验证servlet

时间:2012-11-28 09:54:54

标签: html mysql servlets

我要用form.n来获取用户名n密码。我用mysql table中存储的用户名n密码验证它。但是没有被执行...有人能告诉我什么是错的??? thnx快速回复.. ;-)

*package mypack;
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.Statement;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    /**
     * Servlet implementation class SaveServlet
     */
    public class SaveServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;
        /**
         * Default constructor. 
         */
        public SaveServlet() {
            // TODO Auto-generated constructor stub
        }
        /**
         * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            // TODO Auto-generated method stub
            String u = request.getParameter("username");
            String p=request.getParameter("password");
            System.out.println(u);
            System.out.println(p);
            String c="jdbc:mysql://localhost:3306/test";
            Connection con=null;
            try{
                Class.forName("com.mysql.jdbc.Driver").newInstance();

                con = DriverManager.getConnection(c, "root", "MyNewPass");
                PreparedStatement pst=con.prepareStatement("select * from userinfo where username="+u+" and password="+p+";");
                System.out.println("inside resultset");
                ResultSet rs=pst.executeQuery(); 
                System.out.println("inside resultset");
                while(rs.next())
                {
                    System.out.println("inside resultset");

                }
            }
                catch (Exception e) {
                    // TODO: handle exception
                    System.out.println("Failed");
                }

        }
        /**
         * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            // TODO Auto-generated method stub
            doGet(request, response);
        }
    }*

HTML

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script type="text/javascript">


function validate(){
    var x = document.forms["form1"]["username"].value;
    if (x == null || x == "") {
        alert("Fill the User Id to Login");
        return false;
    }
    var y = document.forms["form1"]["password"].value;
    if (y == null || y == "") {
        alert("Password Please");
        return false;
    }

    else{

        document.form1.submit();
        return true;


}

}
</script>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Insert title here</title>
</head>
<body>
<center>
<form action="SaveServlet" name="form1">username &nbsp;&nbsp;&nbsp; <input
    type="text" name="username" /> <br>
<br>
password &nbsp;&nbsp;&nbsp; <input type="password" name="password"></input><br>
<br>
&nbsp;&nbsp;&nbsp; <input type="button" value="login" onclick="validate()"> &nbsp;&nbsp;&nbsp;</form>
</center>
</body>
</html>

3 个答案:

答案 0 :(得分:0)

这将导致sql注入。 您需要使用PreparedStament来执行查询

首先应进行以下更改:

Object  u_obj = request.getParameter("username");
Object  p_obj = request.getParameter("password");

 String u = u_obj==null?"":u_obj;
 String p = p_obj==null?"":p_obj;

其次:

PreparedStatement pst=con.prepareStatement("select * from userinfo where username="+u+" and password="+p+";");

应替换为:

  PreparedStatement pst=con.prepareStatement("select * from userinfo where username=? and password=?");
pst.setString(1,u);
pst.setString(2,p);

答案 1 :(得分:0)

概率是查询语法...将其更改为

"select * from userinfo where username='"+u+"' and password='"+p+"'";

更正了servlet ...

package mypack;

import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class SaveServlet
 */
public class SaveServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * Default constructor. 
     */
    public SaveServlet() {
        // TODO Auto-generated constructor stub
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // TODO Auto-generated method stub
        String u = request.getParameter("username");
        String p=request.getParameter("password");
        System.out.println("USER-->"+u);
        ResultSet rs;
        String q="select * from userinfo where username='"+u+"' and password='"+p+"'";
        Connection con=null;



        String c="jdbc:mysql://localhost:3306/test";

        try{

            Class.forName("com.mysql.jdbc.Driver").newInstance();
            con = DriverManager.getConnection(c, "root", "MyNewPass");
            System.out.println("connection done");


            PreparedStatement ps=con.prepareStatement(q);
            System.out.println(q);
            rs=ps.executeQuery();
            System.out.println("done2");
            while (rs.next()) {
               System.out.println(rs.getString(1));
               System.out.println(rs.getString(2));

            }

        }
            catch (Exception e) {
                // TODO: handle exception
                System.out.println("Failed");
            }

    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // TODO Auto-generated method stub
        doGet(request, response);
    }

}

答案 2 :(得分:0)

试试这个:

package mypack;
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.Statement;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    /**
     * Servlet implementation class SaveServlet
     */
    public class SaveServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;
        /**
         * Default constructor. 
         */
        public SaveServlet() {
            // TODO Auto-generated constructor stub
        }
        /**
         * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            // TODO Auto-generated method stub
            String u = request.getParameter("username");
            String p=request.getParameter("password");
            System.out.println(u);
            System.out.println(p);
            String c="jdbc:mysql://localhost:3306/test";
            Connection con=null;
            try{
                Class.forName("com.mysql.jdbc.Driver").newInstance();
               String sql =  "select * from userinfo where username=? and password=?";
                con = DriverManager.getConnection(c, "root", "MyNewPass");
                PreparedStatement pst =con.prepareStatement(sql);
                pst.setString(1,u);
                pst.setString(2,p);
                System.out.println("inside resultset");
                ResultSet rs=pst.executeQuery(); 
                System.out.println("inside resultset");
                while(rs.next())
                {
                    System.out.println("inside resultset");

                }
            }
                catch (Exception e) {
                    // TODO: handle exception
                    System.out.println("Failed");
                }

        }
        /**
         * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            // TODO Auto-generated method stub
            doGet(request, response);
        }
    }*