JSP Project with DAO pattern tell me am i on right track

hi i realise i probably cannot get the answer outright but from this code am i on the right track???

package Dxxxx.ActionServlets;

import Dxxxx.DAOs.GardaDAO;
import Dxxxx.Entities.Garda;
import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;


public class LoginActionServlet extends HttpServlet {


protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();


String username = request.getParameter("username");
String password = request.getParameter("password");



Garda g = new Garda();

String u = g.getUsername();
String p = g.getPassword();

if (username == u && password == p) {

response.sendRedirect(request.getContextPath() + "/LicenceNoPrompt.jsp");

}

}

protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
processRequest(request, response);
}
}

public interface GardaDAO {

public Garda findByPrimaryKey(String username);

}

package Dxxx.DAOs;

import Dxxx.Entities.Garda;



public class GardaDAOImpl implements GardaDAO {



public Garda findByPrimaryKey(String username){

Garda g = new Garda();

try{

java.lang.Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
java.sql.Connection conn = java.sql.DriverManager.getConnection("jdbc:odbc:PP", "guest", "guest");

java.sql.Statement stmt = conn.createStatement();

String sql = "SELECT username, password FROM garda WHERE username = " + username + ";";

System.out.println(sql);

java.sql.ResultSet rs = stmt.executeQuery(sql);


g = new Garda(rs.getString("username"), rs.getString("password"));

g.setUsername(rs.getString("username"));
g.setPassword(rs.getString("password"));




}catch(java.lang.ClassNotFoundException cnfe){
System.out.println("Class not Found");
}catch(java.sql.SQLException sqle){
System.out.println("SQLException");
}
return g;
}

}

package Dxxxx.Entities;

public class Garda {

String username;
String password;


public Garda() {

}

public Garda(String username, String password){


this.username = username;
this.password = password;
}

public void setUsername(String username) {

this.username = username;
}

public void setPassword(String password) {

this.password = password;
}
public String getUsername() {

return username;
}
public String getPassword() {

return password;
}

}

im trying to basically match parameters from the user entry to the ones that exist on the database.

robfitz

Garda g = new Garda();

String u = g.getUsername();

The Garda object g is empty at this point.

You need to use a GardaDAOImpl object to query the database, using something like this.

GardaDAOImpl gardaDAO = new GardaDAOImpl();
Garda g = gardaDAO.findByPrimaryKey(username);

String u = g.getUsername();

P.S. You should validate the inputs from the user before using them in a query to the database.

robfitz

robfitz wrote:

P.S. You should validate the inputs from the user before using them in a query to the database.

how do you mean by that??? perhaps you cannot answer that.

thanks for replying

lynchie

read up on the differences between object and string comparisons. You are doing them wrong in your servlet.

In your DAOImpl class, you are instaniating your garda class at the beginning, then again after you get the results back from the DB, then you are un necessarliy setting the username and password properties again.

robfitz

Deleted User wrote:

how do you mean by that???

It's a major security risk not to validate input from the user, for more details read up on SQL Injection.

rsynnott

Damn, beaten to it on the SQL injection thing. Is this a real project, or a college thing? If real, you really should read a book or something on the JDBC. At the moment it has a glaring security flaw.

Seth Brundle

Garda object, security flaw.
hmmm

rsynnott

Yes, I noticed that... If it turns out to be that I think I might move country before there's a fencepost error and I'm charged with regicide, or something.

I'm sure it's a college project. Preferably a first year one. I'm sure it is.

*goes and hides in corner*

rsynnott

Sighs in relief: http://www.boards.ie/vbulletin/showpost.php?p=50372262&postcount=8

Seth Brundle

rsynnott wrote:

Sighs in relief: http://www.boards.ie/vbulletin/showpost.php?p=50372262&postcount=8

That doesn't mean that the developers of the Pulse/other state IT contract haven't subbed it out to the lowest bidder!

rsynnott

There are limits to the stupidity and short-sightedness of our government. This is hopefully one of them

hiya

i am currently doing a final year jsp project of a fantasy football website. i am a 3rd yr student of SW dev but we have only being introduced to jsp and servlets this year. our teacher expects us to whip a project up without giving us any help or slowly building up to the level of creating a working web project.

i didnt do to well in the garda assignment monday but have been recieving extra tutorials. 4 (out of a class of 6) are struggling.

i am currently working on the login section of the fantasy football site

package pff.Dao;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.util.Vector;
import pff.entities.User;


public class DatabaseDAOforUserImpl implements DatabaseDAOforUser {


public User findUser() {



User u = new User();

try{
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");


Connection conn = DriverManager.getConnection("jdbc:odbc:football", "guest" , "guest");
java.sql.Statement stmt = conn.createStatement();

String query = "SELECT * FROM User_details WHERE username = '?' AND password ='?'";

ResultSet rs = stmt.executeQuery(query);

while(rs.next()){



u.setUsername(rs.getString("username"));
u.setPassword(rs.getString("password"));



}

conn.close();


}catch(java.lang.ClassNotFoundException cnfe){
System.out.println("Class not Found");
}catch(java.sql.SQLException sqle){
System.out.println("SQLException");
}
return u;
}
}

package pff.Dao;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.util.Vector;
import pff.entities.User;


public class DatabaseDAOforUserImpl implements DatabaseDAOforUser {


public User findUser() {



User u = new User();

try{
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");


Connection conn = DriverManager.getConnection("jdbc:odbc:football", "guest" , "guest");
java.sql.Statement stmt = conn.createStatement();

String query = "SELECT * FROM User_details WHERE username = '?' AND password ='?')";

ResultSet rs = stmt.executeQuery(query);

while(rs.next()){



u.setUsername(rs.getString("username"));
u.setPassword(rs.getString("password"));



}

conn.close();


}catch(java.lang.ClassNotFoundException cnfe){
System.out.println("Class not Found");
}catch(java.sql.SQLException sqle){
System.out.println("SQLException");
}
return u;
}
}

package pff.actionServlets;
import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;
import pff.Dao.DatabaseDAOforUserImpl;
import pff.entities.User;



public class LoginAction extends HttpServlet {


public void processLogAction(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();

DatabaseDAOforUserImpl ddao = new DatabaseDAOforUserImpl();

String username = request.getParameter("username");
String password = request.getParameter("password");


User user = ddao.findUser();

if(username.equals(user.getUsername() ))
{
if(password.equals(user.getPassword() ))
{

ServletContext sctx1 = this.getServletContext();

RequestDispatcher rd1 = sctx1.getRequestDispatcher("/Control.jsp");

rd1.forward(request, response);
}

}


else{

ServletContext sctx = this.getServletContext();
RequestDispatcher rd = sctx.getRequestDispatcher("/Error.jsp");

rd.forward(request, response);
}
}

protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

processLogAction(request, response);
}

protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

processLogAction(request, response);
}

}

<html>
<head> <title> Premiership Fantasy Football </title>
</head>
<body>

<form name="inputForm" method = "Post" action = "<%=request.getContextPath()%>/LoginAction" %>
Username
<input type="text" name="username">
Password
<input type="password" name="password">
<input type="submit" name="Submit" value="Enter Site">
</form>

</body>
</html>

the if/else password check keeps refering me to the error.jsp page. please help as i cant see where i have gone wrong

lynchie

Suggest you read up on sql / preparedstatements cause your findUser method does nothing. You need to be able to pass in the username of the user to find, use parameters on ur sql query. Your servlet doesnt even pass the username to search for to your dao.

If you cant see whats wrong with it, you should be sticking log statements or System.outs at key points in your code to help you diagnose the problems.

lynchie

lynchie wrote:

Suggest you read up on sql / preparedstatements cause your findUser method does nothing. You need to be able to pass in the username of the user to find, use parameters on ur sql query. Your servlet doesnt even pass the username to search for to your dao.

If you cant see whats wrong with it, you should be sticking log statements or System.outs at key points in your code to help you diagnose the problems.

Lynchie thank you for pointing me in the right direction i have now got that sorted.

I cant thank you enough,. cheers