<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1" %>
<%@ page import="java.util.*,java.lang.*"%>
<%@ page import="java.sql.*,java.io.*, java.net.*, javax.servlet.http.*"%>
<%@ page import="com.test.DBConn"%>
<%!
// Deny-list consulted by isRejStr(): a value is rejected only when, after trim(), it
// equals one of these strings ignoring case. Because the match is exact, any other
// input passes, so this is a demonstration heuristic rather than a defence; none of
// the database helpers in this file's visible code call isRejStr() before querying.
public String[] rejStr= {"' or '1'='1","' and '1'='2","'sqlvuln", "' + sqlvuln", "' having 1=1--", "' union select sum(username)from users--","' union select sum(username)"}; %>
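<%! /**
 * Returns true when test_table holds a row whose user_id equals the given value.
 * The id comes from the request, so it is bound as a PreparedStatement parameter
 * instead of being concatenated into the SQL text. Database errors are printed and
 * reported as "does not exist", matching the original best-effort behaviour.
 *
 * @param usrId the user id to look up; null is bound as SQL NULL and matches nothing
 * @return true if at least one matching row exists, false otherwise or on error
 */
public boolean userIdExists(String usrId){
    boolean flag = false;
    String sql = "";
    if(DBConn.isSqlServer() || DBConn.isOracle()){
        // Existence check only; the placeholder receives usrId below.
        sql = "select 1 from test_table where user_id = ?";
    }
    else if(DBConn.isMsAccess ()){
        sql = ""; // follow ms access syntax while writing sql
    }
    if(sql.length() == 0){
        // No statement configured for this backend: report instead of executing "".
        System.out.print("userIdExists: no query configured for this database type");
        return false;
    }
    PreparedStatement ps = null;
    ResultSet rs = null;
    try{
        // NOTE(review): DBConn.getConn() may hand out a shared connection; it is left
        // open here as in the original — confirm ownership in DBConn before closing it.
        Connection con = DBConn.getConn();
        ps = con.prepareStatement(sql);
        ps.setString(1, usrId);
        rs = ps.executeQuery();
        // One row is enough; no need to iterate.
        flag = rs.next();
    }catch(Exception e){
        // Best-effort: print the failure and fall through with flag == false.
        System.out.print(e.getMessage());
    }finally{
        // Close each resource independently so one failing close cannot leak the other.
        if(rs != null){
            try{ rs.close(); }catch(SQLException ignored){ /* primary error already reported */ }
        }
        if(ps != null){
            try{ ps.close(); }catch(SQLException ignored){ /* primary error already reported */ }
        }
    }
    return flag;
}
%>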
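<%! /**
 * Reports whether the given value, trimmed, equals (ignoring case) one of the literal
 * probe strings in rejStr.
 * NOTE(review): this is an exact-match deny-list, so any input that differs from the
 * listed strings passes; it is not a substitute for binding query parameters.
 *
 * @param usrId the value to check; null is treated as "not rejected"
 * @return true when the trimmed value matches an entry of rejStr
 */
public boolean isRejStr(String usrId){
    if(usrId == null){
        return false;
    }
    // Trim once instead of on every comparison.
    String candidate = usrId.trim();
    for(int i = 0; i < rejStr.length; i++){
        if(candidate.equalsIgnoreCase(rejStr[i])){
            return true;
        }
    }
    return false;
}
%>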
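<%! /**
 * Inserts one (user_id, password) row into test_table and reports the outcome on stdout.
 * Both values are bound as PreparedStatement parameters, so request-supplied text never
 * becomes part of the statement. The trailing ';' of the original statement text is
 * dropped: it belongs to interactive SQL tools and JDBC drivers may reject it.
 * NOTE(review): the password is written exactly as received; nothing in this file hashes
 * it, so that has to happen before it reaches this method.
 * Errors are printed and otherwise ignored, as in the original best-effort flow.
 *
 * @param userId   value for user_id; bound as-is (null becomes SQL NULL)
 * @param password value for password; bound as-is
 */
public void insertUserId(String userId, String password){
    String sql = "";
    //check num of columns .allow nulls for all
    if(DBConn.isSqlServer() || DBConn.isOracle()){
        sql = "insert into test_table (user_id, password) values(?, ?)";
    }
    else if(DBConn.isMsAccess ()){
        sql = ""; // follow ms access syntax while writing sql
    }
    if(sql.length() == 0){
        // No statement configured for this backend: report instead of executing "".
        System.out.print("insertUserId: no statement configured for this database type");
        return;
    }
    PreparedStatement ps = null;
    try{
        // NOTE(review): DBConn.getConn() may hand out a shared connection; it is left
        // open here as in the original — confirm ownership in DBConn before closing it.
        Connection con = DBConn.getConn();
        ps = con.prepareStatement(sql);
        ps.setString(1, userId);
        ps.setString(2, password);
        int rows = ps.executeUpdate();
        if(rows > 0) System.out.print("Inserted a row with user id:"+userId);
    }catch(Exception e){
        // Best-effort: print the failure and return without inserting.
        System.out.print(e.getMessage());
    }finally{
        if(ps != null){
            try{ ps.close(); }catch(SQLException ignored){ /* primary error already reported */ }
        }
    }
}
%>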
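<%
// Registration form handling: validate user_id / user_pass / confirm_pass, collect
// every problem into sf, and redirect only when nothing was flagged.
boolean frmSubmit = false;              // true when the error box below must render
StringBuffer sf = new StringBuffer();   // validation messages shown by the page
String userId = request.getParameter("user_id");
String password = request.getParameter("user_pass");
String confirm = request.getParameter("confirm_pass");
// A plain GET of the form carries no parameters; only validate on submission.
if(userId != null || password != null || confirm != null){
    // Null is checked before any method call: a single field can be absent while the
    // others are present. Whitespace-only values count as missing.
    boolean userIdMissing = userId == null || userId.trim().length() == 0;
    boolean passwordMissing = password == null || password.trim().length() == 0;
    boolean confirmMissing = confirm == null || confirm.trim().length() == 0;
    // NOTE(review): these literals were split across a line break in the source shown;
    // the original separator could not be recovered, "\n" stands in for it.
    if(userIdMissing){
        frmSubmit = true;
        sf.append("User ID is missing\n");
    }
    if(passwordMissing){
        frmSubmit = true;
        sf.append("Password is missing\n");
    }
    if(confirmMissing){
        frmSubmit = true;
        sf.append("Confirm Password field is missing\n");
    }
    if(!userIdMissing && !passwordMissing && !confirmMissing){
        if(!password.equals(confirm)){
            frmSubmit = true;
            sf.append("Passwords do not match\n");
        }
        // Reject the quote character before the id is used in a database lookup.
        if(userId.indexOf("'") > -1){
            frmSubmit = true;
            sf.append("Invalid User Id!Special characters not allowed");
        }else if(userIdExists(userId)){
            frmSubmit = true;
            sf.append("User ID already exists!Choose a different ID.");
        }
        // Redirect only when no check above failed; previously a mismatching password
        // pair was still redirected because the success branch reset frmSubmit.
        if(!frmSubmit){
            //insertUserId(userId, password);
            session.setAttribute("userId", userId);
            // NOTE(review): the cleartext password is kept in the session here, as in the
            // original flow; the receiving page should be checked for whether it needs it.
            session.setAttribute("password", password);
            response.sendRedirect("LoginforSqlServer.jsp");
            return; // nothing further from this page should be rendered after the redirect
        }
    }
}
%>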
|
|
<%if(frmSubmit==true){%>
|
Important message!
Error in processing. See below for details.
<%=sf.toString()%>
|
<%}%>
|
Enter your details
|
Please choose a User ID and Password to register |
|
|
|
|
|
|
Information
gathered about volunteers will only be used for providing Relief
Services. This is guaranteed by the Law
|
Any
misuse of the site may lead to penalties under the judicial system.
|
Copyright
© 2001 DequeSystems. All rights reserved.
|
|