Subject: is this statement correct?

mary bate
Greenhorn
Joined: Jul 30, 2004
Posts: 12
String employee_name=request.getParameter("employee_name");
String queryText = "insert into sshl_account_application (employee_name)values('" + request.getParameter('employee_name')");

Afroz Ahmed
Ranch Hand
Joined: Jan 18, 2004
Posts: 64

Hi, the query is not correctly concatenated. Here is the modified one:
String employee_name=request.getParameter("employee_name");
String queryText = "insert into sshl_account_application (employee_name)values('" + request.getParameter("employee_name") +"')" ;
The value of an idea lies in the usage of it.

Ameya Thakur
Ranch Hand
Joined: Feb 04, 2004
Posts: 43

Hi Mary, the corrected query is
String queryText = "insert into sshl_account_application (employee_name) values('" +request.getParameter("employee_name")+")";
Regards
Ameya

Ameya Thakur
Ranch Hand
Joined: Feb 04, 2004
Posts: 43

Hi,
String queryText = "insert into sshl_account_application (employee_name) values(" +request.getParameter("employee_name")+")";
Regards
Ameya

Peter den Haan
author
Ranch Hand
Joined: Apr 20, 2000
Posts: 3252

Please promise me that this is just some code to play around with, and that you will never, ever allow anything like this into any kind of production environment. Allowing an HTTP request parameter into your SQL text like this means that a malicious user can do anything they like with your database through SQL injection. In production, you should always use a PreparedStatement here.
- Peter
[ August 05, 2004: Message edited by: Peter den Haan ]
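The point Peter makes, as an added example that is not code from the thread or from any of its posters: the concatenated INSERT the earlier posts build, placed next to the PreparedStatement form. The table and column names are the thread's; the class name `AccountApplicationInsert`, the two request values, and taking the parameter as a plain `String` (instead of `request.getParameter`) and the `Connection` as an argument are assumptions made so the code stands alone.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Added example, not code from the thread. Class name and sample values are assumed.
public class AccountApplicationInsert {

    // Vulnerable: the request parameter becomes part of the SQL text, exactly as in
    // the concatenated statements above (minus the servlet). Any quote or SQL keyword
    // in the value is parsed as SQL, not stored as data.
    static String unsafeInsertSql(String employeeName) {
        return "insert into sshl_account_application (employee_name) values('"
                + employeeName + "')";
    }

    // Hardened: the SQL text is fixed at compile time and the value travels separately
    // as a bind parameter, so quote characters in it are data, never syntax.
    static int safeInsert(Connection conn, String employeeName) throws SQLException {
        String sql = "insert into sshl_account_application (employee_name) values(?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, employeeName);   // the driver encodes the value for the database
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed values standing in for what a browser sends as ?employee_name=...
        String honest = "Mary Bate";
        String hostile = "x'); delete from sshl_account_application; --";

        // Print the SQL the concatenating version would hand to the database for each value.
        System.out.println(unsafeInsertSql(honest));
        System.out.println(unsafeInsertSql(hostile));
    }
}
```

With the hostile value, `unsafeInsertSql` closes the quoted literal and the `values(...)` list itself, appends a second statement, and comments out the trailing `')` that the template adds. Whether that second statement actually executes depends on the driver and database (many JDBC drivers refuse multiple statements per call), but the attacker still controls the SQL text that is parsed, so a subquery in place of the value works even where a second statement does not. `safeInsert(conn, hostile)` stores the whole string, quote and all, in the `employee_name` column as data.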