
i need help


#1
mutago

mutago

    Programmer

  • Members
  • PipPipPipPip
  • 102 posts
I want to use this code for login such that if count is >= 2 it lets me log in, but it displays the error below.


    org.apache.jasper.JasperException: Unable to compile class for JSP:

    An error occurred at line: 39 in the jsp file: /jsp/cyberlog.jsp
    The type of the expression must be an array type but it resolved to int

    36: count=rs.getRow();
    37: //count=rs.getInt(1);
    38: }
    39: if(count[0] > 1){
    40: pw.println("<font color=green size=5>welcome!!!</font>");
    41: }
    42: else{



Here is the code. Any help, thanks.




<%@ page import="java.sql.*" %>
<%@ page import="java.io.*" %>
<html>
<head>
    <title>login</title>
</head>
<body>
<%
response.setContentType("text/html");
PrintWriter pw = response.getWriter();
String username = request.getParameter("username");
String password = request.getParameter("password");
int count = 0;

try {
    Class.forName("com.mysql.jdbc.Driver").newInstance();

    Connection con = null;
    Statement stmt = null;

    con = DriverManager.getConnection("jdbc:mysql://localhost:3306/vat", "root", "root");
    stmt = con.createStatement();

    // the request parameters are concatenated straight into the SQL text
    String query = "select count from vat where username='" + username + "' and password='" + password + "'";
    System.out.println(query);
    ResultSet rs = stmt.executeQuery(query);
    while (rs.next()) {
        count = rs.getRow();
        //count=rs.getInt(1);
    }
    if (count[0] > 1) {   // line 39 of the error: count is an int, not an array
        pw.println("<font color=green size=5>welcome!!!</font>");
    }
    else {
        pw.println("<font color=red size=5>Please insert valid Username and Password mea!</font>");
    }
}
catch (Exception e) {
    System.out.println(e.getMessage());
}
%>



Thanks



#2
wim DC

wim DC

    Writes binary right handed and hex left handed

  • Members
  • PipPipPipPipPipPipPipPipPip
  • 2,084 posts
  • Programming Language:Java, JavaScript, PL/SQL
  • Learning:Java
Because you use the 'count' variable as an array. But it's just an integer. You can't do [x] with it.
count (drop the [0])

Edit: on a side note, you are now vulnerable to SQL injection.
Logging in with
'OR 1=1 --
will probably log you in.
The query that you execute will then look like:

select count from vat where username=''OR 1=1 -- ...password stuff

The '--' at the end comments out everything behind it, so the password isn't checked. What's left is the check whether the username equals '' OR 1=1, thus the where clause is now ALWAYS true and it will return every row.
This can be solved using the PreparedStatement class.

#3
mutago

mutago

    Programmer

  • Members
  • PipPipPipPip
  • 102 posts
Please can you illustrate with an example, as I am confused.
Thanks

#4
wim DC

wim DC

    Writes binary right handed and hex left handed

  • Members
  • PipPipPipPipPipPipPipPipPip
  • 2,084 posts
  • Programming Language:Java, JavaScript, PL/SQL
  • Learning:Java
I hope you're confused about the PreparedStatement stuff, and not the count[0], as there isn't much to explain there.
Using PreparedStatements goes as follows:

PreparedStatement loginQuery = con.prepareStatement("select count from vat where username=? and password=?");

So basically, where you expect user input, put a question mark there.
Then to fill it in:

loginQuery.setString(1, username);
loginQuery.setString(2, password);
ResultSet rs = loginQuery.executeQuery();

Note that it is not zero-based, it starts with 0.
setString will automatically take care of the single quotes needed in SQL. There are also other methods like setInt, setDouble, setDate, setBlob, ...

Using PreparedStatements will make sure that user input will never be processed as SQL and the input is purely a variable.
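The following is an added example, not code posted by either participant. It puts the two points of replies #2 and #4 side by side: unsafeQuery() builds the string-concatenated query from post #1 so you can see what the `' OR 1=1 -- ` input turns it into, and loadCount() is the PreparedStatement version of the same lookup. It assumes the same MySQL database, table and columns as the JSP (`vat`, with `username`, `password` and an integer `count` column), the MySQL Connector/J driver on the classpath, and the same root/root credentials; the user "alice" and the class name LoginCheck are made up for the demonstration. JDBC binds placeholders by 1-based index (`setString(1, ...)` fills the first `?`), and the value of the `count` column is read with `getInt`, since `rs.getRow()` returns the cursor's row number rather than the column.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example (not from the thread): the injectable query next to its
// parameterised replacement. Assumes MySQL database "vat", table "vat" with
// columns username, password, count, and Connector/J on the classpath.
public class LoginCheck {

    // The original approach: user-controlled strings become part of the SQL text.
    // Built here only to print it; never execute this.
    static String unsafeQuery(String username, String password) {
        return "select count from vat where username='" + username
             + "' and password='" + password + "'";
    }

    // The fix from reply #4: placeholders in the SQL, values bound separately.
    // Parameter indices are 1-based: setString(1, ...) fills the first '?'.
    static int loadCount(Connection con, String username, String password)
            throws SQLException {
        String sql = "select count from vat where username=? and password=?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    return rs.getInt("count");   // the column value, not rs.getRow()
                }
                return 0;                        // no row matched: treat as not allowed
            }
        }
    }

    // The rule stated in post #1: log in when count is >= 2.
    static boolean isAllowed(Connection con, String username, String password)
            throws SQLException {
        return loadCount(con, username, password) >= 2;
    }

    public static void main(String[] args) throws Exception {
        String attacker = "' OR 1=1 -- ";

        // Shows the query the JSP would have run for this username:
        // select count from vat where username='' OR 1=1 -- ' and password='x'
        System.out.println(unsafeQuery(attacker, "x"));

        // Assumed connection details, the same as in the JSP (a JDBC 4 driver
        // registers itself, so Class.forName is no longer needed).
        try (Connection con = DriverManager.getConnection(
                "jdbc:mysql://localhost:3306/vat", "root", "root")) {
            // With binding, the attacker string is compared as a plain username,
            // so this is false unless a user with that literal name exists.
            System.out.println("attacker allowed: " + isAllowed(con, attacker, "x"));
            // Assumed user "alice" / "secret" for illustration.
            System.out.println("alice allowed: " + isAllowed(con, "alice", "secret"));
        }
    }
}
```

In the JSP the same change means replacing `stmt.executeQuery(query)` with a PreparedStatement bound as in loadCount(), and comparing the plain `int count` (no `[0]`) in the `if`.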



