Issue in getting a proper result in the ResultSet obj

Hi,

Can you tell me why this is not working

ResultSet rs = stat.executeQuery("SELECT \"Agent_ID\" from \"Opex_Agent_B\" where \"Agent_Name\"='agent_val'");
I got agent_val from here : String agent_val = req.getParameter("agent_drp_dwn");. And when I try to print agent_val by System.out.println("Agent Name: " + agent_val);
It give me a Proper value, which is "Leo Joseph"

and the best part is when I write the above query with the static name.......IT WORKS
ResultSet rs = stat.executeQuery("SELECT \"Agent_ID\" from \"Opex_Agent_B\" where \"Agent_Name\"='Leo Joseph'");
I dont understand the point, if getParameter is not working then how come it is able to print right value. And if that is not the problem then how come I am able to print correct value through agent_val but the query does not recognize it???

Please Help,
Thanks & Regards,
Saurabh.
[ November 23, 2007: Message edited by: Saurabh Joshi ]

In your first code you are looking for the literal name "agent_val". You probably want to do this:
ResultSet rs = stat.executeQuery("SELECT \"Agent_ID\" from \"Opex_Etrade_Agent_B\" where \"Agent_Name\"='" + agent_val + "'");
This is very insecure though, and very open to SQL injection (look it up on Google). This basically means people can execute queries you don't want them to, including dropping your table or database!

You can prevent this by using a PreparedStatement:
PreparedStatement stat = connection.prepareStatement("SELECT \"Agent_ID\" FROM \"Opex_Etrade_Agent_B\" WHERE \"Agent_Name\"=?"); stat.setString(1, agent_val); ResultSet rs = stat.executeQuery();

Hi Rob,

Thanks for your reply.
I will certianly look into what you have told me
I am getting that value from a drop down box, so is that still very unsecure?

And yes thanks a lot for the update on that line. I know that was a silly mistake.

Please suggest.
Saurabh.
[ November 23, 2007: Message edited by: Saurabh Joshi ]

I am getting that value from a drop down box, so is that still very unsecure?

Yes. It doesn't matter what form control you use. Your form control will just submit a value as text and it is trivial to change that value to something harmful.

Ok I will remember this.
thanks.

If someone just follows your webpages then it should be safe. However, nothing prevents him from using some command line tool or anything and making a request with his own, harmful, request parameters.

If you're using GET, he doesn't even need a command line tool - he can just modify the address in the address bar!