1
<%@page import="java.sql.*"%>
<%@page import="java.util.*"%>
<%@page import="java.lang.*"%>

<%
String fname=request.getParameter("firstname");
String lname=request.getParameter("lastname");
String bday=request.getParameter("birthday");
String user="";
user = request.getParameter("username");
String pass="";
pass = request.getParameter("password");



try {
if(user.isEmpty() && pass.isEmpty()){
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/mydb", "root", "user");

String sql = "Insert into users (firstname, lastname, username, password) values('"+fname+"', '"+lname+"', '"+user+"', '"+pass+"')";
Statement stmt = conn.createStatement();

stmt.execute(sql);

conn.close();
response.sendRedirect("profile.jsp");
}

} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException e) {
e.printStackTrace();
}   
%>

<html>
<body>
<form method="post">
First Name:
<input type="text" name="firstname"/>
<br>
Last Name:
<input type = "text" name="lastname"/>
<br>
Birthdate:
Day: <select name="day">
<%
for(int x=1;x<32;x++){
%>
<option value= <% out.println(x); %> ><% out.println(x); %></option>
<%
}
%>
</select>
Month: <select name="month">
<%
for(int y=1;y<13;y++){
%>
<option value= <% out.println(y); %> ><% out.println(y); %></option>
<%
}
%>
</select>
Year: <select name="year">
<%
for(int z=1985;z<2030;z++){
%>
<option value= <% out.println(z); %> ><% out.println(z); %></option>
<%
}
%>
</select>
<br>
Username:
<input type="text" name="username"/>
<br>
Password:
<input type="password" name = "password"/>
<br>
<input type="submit" value="Register"/>
</form>
</body>
</html>

I get the error:

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

org.apache.jasper.JasperException: java.lang.NullPointerException root cause

java.lang.NullPointerException

magicianiam
  • 1,474
  • 7
  • 33
  • 70

5 Answers

7

Leaving the Bobby Tables problem aside, you need to null-check your variables before calling methods on them:

if(user != null && !user.isEmpty() && pass != null && !pass.isEmpty()){
}

But before this code gets into production, you owe it to yourself to fix your SQL injection problem. Otherwise, your database is at grave risk of being wiped out by a "script kiddie" next door. Make your SQL statement parameterized, and bind values to it, rather than embedding the values into the statement.

String sql = "Insert into users (firstname, lastname, username, password) values(?,?,?,?)";
PreparedStatement stmt = conn.prepareStatement(sql);
// Bind values to the placeholders; the driver sends them separately from the SQL text
stmt.setString(1, fname); stmt.setString(2, lname); stmt.setString(3, user); stmt.setString(4, pass);

Finally, it appears that you plan to store passwords in the database. Do not do that, even in a toy database that you do not plan to deploy to the Internet. That's the worst thing that you can do to your customers, even the internal ones. Read this answer to fix this problem.

Community
  • 1
  • 1
Sergey Kalinichenko
  • 714,442
  • 84
  • 1,110
  • 1,523
  • I will work on the SQL injection once I get to check if a variable is null. I tried if(user != null) but it proceeds even if the user is null. – magicianiam Feb 25 '13 at 14:53
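Pulling the three points of this answer together as one added example (this is not code from the question or the answer). It assumes a `users` table with the columns from the question's INSERT, a JDBC `Connection` supplied by the caller (driver loading and credentials are left out), and that the intended condition was to insert when the username and password are present rather than when both are empty, as the question's condition reads. The password is stored as a salted PBKDF2 hash instead of in clear. The null handling is the same point the other answers make: test for null before calling anything on the value.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not from the question or any answer: null-safe input checks,
 * a parameterized INSERT and salted password hashing in one place.
 */
public class SafeRegistration {

    // Null-safe emptiness check. request.getParameter() returns null for a
    // missing field, so the null test must run before any method call on it.
    static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    // Assumed intent: register only when both fields are present.
    static boolean credentialsPresent(String user, String pass) {
        return !isBlank(user) && !isBlank(pass);
    }

    // PBKDF2-HMAC-SHA256 with a per-user random salt, stored as
    // "iterations:salt:hash" so the parameters travel with the record.
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;

    static String hashPassword(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return ITERATIONS + ":" + b64(salt) + ":" + b64(pbkdf2(password, salt, ITERATIONS));
    }

    static boolean verifyPassword(char[] password, String stored) throws Exception {
        String[] parts = stored.split(":");
        if (parts.length != 3) return false;
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        // MessageDigest.isEqual compares in constant time (no early exit on mismatch).
        return MessageDigest.isEqual(expected, pbkdf2(password, salt, iterations));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    private static String b64(byte[] b) {
        return Base64.getEncoder().encodeToString(b);
    }

    // The INSERT from the question with bound parameters: the values never become
    // part of the SQL text, so a quote inside a field cannot alter the statement.
    static int register(Connection conn, String fname, String lname, String user, String pass)
            throws Exception {
        if (!credentialsPresent(user, pass)) {
            throw new IllegalArgumentException("username and password are required");
        }
        String sql = "INSERT INTO users (firstname, lastname, username, password) VALUES (?, ?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, fname);
            ps.setString(2, lname);
            ps.setString(3, user);
            ps.setString(4, hashPassword(pass.toCharArray()));
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws Exception {
        // Offline demonstration of the checks and the hashing; no database needed.
        String stored = hashPassword("correct horse".toCharArray());
        System.out.println("stored:    " + stored);
        System.out.println("verify:    " + verifyPassword("correct horse".toCharArray(), stored));
        System.out.println("wrong pw:  " + verifyPassword("wrong".toCharArray(), stored));
        System.out.println("present?   " + credentialsPresent(null, "x") + " "
                + credentialsPresent("  ", "x") + " " + credentialsPresent("bob", "x"));
    }
}
```

In the JSP this replaces the body of the `try` block with a single call such as `SafeRegistration.register(conn, fname, lname, user, pass);`, and the `profile.jsp` redirect follows it. Login code later compares a submitted password with `verifyPassword` against the stored string rather than against the column value itself.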
4

You're not checking user is null. You're assuming it's not null and then checking it's empty. You need to check nullness prior to checking if it's empty.

Perhaps Apache Commons StringUtils.isBlank() may be of use for conciseness/reliability?

Brian Agnew
  • 268,207
  • 37
  • 334
  • 440
1

Try replacing

if(user.isEmpty() && pass.isEmpty()){ 

with

if((user != null && pass != null) && (user.isEmpty() && pass.isEmpty())) {
Steve
  • 340
  • 4
  • 16
1

You are assigning an empty String and then replacing it immediately with a new value from request.getParameter. This will overwrite your initialized value, so that if the parameter is null, you will have a null value for user and pass. Then if you call isEmpty on the null String object you will get the NullPointerException.

Jimi Kimble
  • 504
  • 5
  • 10
0

Try with isNullOrEmpty() in place of isEmpty()

Manoj Pilania
  • 664
  • 1
  • 7
  • 18