diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java b/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java
index 2331d13..4a0f91d 100644
--- a/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java
+++ b/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java
@@ -6,6 +6,7 @@
package org.cysecurity.cspf.jvl.controller;
+import java.sql.PreparedStatement;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
@@ -48,8 +49,9 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
if(con!=null && !con.isClosed())
{
ResultSet rs=null;
- Statement stmt = con.createStatement();
- rs=stmt.executeQuery("select * from users where username='"+user+"' and password='"+pass+"'");
+ PreparedStatement stmt = con.prepareStatement("select * from users where username=? and password='"+pass+"'");
+ stmt.setString(1, user);
+ rs=stmt.executeQuery();
if(rs != null && rs.next()){
HttpSession session=request.getSession();
session.setAttribute("isLoggedIn", "1");
diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java b/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
index afa2f83..7d00d4f 100644
--- a/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
+++ b/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java
@@ -55,7 +55,7 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
{
Statement stmt = con.createStatement();
- stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ('"+user+"','"+pass+"','"+email+"','"+about+"','default.jpg','user',1,'"+secret+"')");
+ stmt.executeUpdate("INSERT into users(username, password, email, About,avatar,privilege,secretquestion,secret) values ("+stmt.enquoteLiteral(String.valueOf(user))+",'"+pass+"','"+email+"','"+about+"','default.jpg','user',1,'"+secret+"')");
stmt.executeUpdate("INSERT into UserMessages(recipient, sender, subject, msg) values ('"+user+"','admin','Hi','Hi
This is admin of this page.
Welcome to Our Forum')");
response.sendRedirect("index.jsp");
diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.java b/src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.java
index ab1bab7..7cf4c1e 100644
--- a/src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.java
+++ b/src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.java
@@ -6,6 +6,7 @@
package org.cysecurity.cspf.jvl.controller;
+import java.sql.PreparedStatement;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
@@ -48,8 +49,9 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
if(con!=null && !con.isClosed())
{
ResultSet rs=null;
- Statement stmt = con.createStatement();
- rs=stmt.executeQuery("select * from users where username='"+user+"'");
+ PreparedStatement stmt = con.prepareStatement("select * from users where username=?");
+ stmt.setString(1, user);
+ rs=stmt.executeQuery();
if (rs.next())
{
json.put("available", "1");