is this statement correct?
Greenhorn
Posts: 12
String employee_name=request.getParameter("employee_name");

String queryText = "insert into sshl_account_application (employee_name)values('" + request.getParameter('employee_name')");
Ranch Hand
Posts: 64
Hi,
The query is not correctly concatenated. Here is the modified one:

String employee_name=request.getParameter("employee_name");
String queryText = "insert into sshl_account_application (employee_name)values('" + request.getParameter("employee_name") +"')" ;

Ranch Hand
Posts: 43
Hi Mary,

The Corrected Query is

String queryText = "insert into sshl_account_application (employee_name) values('" + request.getParameter("employee_name") + "')";

Regards

Ameya
Ameya Thakur
Ranch Hand
Posts: 43
Hi,

String queryText = "insert into sshl_account_application (employee_name) values(" + request.getParameter("employee_name") + ")";

Regards

Ameya
author
Posts: 3252

Please promise me that this is just some code to play around with, and that you will never, ever allow anything like this into any kind of production environment. Allowing an HTTP request parameter into your SQL text like this means that a malicious user can do anything they like with your database through SQL injection.

In production, you should always use a PreparedStatement here.

- Peter
[ August 05, 2004: Message edited by: Peter den Haan ]
 
Don't get me started about those stupid light bulbs.
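The following is an added example, not code from the thread or from any of its posters. It runs the same INSERT both ways: concatenated as in the question, and as the PreparedStatement Peter recommends. It assumes the H2 JDBC driver is on the classpath (an in-memory `jdbc:h2:mem:` database stands in for the real one, and the table is assumed to have a single varchar column); the two parameter values are constructed here to stand in for `request.getParameter("employee_name")`.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Added example: the thread's INSERT built by concatenation versus with a PreparedStatement. */
public class SqlInjectionDemo {

    // Constructed inputs standing in for request.getParameter("employee_name") (not from the thread).
    static final String HONEST = "Mary O'Brien";        // a legitimate name that happens to contain a quote
    static final String MALICIOUS = "Mallory'), ('Eve"; // closes the value early and opens a second row

    /** Opens an assumed in-memory H2 database and creates the table with one varchar column. */
    static Connection open() throws SQLException {
        Connection c = DriverManager.getConnection("jdbc:h2:mem:demo");
        try (Statement s = c.createStatement()) {
            s.execute("create table sshl_account_application (employee_name varchar(100))");
        }
        return c;
    }

    /** The approach from the question: the request parameter is pasted into the SQL text. */
    static void insertConcatenated(Connection c, String employeeName) throws SQLException {
        String queryText = "insert into sshl_account_application (employee_name) values('" + employeeName + "')";
        try (Statement s = c.createStatement()) {
            s.executeUpdate(queryText);
        }
    }

    /** Peter's advice: a bound parameter; the driver sends the value as data, never as SQL syntax. */
    static void insertPrepared(Connection c, String employeeName) throws SQLException {
        String queryText = "insert into sshl_account_application (employee_name) values(?)";
        try (PreparedStatement ps = c.prepareStatement(queryText)) {
            ps.setString(1, employeeName);
            ps.executeUpdate();
        }
    }

    /** Reads back every stored name so the effect of each insert is visible. */
    static List<String> names(Connection c) throws SQLException {
        List<String> out = new ArrayList<>();
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("select employee_name from sshl_account_application order by employee_name")) {
            while (rs.next()) {
                out.add(rs.getString(1));
            }
        }
        return out;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = open()) {
            // 1. The concatenated version cannot even store an honest name containing an apostrophe:
            //    values('Mary O'Brien') is a syntax error, so the driver throws.
            try {
                insertConcatenated(c, HONEST);
            } catch (SQLException e) {
                System.out.println("concatenation, honest name: " + e.getMessage());
            }

            // 2. With the malicious value the text becomes
            //    values('Mallory'), ('Eve')  -- one request parameter, two rows inserted.
            insertConcatenated(c, MALICIOUS);
            System.out.println("concatenation, malicious name: " + names(c));

            // 3. The PreparedStatement stores both strings exactly as supplied, one row each.
            insertPrepared(c, HONEST);
            insertPrepared(c, MALICIOUS);
            System.out.println("prepared: " + names(c));
        }
    }
}
```

The first run shows why quoting the value by hand is wrong on both counts: a legitimate apostrophe breaks the statement, and a crafted one rewrites it. With the placeholder the SQL text is fixed before any user data arrives, so there is nothing for the parameter to escape from; the same applies to every other request parameter that reaches a query.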