JavaRanch » Java Forums » Databases » JDBC
is this statement correct?

mary bate
Greenhorn

Joined: Jul 30, 2004
Posts: 12
String employee_name=request.getParameter("employee_name");

String queryText = "insert into sshl_account_application (employee_name)values('" + request.getParameter('employee_name')");
Afroz Ahmed
Ranch Hand

Joined: Jan 18, 2004
Posts: 64
Hai,
The query is not correctly concatenated. Here is the modified one:

String employee_name=request.getParameter("employee_name");
String queryText = "insert into sshl_account_application (employee_name)values('" + request.getParameter("employee_name") +"')" ;



The value of an idea lies in the usage of it.
Ameya Thakur
Ranch Hand

Joined: Feb 04, 2004
Posts: 43
Hi Mary,

The Corrected Query is

String queryText = "insert into sshl_account_application (employee_name) values('" +request.getParameter('employee_name')+")";

Regards

Ameya
Ameya Thakur
Ranch Hand

Joined: Feb 04, 2004
Posts: 43
Hi,

String queryText = "insert into sshl_account_application (employee_name) values(" +request.getParameter('employee_name')+")";

Regards

Ameya
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Please promise me that this is just some code to play around with, and that you will never, ever allow anything like this into any kind of production environment. Allowing an HTTP request parameter into your SQL text like this means that a malicious user can do anything they like with your database through SQL injection.

In production, you should always use a PreparedStatement here.

- Peter
[ August 05, 2004: Message edited by: Peter den Haan ]
Don't get me started about those stupid light bulbs.
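As an added example that is not part of the thread, the PreparedStatement form Peter recommends, written against the table and column named in the question. The JDBC URL, the existence of the sshl_account_application table, and the length limit on the name are assumptions for this example; the concatenated builder is kept only to show, with a legitimate name containing an apostrophe, why the string form produces invalid SQL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example (not code from the thread): inserting an HTTP request
 * parameter with a bound parameter instead of string concatenation.
 */
public class AccountApplicationDao {

    // Table and column come from the thread; the rest of the schema is assumed.
    private static final String INSERT_SQL =
        "insert into sshl_account_application (employee_name) values (?)";

    /**
     * Inserts the employee name as a bound parameter. The driver sends the
     * value separately from the SQL text, so quotes or SQL keywords inside
     * the name are stored literally rather than interpreted as SQL.
     * The 100-character limit is an assumed application rule, not a JDBC one.
     */
    public static int insertEmployee(Connection conn, String employeeName) throws SQLException {
        if (employeeName == null || employeeName.isBlank() || employeeName.length() > 100) {
            throw new IllegalArgumentException("employee_name missing or too long");
        }
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            ps.setString(1, employeeName);
            return ps.executeUpdate();
        }
    }

    /**
     * The concatenated form from the thread, kept only to show why it breaks:
     * an ordinary name such as O'Brien yields "...values('O'Brien')", which is
     * not valid SQL. The same mechanism is what makes the form injectable.
     */
    static String concatenatedSql(String employeeName) {
        return "insert into sshl_account_application (employee_name) values('" + employeeName + "')";
    }

    public static void main(String[] args) throws SQLException {
        if (args.length != 1) {
            System.err.println("usage: java AccountApplicationDao <jdbc-url>");
            return;
        }
        // Shows the broken literal produced by concatenation for a legitimate value.
        System.out.println(concatenatedSql("O'Brien"));
        try (Connection conn = DriverManager.getConnection(args[0])) {
            // In a servlet this value would come from request.getParameter("employee_name").
            int rows = insertEmployee(conn, "O'Brien");
            System.out.println("rows inserted: " + rows);
        }
    }
}
```

The placeholder `?` is never spliced into the SQL text on the client side; `setString` hands the value to the driver as data, so `O'Brien` (or anything else the user types) ends up in the column exactly as submitted, and the statement text sent to the database is always the constant INSERT_SQL.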