I have a very simple JSP login that passes variables to a servlet and checks from a MySQL database if a username and password are available. Is it safe enough to use on a website, or is more security required? If so, how to make it safer?
This is the servlet:
import java.io.*;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.*;
import java.sql.*;
@WebServlet("/loginServlet")
public class loginServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
public loginServlet() {
super();
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
}
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
HttpSession session = request.getSession();
String email = request.getParameter("email");
String pwd = request.getParameter("pass");
try {
Class.forName("com.mysql.jdbc.Driver");
Connection con =
DriverManager.getConnection("jdbc:mysql://localhost:3306/logindb",
"root", "password");
Statement st = con.createStatement();
ResultSet rs;
rs = st.executeQuery("select fname, lname, email from userAccount where Email='"
+ email + "' and password='" + pwd + "'");
if (rs.next()) {
session.setAttribute("email", email);
session.setAttribute("Fullname", rs.getString(1) + " " + rs.getString(2));
response.sendRedirect("success.jsp");
} else {
response.sendRedirect("fail.jsp");
}
} catch (Exception ssd) {
System.out.println(ssd.getMessage());
}
}
}
source
share