You need to execute the SQL query by PreparedStatement instead of Statement, else your SQL query would break (and be prone to SQL injections as well).
Imagine the following query:
SELECT foo FROM tbl WHERE name = 'O'Reilly'
That would yield a SQL syntax error. You should have seen this if you checked the server logs. You should have seen this on screen when you used a servlet instead of JSP to do the task. With PreparedStatement the query would be sanitized as follows:
SELECT foo FROM tbl WHERE name = 'O\'Reilly'
This way SQL does understand this query and can execute it without problems.
On the other hand, you need to HTML-escape the results as well, otherwise it will be prone to XSS attacks.
Imagine the following display:
<input type='text' value='${name}'>
If the ${name} is O'Reilly, then the HTML would effectively end up as
<input type='text' value='O'Reilly'>
and you would only see the O. What would happen if the name is '><script>alert('xss')</script><input type='text' value=' ? To fix this, use JSTL fn:escapeXml to display input:
<input type='text' value='${fn:escapeXml(name)}'>
(By the way, it's more recommended to use double quotes instead of single quotes; the above is just an example.)
That said, you should technically also not be doing this inside a JSP file. Raw Java code belongs in a Java class, not a JSP file. JSP is a view technology, use it for the view part only.
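Both halves of the answer above, reproduced so they can be run offline; this is an added example and not code from the original answer. Python's sqlite3 stands in for JDBC (a `?` placeholder with a bound value is the PreparedStatement equivalent, string concatenation is the Statement equivalent) and html.escape stands in for fn:escapeXml; the table tbl and its single row are constructed for the demo.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's 'tbl' with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (name TEXT, foo TEXT)")
    conn.execute("INSERT INTO tbl VALUES ('O''Reilly', 'bar')")
    return conn


def lookup_unsafe(conn, name):
    """Statement-style: the value is glued into the SQL text, so a quote
    inside it becomes part of the SQL grammar (syntax error or injection)."""
    sql = "SELECT foo FROM tbl WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def unsafe_breaks(conn, name):
    """True if the concatenated query fails to parse, as it does for O'Reilly."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def lookup_safe(conn, name):
    """PreparedStatement-style: the value is bound as a parameter and never
    parsed as SQL, so O'Reilly is matched literally."""
    sql = "SELECT foo FROM tbl WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def escape_attr(value):
    """fn:escapeXml equivalent: encode & < > \" ' so the value cannot close
    the attribute or start a tag when written into the HTML."""
    return html.escape(value, quote=True)


def render_input(name):
    """The JSP snippet from the answer, with the value escaped."""
    return '<input type="text" value="%s">' % escape_attr(name)


if __name__ == "__main__":
    conn = make_db()
    print("concatenated query breaks:", unsafe_breaks(conn, "O'Reilly"))
    print("bound parameter result:", lookup_safe(conn, "O'Reilly"))
    print(render_input("O'Reilly"))
```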