1

Ok login process with static values not from database it's working. Problem begin when i am trying to do this with database. I was trying to change this query many times and nothing.

ok if i have user :gabrysia and for example password gabrysia999999 in my database. I achieve error like this :org.postgresql.util.PSQLException: Error: column "gabrysia999999" dont exist. . If needed i can show web.xml ,root-context or others files.

<!!!!!!!!  LogonFormController Class   !!!!!!!!!!! >

@RequestMapping(value = "/logonForm.html", method = RequestMethod.POST)
protected String onSubmit(HttpServletRequest request,
        HttpServletResponse response, @Valid LogonCommand logon,
        BindingResult errors, HttpSession session) throws Exception {

    int cookieLife = 60000;

    boolean value = true;
    List<Register> register = rsi.booleancheckUser(logon.getLogin(),
            logon.getPassword());
    for (Register Register : register) {
        if (Register.getUsername().equalsIgnoreCase(logon.getLogin())
                && (Register.getPassword().equals(logon.getPassword()))) {

            value = false;
        }
    }

    if (errors.hasErrors()) {
        return "logonForm";

    } else if (value = true) {
        // wykorzystanie mechanizmĂłw logowania. Koniec z uĹĽyciem
        // System.out
        log.error("no user like login='" + logon.getLogin()
                + "', password='" + logon.getPassword() + "'");
        // Nie tylko walidator może umieszczać opisy błędów w obiekcie
        // typu BindException
        errors.rejectValue("login", null,
                "no user like this loginie or pass");
        return "logonForm";
    } else {
        log.info("user logged");

        if (logon.isRemember()) {
            log.info("remember user in cookie");

            Cookie c1 = new Cookie("login", logon.getLogin());
            c1.setMaxAge(cookieLife);

            response.addCookie(c1);

        } else {

            Cookie c1 = new Cookie("login", null);
            c1.setMaxAge(0);
            response.addCookie(c1);
        }

        session.setAttribute("logInSession", logon);

        return "redirect:/";
    }
}



//operation to take from database login and pass

package app.Spring.dao;
import java.util.List;
import org.hibernate.Criteria;
import org.hibernate.Query;
import org.hibernate.SessionFactory;
import org.hibernate.criterion.Restrictions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.SessionAttributes;
import app.Spring.domain.Register;

@SessionAttributes(value = { "register" })
public class RegisterServiceImpl implements RegisterService {

protected final Logger log = LoggerFactory.getLogger(getClass());

protected SessionFactory sessionFactory;

public void setSessionFactory(SessionFactory sessionFactory) {
    this.sessionFactory = sessionFactory;
}

public void add(Register user) {

    sessionFactory.getCurrentSession().saveOrUpdate(user);
    sessionFactory.getCurrentSession().flush();
}

@Override
public List<Register> booleancheckUser(String login, String password) {

    // Ta funkcja oczywiście powinna korzystać z bazy

    String hqlQuery = "FROM " + Register.class.getName()
            + " v WHERE v.username='" + login + "' AND v.password="
            + password;
    Query query = sessionFactory.getCurrentSession().createQuery(hqlQuery);
    return (List<Register>) query.list();

}

//Register Class

package app.Spring.domain;
import java.io.Serializable;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name="register")
public class Register implements Serializable {
/**
 * 
 */
private static final long serialVersionUID = 1L;
private Long user_id;
private String username;
private String password;

public Register() {
}

@Id
@GeneratedValue
@Column(name="user_id")
public Long getId() {
    return user_id;
}
public void setId(Long user_id) {
    this.user_id = user_id;
}

@Column(name="username")
public String getUsername() {
    return username;
}
public void setUsername(String username) {
    this.username = username;
}

@Column(name="password")
public String getPassword() {
    return password;
}
public void setPassword(String password) {
    this.password = password;
}

} }

Ojonugwa Jude Ochalifu
  • 26,627
  • 26
  • 120
  • 132
Wiktor Dębski
  • 188
  • 3
  • 16
  • 1
    Do not concatenate user supplied values into a SQL statement. Use a `PreparedStatement` instead to protect yourself from SQL injection. –  Jan 02 '15 at 22:16
  • Please change your coding style, SQL injection should not be possible in 2015. – Frank Heikens Jan 03 '15 at 05:23

2 Answers2

4

You should add parameters to your queries to prevent all kind of issues including SQL injection.

String hqlQuery = "FROM " + Register.class.getName()
        + " v WHERE v.username=:login AND v.password=:password";

Query query = sessionFactory.getCurrentSession()
        .createQuery(hqlQuery)
        .setParameter("login", login)
        .setParameter("password", password);

return (List<Register>) query.list();

You can read more here.

Najera
  • 2,869
  • 3
  • 28
  • 52
0

You are missing single quotes around your password in the generated HQL, i.e. you are generating this HQL

FROM Register v WHERE v.username='gabrysia' AND v.password=gabrysia999999

It should be this:

FROM Register v WHERE v.username='gabrysia' AND v.password='gabrysia999999'

The error is because it's treating the unquoted value gabrysia999999 as a column

UPDATE

I answered this as the question was asked, but it should be noted as others commenters have mentioned you should be using semantics which prevent SQL injection

Alex
  • 2,435
  • 17
  • 18
  • 1
    The real problem is bad programming, string concatenation to create a user generated piece of SQL. Also called SQL injection... – Frank Heikens Jan 03 '15 at 05:23