Code for Display Calculation salary slip code for eid

Hello sir i am trying to code for display salary slip this code is use for inputing eid adn display salary slip but i have no idea what i will do
<%--
Document : Salary
Created on : Mar 24, 2012, 11:27:02 PM
Author : Rushi
--%>

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Salary Result</title>
</head>
<body>
<%@ page import="java.sql.*" language="java" %>
<%@ page import="java.io.*"%>
<%
try
{

String eid=null,uname;
String salary,hra,da,pf,gross,net,sal;
String eid2=request.getParameter("eid");
String uname1=request.getParameter("uname");
String salary1=request.getParameter("salary");

Connection con = null;
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
con = DriverManager.getConnection("jdbc:odbc:Employee","system","tiger");
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery("select * from EMPLOYEE where eid="+eid2+"");
if(rs.next()){
%>
<table border="1" align="center">
<tr><td>EID</td><td><input type="text" value="<%=rs.getString("eid")%>"> </td></tr>
<tr><td>Uname</td><td><input type="text" value="<%=rs.getString("uname")%>"> </td></tr>
<%
if(?)

{

}

{

}




%>
</body>
</html>
after inputing eid show ename
and calculation of hra da pf gross nsal
suddenly blank please help me sir.
and saving another table
Thank you

You need to read up urgently on what SQL injection is, and how to prevent it.

ResultSet rs = stmt.executeQuery("select * from EMPLOYEE where eid="+eid2+"");
this must be
ResultSet rs = stmt.executeQuery("select * from EMPLOYEE where eid=('"+eid2+"')");

No it doesn't. First of all, the () pair is completely useless. It's only required for nesting (mostly of WHERE clauses) and function calls, and your example shows neither. The '' pair is also unnecessary if the employee ID is a numeric value. There still is the danger of SQL injection, but your code doesn't solve that at all.

i am not talking about pair of () but about ' ' .. we must enclose variables in '"++"' i think....

Sachin Kadian wrote:i am not talking about pair of () but about ' ' .. we must enclose variables in '"++"' i think....

No. This is only true for text literals, numeric literals go without quotes.

The code might be working even with numbers enclosed in quotes, but this introduces another potential bug related to implicit conversion. However, compared to the SQL injection vulnerability, this is an insignificant issue.