I got agent_val from here: . And when I try to print agent_val by , it gives me a proper value, which is "Leo Joseph".
And the best part is, when I write the above query with the static name... IT WORKS.
I don't understand the point: if getParameter is not working, then how come it is able to print the right value? And if that is not the problem, then how come I am able to print the correct value through agent_val but the query does not recognize it?
In your first code you are looking for the literal name "agent_val". You probably want to do this:
This is very insecure though, and very open to SQL injection (look it up on Google). This basically means people can execute queries you don't want them to, including dropping your table or database!
You can prevent this by using a PreparedStatement:
I am getting that value from a drop down box, so is that still very insecure?
Yes. It doesn't matter what form control you use. Your form control will just submit a value as text and it is trivial to change that value to something harmful.
If someone just follows your webpages then it should be safe. However, nothing prevents him from using some command line tool or anything and making a request with his own harmful request parameters.
If you're using GET, he doesn't even need a command line tool - he can just modify the address in the address bar!
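To make the answer's point concrete, here is an added example (not code from the question or the answer) showing the concatenated query beside its PreparedStatement form. The `agents` table and `agent_name` column are assumed; `agentVal` stands for the value the servlet reads with `request.getParameter("agent_val")`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class AgentLookup {

    // Vulnerable form: the request value is spliced into the SQL text.
    // Whatever the client sends becomes part of the statement, so a value
    // containing a quote (even a legitimate name like O'Brien) changes the
    // structure of the query instead of being treated as a name to match.
    static ResultSet findAgentUnsafe(Connection conn, String agentVal) throws SQLException {
        // "agents" / "agent_name" are hypothetical names for this example
        String sql = "SELECT * FROM agents WHERE agent_name = '" + agentVal + "'";
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(sql);
    }

    // Hardened form: the SQL text is fixed at compile time and the value is
    // bound as a parameter. The driver sends it purely as data, so it can
    // never alter the query, no matter what the client submits.
    static ResultSet findAgentSafe(Connection conn, String agentVal) throws SQLException {
        String sql = "SELECT * FROM agents WHERE agent_name = ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, agentVal);   // 1-based index of the '?' placeholder
        return ps.executeQuery();
    }

    // Typical servlet usage (request object assumed):
    //   String agentVal = request.getParameter("agent_val");   // e.g. "Leo Joseph"
    //   ResultSet rs = findAgentSafe(conn, agentVal);
}
```

The drop-down in the form does not change anything here: the server only ever sees a string, so the binding in `findAgentSafe` is what keeps the value from being interpreted as SQL.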