CSPF-Founder · skoussa · Nov 5, 2019 · Nov 6, 2019 · Nov 6, 2019 · Nov 7, 2019
diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java b/src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java
@@ -10,7 +10,7 @@
 import java.io.PrintWriter;
 import java.sql.Connection;
 import java.sql.ResultSet;
-import java.sql.Statement;
+import java.sql.PreparedStatement;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -44,8 +44,9 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
                 if(con!=null && !con.isClosed())
                 {
                     ResultSet rs=null;
-                    Statement stmt = con.createStatement();  
-                    rs=stmt.executeQuery("select * from users where email='"+email+"'");
+                    PreparedStatement stmt = con.prepareStatement("select * from users where email=?");
+                    stmt.setString(1, email);
+                    stmt.executeQuery();
                     if (rs.next()) 
                     {  
                      json.put("available", "1"); 

diff --git a/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java b/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java
@@ -11,6 +11,7 @@
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.Statement;
+import java.sql.PreparedStatement;
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
@@ -48,8 +49,11 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
                     if(con!=null && !con.isClosed())
                                {
                                    ResultSet rs=null;
-                                   Statement stmt = con.createStatement();  
-                                   rs=stmt.executeQuery("select * from users where username='"+user+"' and password='"+pass+"'");
+                                   PreparedStatement  stmt = con.prepareStatement("select * from users where username= ? and password=?");
+
+                                   stmt.setString(1, user);
+                                   stmt.setString(2, user);
+                                   stmt.executeQuery();
                                    if(rs != null && rs.next()){
                                    HttpSession session=request.getSession();
                                    session.setAttribute("isLoggedIn", "1");
@@ -71,8 +75,13 @@ protected void processRequest(HttpServletRequest request, HttpServletResponse re
                                    {
                                           response.sendRedirect("ForwardMe?location=/login.jsp&err=Invalid Username or Password");
                                    }
-
-                               }
+                                   ResultSet rs=null;
+                                   Statement stmt = con.createStatement();
+                                   rs=stmt.executeQuery("select * from users where username='"+user+"'");
+                                   if (rs.next())
+                                   {
+                                        //do nothing
+                                   }
                 }
                catch(Exception ex)
                 {