indentation as I'm doing this in Notepad. Oh, and it's the first time I've used this sort of coding so it won't run perfectly, but as it's not being used for any useful purpose I don't think it matters so much. Care to share where I could enhance it? – Softey Feb 14 '14 at 15:30
  • @Softey check the update on my answer where I tried to cover all the stuff JBNizet talks about. Also, there's another Q/A about all this at the bottom line. – Luiggi Mendoza Feb 14 '14 at 15:31

1 Answer


The problem is here:

session.setAttribute("customer_number",customer_number);

You haven't defined a customer_number variable until the next statement:

String customer_number=request.getParameter("customer_number");

A possible solution may be declaring and initializing the variable and then save it into session:

String customer_number=request.getParameter("customer_number");
session.setAttribute("customer_number",customer_number);

Since you're learning about JSP and Servlets, you should first understand why you should not use scriptlets in JSP. After knowing this, you should move your business logic into a controller class, e.g. a Servlet. The servlet must handle the business logic and other operations that work with the data, like login validation (which should be accessed through a POST request, not a GET one), and then it should send a response to the view, e.g. by forwarding to a JSP file.

Also, you should not carelessly open database connections using:

Class.forName("com.mysql.jdbc.Driver");
java.sql.Connection con = 
    DriverManager.getConnection("jdbc:mysql://localhost:3306/test","db_customer_number","db_Passphrase");

Instead, use a database connection pool and a DataSource. You can find more info here: Is it a good idea to put jdbc connection code in servlet class?.

Last but not least, you should use PreparedStatements for queries that require parameters being passed. This is in order to prevent SQL Injection attacks. You can read more about how to use PreparedStatement here: Java - escape string to prevent SQL injection

Related question: Creating a user object from login parameters

Luiggi Mendoza
  • thank you for the comprehensive cover of where I am going wrong and I will attempt to follow it. – Softey Feb 14 '14 at 15:35
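The points the answer makes (Java code in a servlet instead of a scriptlet, POST for the login, a pooled DataSource instead of DriverManager in the request, a PreparedStatement instead of string concatenation) put together in one added example. This is illustrative code written for this page, not code from the question or the answer. It assumes a container-managed JNDI DataSource named jdbc/test, a Customers table with columns customer_number and passphrase (the original code reads the passphrase as the second column by position), and JSPs /welcome.jsp and /login.jsp; all of these are assumed names.

```java
// Added example (not from the original post): the login check rewritten as a
// servlet with a pooled DataSource and a PreparedStatement.
// Assumptions: a JNDI DataSource "jdbc/test" is configured in the container,
// the Customers table has columns customer_number and passphrase, and the
// views /welcome.jsp and /login.jsp exist. All of these names are illustrative.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Container-managed pool: the JDBC URL and the database credentials
            // live in the container configuration, not in the source code.
            dataSource = (DataSource) new InitialContext()
                    .lookup("java:comp/env/jdbc/test");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/test is not configured", e);
        }
    }

    // Credentials travel in the request body and the call changes session
    // state, so the login is handled by POST only (GET would put them in URLs
    // and server logs).
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String customerNumber = request.getParameter("customerNumber");
        String passphrase = request.getParameter("passphrase");

        boolean valid = false;
        if (customerNumber != null && passphrase != null) {
            try {
                valid = isValidLogin(customerNumber, passphrase);
            } catch (SQLException e) {
                throw new ServletException("Login query failed", e);
            }
        }

        if (valid) {
            // The identifier goes into the session only after verification.
            request.getSession().setAttribute("customer_number", customerNumber);
            response.sendRedirect(request.getContextPath() + "/welcome.jsp");
        } else {
            // One message for "unknown customer" and "wrong passphrase", so the
            // response does not reveal which customer numbers exist.
            request.setAttribute("error",
                    "Customer ID or Passphrase are Invalid. Please try again");
            request.getRequestDispatcher("/login.jsp").forward(request, response);
        }
    }

    // The customer number is bound as a parameter, never concatenated into the
    // SQL text, so an input such as  ' OR '1'='1  is compared as a literal
    // string rather than changing the query.
    private boolean isValidLogin(String customerNumber, String passphrase)
            throws SQLException {
        String sql = "SELECT passphrase FROM Customers WHERE customer_number = ?";
        // try-with-resources returns the connection to the pool and closes the
        // statement and result set on every path, including exceptions.
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, customerNumber);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;
                }
                String stored = rs.getString("passphrase");
                // Constant-time comparison of the two values. This keeps the
                // original's clear-text passphrase column; a real system would
                // store a salted password hash and compare against that instead.
                return MessageDigest.isEqual(
                        stored.getBytes(StandardCharsets.UTF_8),
                        passphrase.getBytes(StandardCharsets.UTF_8));
            }
        }
    }
}
```

The query now selects only the column it needs, and the servlet never closes over a Connection between requests: each request borrows one from the pool and the try-with-resources block hands it back, which is what fixes the "opening a new connection at each request and never closing it" problem raised in the comments.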