Pass js value to select where clause

M Ryder
Greenhorn
Posts: 9
Hi,
I am trying to take the values from a hidden field created with a js function and pass them into a select...from...where clause and can't seem to get the syntax right. The js function stores the values like ("cat,dog") but for the where clause I need them to be like ("cat","dog"). I am not sure whether this is more a js question or jdbc question, so please forgive me if I am in the wrong forum. I will attach my function. Thanks in advance for any suggestions.
Scott Selikoff
author
Bartender
Posts: 4096
I'm a little worried about your use of JavaScript + JDBC... are you familiar with SQL Injection? The best approach is to write JavaScript code that passes to a Java function, which relies on PreparedStatements for any and all queries (sanitizes inputs and helps prevent SQL injection).

For projections (when you want to select specific columns), it's better to have the values inserted from within the Java tier and not to pass user input directly, such as retrieving all columns from the database and filtering out the unneeded ones, or using logic that inserts a fixed string column name based on the presence or absence of values. It's *never* a good idea to allow user input directly into a SQL statement; that's just asking for someone to hack your website.

Also, you can use the Java.split() command to split the input on the "," and use a PreparedStatement to properly format the data.
[ May 01, 2008: Message edited by: Scott Selikoff ]
 
M Ryder
Greenhorn
Posts: 9
Thanks Scott. The javascript function creates a hidden variable which is passed to a servlet. The servlet then pulls the variable into the where clause.
 
Scott Selikoff
author
Bartender
Posts: 4096
But there's no such thing as 'hidden' JavaScript values. JavaScript is wide open and can be easily manipulated. I'm just saying I hope you're not putting the text directly into a database query (but if you are, feel free to share this website, since it would be wide open).
[ May 01, 2008: Message edited by: Scott Selikoff ]
 
Author and ninkuma
Marshal
Posts: 66783
Originally posted by M Ryder:
> Thanks Scott. The javascript function creates a hidden variable which is passed to a servlet. The servlet then pulls the variable into the where clause.
Trying to have your JavaScript format things as appropriate for JDBC is where your problem lies. Just pass raw data back to the server and let Java code determine what re-formatting is necessary in order to make it work with JDBC.

Making JDBC considerations visible at the JavaScript layer would be a violation of Separation of Concerns. Your JS shouldn't have to know how the data is to be used.
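The server-side approach that both Scott's and Bear's replies describe, written out as an added example (this is not code from the thread or from either poster): the browser sends the raw "cat,dog" string untouched, the servlet splits it, and JDBC binds one `?` placeholder per value so the input never becomes part of the SQL text. The table and column names (`pets`, `name`, `owner`), the `MAX_VALUES` limit and the `unsafeQuery` shape shown for contrast are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not from the thread. The hidden field arrives as "cat,dog";
 * splitting and quoting happen here, not in JavaScript, and every value is
 * bound through PreparedStatement. Table/column names are assumed.
 */
public class PetLookup {

    /** Assumed upper bound on values per request, so a client cannot force a huge IN list. */
    private static final int MAX_VALUES = 50;

    /**
     * Splits the raw hidden-field value into trimmed, non-empty values.
     * No quoting or escaping is done here: that is JDBC's job.
     */
    static List<String> parseValues(String raw) {
        List<String> values = new ArrayList<>();
        if (raw == null) {
            return values;
        }
        for (String part : raw.split(",")) {
            String v = part.trim();
            if (!v.isEmpty()) {
                values.add(v);
            }
        }
        if (values.size() > MAX_VALUES) {
            throw new IllegalArgumentException("too many values: " + values.size());
        }
        return values;
    }

    /**
     * Builds "SELECT name, owner FROM pets WHERE name IN (?, ?, ...)" with exactly
     * one placeholder per value. Only the placeholder count depends on the
     * request; no user-supplied text is concatenated into the SQL.
     */
    static String buildQuery(int valueCount) {
        if (valueCount < 1) {
            throw new IllegalArgumentException("at least one value is required");
        }
        StringBuilder sql = new StringBuilder("SELECT name, owner FROM pets WHERE name IN (");
        for (int i = 0; i < valueCount; i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        return sql.append(')').toString();
    }

    /**
     * The shape the thread warns against, kept only for contrast: the hidden
     * field is pasted into the SQL text. A value such as "cat') OR 1=1 --"
     * turns the WHERE clause into one that matches every row.
     */
    static String unsafeQuery(String raw) {
        return "SELECT name, owner FROM pets WHERE name IN ('" + raw.replace(",", "','") + "')";
    }

    /** Safe lookup: split on the server, bind each value, read the rows back. */
    static List<String> findOwners(Connection conn, String rawHiddenField) throws SQLException {
        List<String> values = parseValues(rawHiddenField);
        List<String> owners = new ArrayList<>();
        if (values.isEmpty()) {
            return owners;
        }
        try (PreparedStatement ps = conn.prepareStatement(buildQuery(values.size()))) {
            for (int i = 0; i < values.size(); i++) {
                ps.setString(i + 1, values.get(i)); // JDBC parameter indexes are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    owners.add(rs.getString("name") + " -> " + rs.getString("owner"));
                }
            }
        }
        return owners;
    }
}
```

In the servlet this is just `findOwners(conn, request.getParameter("pets"))` (the parameter name is assumed). Because each value is bound as a literal, the hidden field can be edited to `cat') OR 1=1 --` in the browser and the query still compares `name` against that exact string, which matches nothing. The one thing the client still controls is how many values it sends, which is why the count is capped before the query is built.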