
is this statement correct?

 
mary bate
Greenhorn
Posts: 12
String employee_name=request.getParameter("employee_name");

String queryText = "insert into sshl_account_application (employee_name)values('" + request.getParameter('employee_name')");
 
Afroz Ahmed
Ranch Hand
Posts: 64
Hi,
The query is not correctly concatenated. Here is the modified one:

String employee_name=request.getParameter("employee_name");
String queryText = "insert into sshl_account_application (employee_name)values('" + request.getParameter("employee_name") +"')" ;

 
Ameya Thakur
Ranch Hand
Posts: 43
Hi Mary,

The corrected query is

String queryText = "insert into sshl_account_application (employee_name) values('" + request.getParameter("employee_name") + "')";

Regards

Ameya
 
Ameya Thakur
Ranch Hand
Posts: 43
Hi,

String queryText = "insert into sshl_account_application (employee_name) values(" + request.getParameter("employee_name") + ")";

Regards

Ameya
 
Peter den Haan
author
Ranch Hand
Posts: 3252
Please promise me that this is just some code to play around with, and that you will never, ever allow anything like this into any kind of production environment. Allowing an HTTP request parameter into your SQL text like this means that a malicious user can do anything they like with your database through SQL injection.

In production, you should always use a PreparedStatement here.

- Peter
[ August 05, 2004: Message edited by: Peter den Haan ]
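To illustrate Peter's point, here is the concatenated insert from this thread next to the PreparedStatement form. This is added example code, not from any post above; it assumes an already open java.sql.Connection `conn`, a servlet `request`, and the table and column named in the thread.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.http.HttpServletRequest;

public class AccountApplicationDao {

    // Vulnerable (the pattern discussed in the thread): the request parameter is
    // pasted into the SQL text, so a value containing a quote character changes
    // the structure of the statement instead of being stored as data.
    public static int insertUnsafe(Connection conn, HttpServletRequest request)
            throws SQLException {
        String employeeName = request.getParameter("employee_name");
        String queryText = "insert into sshl_account_application (employee_name) values('"
                + employeeName + "')";
        try (Statement stmt = conn.createStatement()) {
            return stmt.executeUpdate(queryText);
        }
    }

    // Safe: the SQL text is a constant with a placeholder; the driver sends the
    // value separately, so it is always treated as data and never as SQL.
    public static int insertSafe(Connection conn, HttpServletRequest request)
            throws SQLException {
        String employeeName = request.getParameter("employee_name");
        if (employeeName == null || employeeName.trim().isEmpty()) {
            throw new IllegalArgumentException("employee_name is required");
        }
        String queryText = "insert into sshl_account_application (employee_name) values(?)";
        try (PreparedStatement ps = conn.prepareStatement(queryText)) {
            ps.setString(1, employeeName);   // bound as a parameter, not concatenated
            return ps.executeUpdate();
        }
    }
}
```

The placeholder form also lets the database reuse the prepared plan across requests, and the bind value is visible as a parameter rather than as part of the statement text in driver logs.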
 