Issue in getting a proper result in the ResultSet obj
Saurabh Joshi
Ranch Hand
Posts: 37
posted 9 years ago
Hi,
Can you tell me why this is not working
I got agent_val from here : . And when I try to print agent_val by
It give me a Proper value, which is "Leo Joseph"
and the best part is when I write the above query with the static name.......IT WORKS
I dont understand the point, if getParameter is not working then how come it is able to print right value. And if that is not the problem then how come I am able to print correct value through agent_val but the query does not recognize it???
Please Help,
Thanks & Regards,
Saurabh.
[ November 23, 2007: Message edited by: Saurabh Joshi ]
Can you tell me why this is not working
I got agent_val from here : . And when I try to print agent_val by
It give me a Proper value, which is "Leo Joseph"
and the best part is when I write the above query with the static name.......IT WORKS
I dont understand the point, if getParameter is not working then how come it is able to print right value. And if that is not the problem then how come I am able to print correct value through agent_val but the query does not recognize it???
Please Help,
Thanks & Regards,
Saurabh.
[ November 23, 2007: Message edited by: Saurabh Joshi ]
posted 9 years ago
In your first code you are looking for the literal name "agent_val". You probably want to do this:
This is very insecure though, and very open to SQL injection (look it up on Google). This basically means people can execute queries you don't want them to, including dropping your table or database!
You can prevent this by using a PreparedStatement:
This is very insecure though, and very open to SQL injection (look it up on Google). This basically means people can execute queries you don't want them to, including dropping your table or database!
You can prevent this by using a PreparedStatement:
SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6 - OCEJPAD 6
How To Ask Questions How To Answer Questions
Saurabh Joshi
Ranch Hand
Posts: 37
posted 9 years ago
Hi Rob,
Thanks for your reply.
I will certianly look into what you have told me
I am getting that value from a drop down box, so is that still very unsecure?
And yes thanks a lot for the update on that line. I know that was a silly mistake.
Please suggest.
Saurabh.
[ November 23, 2007: Message edited by: Saurabh Joshi ]
Thanks for your reply.
I will certianly look into what you have told me
I am getting that value from a drop down box, so is that still very unsecure?
And yes thanks a lot for the update on that line. I know that was a silly mistake.
Please suggest.
Saurabh.
[ November 23, 2007: Message edited by: Saurabh Joshi ]
posted 9 years ago
If someone just follows your webpages then it should be safe. However, nothing prevents him from using some command line tool or anything and making a request with his own, harmful, request parameters.
If you're using GET, he doesn't even need a command line tool - he can just modify the address in the address bar!
If you're using GET, he doesn't even need a command line tool - he can just modify the address in the address bar!
SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6 - OCEJPAD 6
How To Ask Questions How To Answer Questions
| With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime. |