sending prepared statement objects to custom tags

 
Tim McGuire
Ranch Hand
Posts: 820
We have a bunch of custom tags that accept query strings. If I want to send a prepared statement object instead of a string, is it a better practice to convert my prepared statement into a string for use with the tags or to modify the code behind the tag so that it can handle a prepared statement?
Thanks!
 
David O'Meara
Rancher
Posts: 13459
It's better to remove all database knowledge from your JSPs entirely.
Personally I wouldn't give tags any knowledge about the database either.
There would be a separate layer (some people insist on using beans, but I avoid this too) that would know about the database. You delegate to it to load the required data from the parameters you provide it, then it returns objects which you use in your JSP, tags and beans to provide presentation.
Dave
 
Tim McGuire
Ranch Hand
Posts: 820
OK. So, the thing to do would be to have a class that handles the database query and sends a result object back to the JSP page. The tag on the JSP page would then accept that result object as an attribute and build the drop-down list or report table from that. Makes sense to me.
 
David O'Meara
Rancher
Posts: 13459
Except that if you are sending the SQL query from the JSP, that still represents knowledge about the database in the JSP. It could also create a security risk if users manage to substitute their own malicious SQL for your own. (This is one of the most common security holes in web applications, not just Java.)
Can you have a class be responsible for a single SQL operation and just pass the parameters for that query?
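The layering Dave describes (one class per SQL operation, callers pass parameters only, the tag receives a finished result object), as an added example that is not code from this thread. The `customer` table, the `Customer` value object, `CustomersByRegionQuery` and `CustomerSelectTag` are all assumed names; the JSP gets the list from a servlet and hands it to the tag as an attribute.

```java
import java.io.IOException;
import java.sql.*;
import java.util.*;
import javax.servlet.jsp.JspWriter;
import javax.servlet.jsp.tagext.SimpleTagSupport;
import javax.sql.DataSource;

/** Plain value object for the JSP layer; it carries no JDBC types (assumed shape). */
final class Customer {
    final int id; final String name;
    Customer(int id, String name) { this.id = id; this.name = name; }
}

/** Owns exactly one SQL operation. Callers supply a parameter, never SQL text. */
final class CustomersByRegionQuery {
    // The SQL lives here and only here; no JSP or tag ever sees it (table name assumed).
    private static final String SQL = "SELECT id, name FROM customer WHERE region = ? ORDER BY name";
    private final DataSource dataSource;
    CustomersByRegionQuery(DataSource dataSource) { this.dataSource = dataSource; }
    List<Customer> execute(String region) throws SQLException {
        List<Customer> result = new ArrayList<>();
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(SQL)) {
            ps.setString(1, region); // bound as data, so a value like "x' OR '1'='1" stays a literal
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) result.add(new Customer(rs.getInt("id"), rs.getString("name")));
            }
        }
        return result;
    }
}

/** Custom tag that renders a drop-down from the finished list; it never touches the database. */
public final class CustomerSelectTag extends SimpleTagSupport {
    private List<Customer> customers;
    public void setCustomers(List<Customer> customers) { this.customers = customers; }
    @Override
    public void doTag() throws IOException {
        JspWriter out = getJspContext().getOut();
        out.println("<select name=\"customer\">");
        for (Customer cu : customers) {
            out.println("<option value=\"" + cu.id + "\">" + escape(cu.name) + "</option>");
        }
        out.println("</select>");
    }
    // Minimal HTML escaping so a stored name cannot inject markup into the rendered page.
    private static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

The servlet calls `new CustomersByRegionQuery(dataSource).execute(region)` and puts the list in request scope, so the JSP only ever writes something like `<my:customerSelect customers="${customers}"/>` (TLD and servlet omitted). No query string crosses the JSP or tag boundary, which is what closes the substitution hole Dave mentions.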
 