Question


How do I make a prepared statement with variable binding (aka parameterized queries) for the below code application? I have accessed the SQL Injection Prevention Cheat Sheet https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet to see examples of safe code but am unable to use the examples given in my code. If making prepared statements is not possible, how do I change the login portion of this Java code to prevent SQL injection in my database? Please explain the method used. The logon uses an email and a password. I used the email with Or "1=1" to access the database, but the exact password is needed.

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.derby.jdbc.ClientDataSource;

public class Authenticate extends HttpServlet {

    // variables (servlet instance fields are shared by all concurrent requests)
    private String username;
    private String pword;
    private Boolean isValid;
    private int user_id;
    private HttpSession session;

    /**
     * Processes requests for both HTTP GET and POST methods.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = response.getWriter()) {
            /* TODO output your page here. You may use following sample code. */
            // HTML tag names are assumed from the standard NetBeans servlet template
            out.println("<!DOCTYPE html>");
            out.println("<html>");
            out.println("<head>");
            out.println("<title>Servlet Authenticate</title>");
            out.println("</head>");
            out.println("<body>");
            out.println("<h1>Servlet Authenticate at " + request.getContextPath() + "</h1>");
            out.println("<p>Results are " + username + "," + isValid + "</p>");
            out.println("</body>");
            out.println("</html>");
        }
    }

    /**
     * Handles the HTTP GET method.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    /**
     * Handles the HTTP POST method.
     *
     * @param request servlet request
     * @param response servlet response
     * @throws ServletException if a servlet-specific error occurs
     * @throws IOException if an I/O error occurs
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Get the post input
        this.username = request.getParameter("emailAddress");
        this.pword = request.getParameter("pfield");
        this.isValid = validate(this.username, this.pword);
        response.setContentType("text/html;charset=UTF-8");

        // Set the session variable
        if (isValid) {
            // Create a session object if it is already not created.
            session = request.getSession(true);
            session.setAttribute("UMUCUserEmail", username);
            session.setAttribute("UMUCUserID", user_id);
            // Send to the Welcome JSP page
            RequestDispatcher dispatcher = request.getRequestDispatcher("welcome.jsp");
            dispatcher.forward(request, response);
        } else {
            // Not a valid login: refer them back to the Login screen
            request.setAttribute("ErrorMessage",
                    "Invalid Username or Password. Try again or contact Jim.");
            RequestDispatcher dispatcher = request.getRequestDispatcher("login.jsp");
            dispatcher.forward(request, response);
        }
    }

    /**
     * Returns a short description of the servlet.
     *
     * @return a String containing servlet description
     */
    @Override
    public String getServletInfo() {
        return "Short description";
    }

    // Method to Authenticate
    public boolean validate(String name, String pass) {
        boolean status = false;
        int hitcnt = 0;
        try {
            ClientDataSource ds = new ClientDataSource();
            ds.setDatabaseName("SDEV");
            ds.setServerName("localhost");
            ds.setPortNumber(1527);
            ds.setUser("sdev");
            ds.setPassword("sdev");
            ds.setDataSourceName("jdbc:derby");
            Connection conn = ds.getConnection();
            Statement stmt = conn.createStatement();

            // Vulnerable: the submitted email is concatenated straight into the SQL text,
            // so quote characters in the input change the structure of the query.
            String sql = "select user_id from sdev_users where email = '" + this.username + "'";
            ResultSet rs = stmt.executeQuery(sql);
            while (rs.next()) {
                user_id = rs.getInt(1);
            }
            if (user_id > 0) {
                // Vulnerable for the same reason: the password is concatenated, not bound.
                String sql2 = "select user_id from user_info where user_id = " + user_id
                        + " and password = '" + this.pword + "'";
                ResultSet rs2 = stmt.executeQuery(sql2);
                while (rs2.next()) {
                    hitcnt++;
                }
                // Set to true if userid/password match
                if (hitcnt > 0) {
                    status = true;
                }
            }
        } catch (Exception e) {
            System.out.println(e);
        }
        return status;
    }
}
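The parameterized version of the login check the question asks for, written as an added example rather than code from the post or from the approved answer. It assumes the same tables and columns as the servlet above (sdev_users.email, user_info.user_id, user_info.password) and takes any javax.sql.DataSource, which the post's org.apache.derby.jdbc.ClientDataSource implements; the class and method names are the example's own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

public class SafeAuthenticator {

    private final DataSource ds;

    public SafeAuthenticator(DataSource ds) {
        this.ds = ds;
    }

    /**
     * Returns the user_id when the email/password pair matches, or -1 otherwise.
     * Both inputs are bound with setString/setInt, so the database receives the
     * SQL text and the values separately: an email such as x' OR '1'='1 is
     * compared literally against the email column and never becomes SQL.
     */
    public int authenticate(String email, String password) throws SQLException {
        // The '?' placeholders fix the query structure before any value is seen.
        String lookupUser = "select user_id from sdev_users where email = ?";
        String checkPassword =
                "select user_id from user_info where user_id = ? and password = ?";

        try (Connection conn = ds.getConnection();
             PreparedStatement ps1 = conn.prepareStatement(lookupUser)) {
            ps1.setString(1, email);              // bound as data, not concatenated
            int userId = -1;
            try (ResultSet rs = ps1.executeQuery()) {
                if (rs.next()) {
                    userId = rs.getInt(1);
                }
            }
            if (userId <= 0) {
                return -1;                        // unknown email
            }
            try (PreparedStatement ps2 = conn.prepareStatement(checkPassword)) {
                ps2.setInt(1, userId);
                ps2.setString(2, password);       // bound as data, not concatenated
                try (ResultSet rs2 = ps2.executeQuery()) {
                    return rs2.next() ? userId : -1;
                }
            }
        }
    }
}
```

In doPost this replaces validate(): user_id = new SafeAuthenticator(ds).authenticate(username, pword) and isValid = user_id > 0. Binding removes the injection, but comparing the password column in SQL still means passwords are stored in clear; hashing them is a separate fix.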
