
Error: SQL Exception

The following code is generating an error:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<%@ page import="java.sql.*" %>
<%@ page import="javax.naming.*" %>
<%@ page import="javax.sql.*" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>JDBC with JSP</title>
</head>
<body>
<%
    ResultSet rs = null;
    String output;
    String str;
    String str1;
    try {
        // JDBC-ODBC bridge driver, connecting to the "TestConversion" DSN
        Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
        String dataSourceName = "TestConversion";
        String dbURL = "jdbc:odbc:" + dataSourceName;
        Connection con = DriverManager.getConnection(dbURL, "", "");
        // try and create a java.sql.Statement so we can run queries
        Statement s = con.createStatement();
        // request parameters are concatenated straight into the SQL text
        str = request.getParameter("fromcur");
        str1 = request.getParameter("tocur");
        // the second WHERE in this query is what produces the error reported below
        rs = s.executeQuery("select Con_Rate From TestConv WHERE From_Currency= '" + str + "' AND WHERE To_Currency= '" + str1 + "' ");
        System.out.println(rs);
        while (rs.next()) {
%>
<%= output = rs.getString("Con_Rate") %>
<%
        }
        s.close();
        con.close();
    } catch (Exception ex) {
        System.out.println("Database Exception" + ex);
    }
%>

</body>
</html>

Error:----> Database Exceptionjava.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression 'From_Currency= 'INR' AND WHERE To_Currency= 'INR''.

Please help

rs=s.executeQuery("select Con_Rate From TestConv WHERE From_Currency= '" + str + "' AND WHERE To_Currency= '" + str1 + "' " );

Hi,
From_Currency= 'INR' AND WHERE To_Currency= 'INR''.

Error is To_Currency= 'INR''. It should be To_Currency= 'INR' ''.



Hi,

rs=s.executeQuery("select Con_Rate From TestConv WHERE From_Currency= '" + str + "' AND WHERE To_Currency= '" + str1 + "' " );



The second WHERE before "To_Currency" is unnecessary.

And of course, as Bear has pointed out, refrain from writing Java code in JSP. You can use JSTL for SQL interaction otherwise.

Regards,
Amit
Hi,
The main error is that you're using WHERE two times.

It should be like this:
rs=s.executeQuery("select Con_Rate From TestConv WHERE From_Currency= '" + str + "' AND To_Currency= '" + str1 + "' " );

I really suggest you either start using PreparedStatement or do proper validation yourself on the request parameters, because right now your site is highly susceptible to SQL injection. What would you do if I sent the following as the value for "tocur" (and nothing for "fromcur"):
The full query would become this:
Oops! Both statements will be executed, and because the WHERE clause of the second one is always true it will clear your entire table.
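As an added example (not code from this thread or from the original poster), here is the concatenated query from the replies above, with the duplicate WHERE removed, run beside a parameterized version. It uses Python's sqlite3 module against an in-memory table standing in for the Access DSN, since the JDBC-ODBC setup cannot run offline; the table rows and the two attacker values for "tocur" are constructed for the illustration. It shows a single-statement `' OR '1'='1` value leaking every row, a stacked-statement value wiping the table when the driver executes everything in the string, and the bound-parameter query treating both values as nothing more than odd currency codes.

```python
import sqlite3

# Constructed sample rows standing in for the TestConv table behind the
# "TestConversion" DSN in the thread; the rates are made up.
SAMPLE_RATES = [
    ("INR", "USD", "0.012"),
    ("USD", "INR", "83.10"),
    ("EUR", "USD", "1.08"),
]

# Constructed attacker inputs for the "tocur" request parameter.
PAYLOAD_OR = "USD' OR '1'='1"                                # returns every row
PAYLOAD_STACKED = "USD'; DELETE FROM TestConv WHERE 'a'='a"  # second statement wipes the table


def open_db():
    """In-memory SQLite database seeded with the constructed rates."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE TestConv (From_Currency TEXT, To_Currency TEXT, Con_Rate TEXT)"
    )
    con.executemany("INSERT INTO TestConv VALUES (?, ?, ?)", SAMPLE_RATES)
    con.commit()
    return con


def count_rows(con):
    """Number of rows left in TestConv (used to check for damage)."""
    return con.execute("SELECT COUNT(*) FROM TestConv").fetchone()[0]


def build_query_by_concatenation(fromcur, tocur):
    """The thread's query with the second WHERE removed, still assembled by
    string concatenation exactly as the JSP does it."""
    return (
        "select Con_Rate From TestConv WHERE From_Currency= '" + fromcur
        + "' AND To_Currency= '" + tocur + "' "
    )


def lookup_rate_vulnerable(con, fromcur, tocur):
    """Executes the concatenated query: request text is parsed as SQL.
    sqlite3.execute() only accepts one statement, so this shows the
    single-statement injection (OR '1'='1') rather than the stacked one."""
    sql = build_query_by_concatenation(fromcur, tocur)
    return [row[0] for row in con.execute(sql).fetchall()]


def run_vulnerable_script(con, fromcur, tocur):
    """Same concatenation, run through executescript(), which executes every
    statement in the string, the behaviour the reply describes for the
    ODBC driver. Returns how many rows survive in TestConv afterwards."""
    sql = build_query_by_concatenation(fromcur, tocur)
    con.executescript(sql)
    return count_rows(con)


def lookup_rate_safe(con, fromcur, tocur):
    """Parameterized form: the '?' placeholders are bound as values and are
    never parsed as SQL, whatever the request contains. The JDBC equivalent is
    con.prepareStatement("select Con_Rate From TestConv WHERE From_Currency = ? AND To_Currency = ?")
    followed by setString(1, fromcur) and setString(2, tocur)."""
    sql = "select Con_Rate From TestConv WHERE From_Currency = ? AND To_Currency = ?"
    return [row[0] for row in con.execute(sql, (fromcur, tocur)).fetchall()]


if __name__ == "__main__":
    con = open_db()
    print("honest lookup        :", lookup_rate_vulnerable(con, "INR", "USD"))
    print("OR injection         :", lookup_rate_vulnerable(con, "INR", PAYLOAD_OR))
    print("safe, OR payload     :", lookup_rate_safe(con, "INR", PAYLOAD_OR))
    print("safe, stacked payload:", lookup_rate_safe(con, "INR", PAYLOAD_STACKED),
          "rows left:", count_rows(con))
    print("rows after stacked injection through concatenation:",
          run_vulnerable_script(con, "INR", PAYLOAD_STACKED))
```

Run it as a script and the honest lookup and the safe lookup both return one rate, the OR payload through concatenation returns all three rows, and the stacked payload through concatenation leaves the table empty, while the parameterized query returns no rows for either payload and leaves every row in place. Passing the stacked payload to `lookup_rate_vulnerable` raises `sqlite3.ProgrammingError` because sqlite3 refuses a second statement per `execute()` call; that is a property of this module, not a defence you can rely on in the JSP, where the fix is the `PreparedStatement` form shown in the docstring.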

