/* * To change this template, choose Tools | Templates * and open the template in the editor. */ package servlets; import dao.JdbcConnection; import java.io.IOException; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; import java.util.logging.Level; import java.util.logging.Logger; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * * This servlet is used to demonstrate SQL injection attacks. * * * @author mark */ @WebServlet(name="AwesomeLoginServlet", urlPatterns = {"/awesomelogin"}) public class AwesomeLoginServlet extends HttpServlet { /** * Processes requests for both HTTP * <code>GET</code> and * <code>POST</code> methods. * * @param request servlet request * @param response servlet response * @throws ServletException if a servlet-specific error occurs * @throws IOException if an I/O error occurs */ protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html;charset=UTF-8"); String username = request.getParameter("username"); String password = request.getParameter("password"); String sql = "select name from users where username = '" + username + "' and password = '" + password + "';"; System.out.println(sql); try ( Connection con = JdbcConnection.getConnection(getServletContext()); Statement s = con.createStatement(); ResultSet rs = s.executeQuery(sql); ) { if (rs.next()) { String result = rs.getString("name"); request.getSession().setAttribute("user", result); response.sendRedirect("welcome.jsp"); } else { response.sendRedirect("awesome_login.jsp?login=fail"); } } catch (SQLException ex) { Logger.getLogger(LoginServlet.class.getName()).log(Level.SEVERE, null, ex); } } // <editor-fold defaultstate="collapsed" desc="HttpServlet methods. Click on the + sign on the left to edit the code."> /** * Handles the HTTP * <code>GET</code> method. * * @param request servlet request * @param response servlet response * @throws ServletException if a servlet-specific error occurs * @throws IOException if an I/O error occurs */ @Override protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { processRequest(request, response); } /** * Handles the HTTP <code>POST</code> method. * @param request servlet request * @param response servlet response * @throws ServletException if a servlet-specific error occurs * @throws IOException if an I/O error occurs */ @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { processRequest(request, response); } /** * Returns a short description of the servlet. * @return a String containing servlet description */ @Override public String getServletInfo() { return "Short description"; }// </editor-fold> }