Hello All,

I am having an update statement in my jsp. The problem is that when I am changing all the fields in the jsp and executing the update statement, the DB will be updated, but when I am updating only a certain field, the other fields will be "" in the SQL statement. Also, I am having another problem: there is a mismatch in the date, so what is the best format to apply in the SQL statement in my jsp?

For the first problem, HTML code:

<select size="1" name="Nationality" class="content">
        <option selected value="<%=Nationality%>"><%=Nationality%></option>

<%

     try
     {

        ResultSet rs=null;

        Statement st1=null;

        String query = "select country_code, nationality_name from nationality_lkup ";

        st1 = conn1.createStatement();

        rs = st1.executeQuery(query);

        while(rs.next())    
    {

%>
    <option value="<%=rs.getString("country_code")%>" >
        <%=rs.getString("nationality_name")%></option>
<%
        }

    }
    catch (Exception e) {
      e.printStackTrace();
    }
%>

            </select>

and the update statement is:

String sz_SQLUpdate = "UPDATE cir SET";
sz_SQLUpdate = sz_SQLUpdate + " , nationality ='"+Nationality+"'";

Also, how can I deal with the date format in the update statement?

+3  A: 

but when I am updating only a certain field, the other fields will be "" in the SQL statement.

I am not sure if this is the complete code (the SQL shown so far would have produced a SQL syntax exception when executed), but you should at least not put a comma between SET and the first column name.

If the SQL is actually syntactically valid, then it may simply mean that those variables are empty at the moment you access them to inline in the SQL statement. You should either prefill those variables or just leave the associated columns away from the SQL query if those don't need to be updated.

Also, I am having another problem: there is a mismatch in the date, so what is the best format to apply in the SQL statement in my jsp?

The best approach is to not worry about the format and just set a full-fledged Java object representing a timestamp in the SQL statement using PreparedStatement#setTimestamp(). Also see this recent question.


That said, you have two major problems in the code.

  1. Raw Java code in JSP files should be avoided. It only leads to trouble in all colors, not only for you, but also for others, now and in the future.

  2. This SQL is sensitive to SQL injection attacks and the JDBC code is prone to resource leaking.

It's going to be a long story to explain how to do things properly, so here are just a few links to go through carefully yourself so that you get the picture of how to do things properly.

You should probably throw away that old fashioned JSP tutorial/book you're currently reading.

BalusC
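The following is an added example written for this page; it is neither the asker's code nor BalusC's, and it illustrates the three points made in the answer at once: build the SET list only from the fields the form actually submitted (so untouched columns never become ""), bind every value through a PreparedStatement instead of concatenating it into the SQL text (so a crafted form value cannot alter the query), and pass the date as a java.sql.Timestamp via setTimestamp() rather than formatting it as a string. The table name cir and the column nationality come from the question; the columns id and birth_date, the class name CirDao and the method names are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.List;

// Added example, not the original poster's or the answerer's code.
// Assumed schema: table "cir" with a primary key "id" and the columns
// "nationality" and "birth_date". Column names live in this class only;
// nothing from the HTTP request is ever spliced into the SQL text.
public class CirDao {

    // Builds "UPDATE cir SET col = ?, ... WHERE id = ?" from the non-empty
    // fields only, then binds the values as JDBC parameters.
    // Returns the number of rows updated (0 when no field was submitted).
    public int update(Connection conn, long id, String nationality, Timestamp birthDate)
            throws SQLException {
        List<String> setClauses = new ArrayList<>();
        List<Object> params = new ArrayList<>();

        if (nationality != null && !nationality.isEmpty()) {
            setClauses.add("nationality = ?");
            params.add(nationality);
        }
        if (birthDate != null) {
            setClauses.add("birth_date = ?");
            params.add(birthDate);
        }
        if (setClauses.isEmpty()) {
            // Nothing to update; avoid emitting "UPDATE cir SET WHERE ..."
            return 0;
        }

        String sql = "UPDATE cir SET " + String.join(", ", setClauses) + " WHERE id = ?";
        params.add(id);

        // try-with-resources closes the statement even if executeUpdate throws,
        // which is the resource leak the answer warns about.
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < params.size(); i++) {
                Object p = params.get(i);
                int idx = i + 1; // JDBC parameter indexes are 1-based
                if (p instanceof Timestamp) {
                    ps.setTimestamp(idx, (Timestamp) p); // no date-literal format involved
                } else if (p instanceof Long) {
                    ps.setLong(idx, (Long) p);
                } else {
                    ps.setString(idx, (String) p);       // driver escapes the value
                }
            }
            return ps.executeUpdate();
        }
    }

    // Converts the date string submitted by the form (assumed here to be
    // yyyy-MM-dd) into a Timestamp; returns null when the field was left empty
    // so the caller can skip the column instead of writing "".
    public static Timestamp parseFormDate(String value) throws ParseException {
        if (value == null || value.trim().isEmpty()) {
            return null;
        }
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd");
        fmt.setLenient(false); // reject values such as 2010-13-45
        return new Timestamp(fmt.parse(value.trim()).getTime());
    }
}
```

Used from a servlet (or, less ideally, a JSP), the caller reads the request parameters, converts the date with parseFormDate(), and invokes update(); any Connection obtained for the request should likewise be closed in a try-with-resources block. Because the only text that reaches the SQL string is the fixed column list chosen in code, the value of the Nationality select box cannot change the statement even if someone edits the option values in the browser.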