tags:

views:

231

answers:

8
Q: 

How to give entry in the where clause when we use it in webpages?

According to the user's input I want to select the record from the database. This is my code:

<%
String jempid=request.getParameter("empid");
out.println(jempid);
int intempid=1223;
Connection conn=null;
String url="jdbc:mysql://localhost/employees";
Class.forName("com.mysql.jdbc.Driver").newInstance();
conn=DriverManager.getConnection(url,"root","");
Statement st=conn.createStatement();
ResultSet rs=st.executeQuery("select * from empdetails where empnum=jempid");
%>

It throws the following error

javax.servlet.ServletException: java.sql.SQLException: Unknown column 'jempid' in 'where clause

+1  A: 

That looks like too much code in a jsp page.... that said:

... empnum='"+jempid+"');" ......

And also when you are done be sure to close the db too

webclimber  2009-02-20 06:01:14
Yes, @rbobby, but not really relevant to the question.
paxdiablo  2009-02-20 06:10:05
A: 

Try this:

ResultSet rs=st.executeQuery(
    "select * from empdetails where empnum=" + jempid);

You need to put the value of jempid into the string, not the text "jempid".

paxdiablo  2009-02-20 06:01:17
Yes, @rbobby, but not really relevant to the question at hand. We all know you shouldn't allow injection attacks but, if you wanted to cover every way in which an answer was "wrong", they'd all end up being 10,000-word essays.
paxdiablo  2009-02-20 06:12:32
You could just as easily say we should have removed the unnecessary code as well such as "int intempid=1223;" :-)
paxdiablo  2009-02-20 06:13:45
+3  A: 

Here is your select statement:

select * from empdetails where empnum=jempid

jempid is hardcoded instead of being used as a variable. This will never work unless you change it to the variable value entered by the customer.

alter to:

"select * from empdetails where empnum=" + CleanseUserInput(jempid)

and you're good to go.

Chris Ballance  2009-02-20 06:01:32
Thanks for pointing out the sql injection risk
Chris Ballance  2009-02-20 06:14:38
And this is a prime example why you shouldn't cover everything in an answer, @rbobby. What if the jempid were a string? That would require quotes. Better to answer the question at hand rather than trying to cover all bases.
paxdiablo  2009-02-20 06:16:33
@Pax, good point, but devs are notoriously bad for allowing for sql injection attacks.
Chris Ballance  2009-02-20 06:22:54
Still, one up on my answer (and I don't like those new-fangled high-falutin' parameterized queries :-), so +1 for you.
paxdiablo  2009-02-20 06:31:47
A:  
ResultSet 
  rs=st.executeQuery("select * from empdetails where empnum=" + jempid + ";")
Learning  2009-02-20 06:04:21
A: 

Thanks a lot guys.. Ooooooops! what a silly mistake..

 2009-02-20 06:05:44
A:  
"select * from empdetails where empnum="+jempid

But you really want to protect this against SQL injections!

x-way  2009-02-20 06:06:12
+5  A: 

It's a bad idea to construct SQL using string concatenation - you're just opening yourself up to a SQL injection attack -- ESPECIALLY considering that you're getting the value of "empid" directly from the request. Yikes!

A better approach is use a parametrized query such as below:

PreparedStatement st=conn.prepareStatement("select * from empdetails where empnum=?");
st.setString(1, jempid);
ResultSet rs=st.executeQuery();

Also you should check that jempid is not null.

Marc Novakowski  2009-02-20 06:11:11
Good to encompass all cases, but really the only problem here was that he forgot to make jempID a variable. This much effort might further confuse one who wrote the original code.
Chris Ballance  2009-02-20 06:29:22
@Chris, right - but other developers who come here can always learn other ways of doing this.
Shivasubramanian A  2009-02-20 06:35:00
If someone asks you "Hey - why can't I shoot myself in the foot?" -- do you cock the gun or take it away from them?
Marc Novakowski  2009-02-20 07:21:56
Okay maybe a bad analogy, but @Shivasubramanian basically said it - if someone is reading this page either to copy/paste code or (hopefully) to learn, I'd rather have them learn the proper way to construct SQL than just concatenating strings.
Marc Novakowski  2009-02-20 07:26:35
A: 

In contrast to other responses, why not use a PreparedStatement?

Basically, you'll have to code like this:

PreparedStatement st=conn.prepareStatement("select * from empdetails where empnum=?");
st.setString(1, jempId);
ResultSet rs=st.executeQuery();

The reason you should use PreparedStatements is because of SQL Injection issues. For example, using the code you posted in the question, a hacker can always type "1;delete * from empdetails" in the textbox from which you select jempid.

Thus the final query formed would be

select * from empdetails where empnum=1;delete * from empdetails

which would result in all data in empdetails getting deleted.

So always use PreparedStatements!!

Shivasubramanian A  2009-02-20 06:18:32

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?