Issue in getting a proper result in the ResultSet obj

Saurabh Joshi
Hi,

Can you tell me why this is not working?


I got agent_val from here : . And when I try to print agent_val by
It gives me a proper value, which is "Leo Joseph"

and the best part is when I write the above query with the static name.......IT WORKS

I don't understand the point: if getParameter is not working, then how come it is able to print the right value? And if that is not the problem, then how come I am able to print the correct value through agent_val but the query does not recognize it?

Please Help,
Thanks & Regards,
Saurabh.
[ November 23, 2007: Message edited by: Saurabh Joshi ]
Rob Spoor
In your first code you are looking for the literal name "agent_val". You probably want to do this:

This is very insecure though, and very open to SQL injection (look it up on Google). This basically means people can execute queries you don't want them to, including dropping your table or database!

You can prevent this by using a PreparedStatement:


Saurabh Joshi
Hi Rob,

Thanks for your reply.
I will certainly look into what you have told me.
I am getting that value from a drop down box, so is that still very unsecure?

And yes thanks a lot for the update on that line. I know that was a silly mistake.

Please suggest.
Saurabh.
[ November 23, 2007: Message edited by: Saurabh Joshi ]
Paul Sturrock
I am getting that value from a drop down box, so is that still very unsecure?

Yes. It doesn't matter what form control you use. Your form control will just submit a value as text and it is trivial to change that value to something harmful.


Saurabh Joshi
Ok I will remember this.
thanks.
Rob Spoor
If someone just follows your webpages then it should be safe. However, nothing prevents him from using some command line tool or anything and making a request with his own, harmful, request parameters.

If you're using GET, he doesn't even need a command line tool - he can just modify the address in the address bar!
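
An added example, not code from any poster in this thread: it combines the two points made in the replies, binding agent_val through a PreparedStatement and checking the submitted drop-down value on the server instead of trusting the form. The table and column names, the second agent name and the class name are assumptions, and the caller supplies the JDBC Connection.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class AgentLookup {
    // Assumption: the same names the server used to render the drop-down.
    private static final Set<String> KNOWN_AGENTS = Set.of("Leo Joseph", "Ann Smith");

    // Hypothetical table and column names; the thread does not show the real schema.
    private static final String SQL = "SELECT policy_no FROM policies WHERE agent_name = ?";

    /** Rejects any submitted value the server did not itself offer in the drop-down. */
    static String requireKnownAgent(String submitted) {
        if (submitted == null || !KNOWN_AGENTS.contains(submitted)) {
            throw new IllegalArgumentException("agent_val is not one of the offered options");
        }
        return submitted;
    }

    /** Binds the value as data, so quotes in it cannot change the statement's structure. */
    static List<String> findPolicies(Connection con, String agentVal) throws SQLException {
        List<String> result = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(SQL)) {
            ps.setString(1, requireKnownAgent(agentVal));
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    result.add(rs.getString("policy_no"));
                }
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed inputs: one genuine drop-down value, one edited by the client.
        String[] submittedValues = { "Leo Joseph", "Leo Joseph' --" };
        for (String v : submittedValues) {
            try {
                System.out.println("accepted: " + requireKnownAgent(v));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + v);
            }
        }
    }
}
```

The allowlist check is defence in depth; the bound parameter alone already keeps the submitted text out of the SQL grammar, which is why it also protects free-text fields that cannot be allowlisted.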
 