
Pass js value to select where clause

 
M Ryder
Greenhorn
Posts: 9
Hi,
I am trying to take the values from a hidden field created with a js function and pass them into a select...from...where clause and can't seem to get the syntax right. The js function stores the values like ("cat,dog") but for the where clause I need them to be like ("cat","dog"). I am not sure whether this is more a js question or jdbc question, so please forgive me if I am in the wrong forum. I will attach my function. Thanks in advance for any suggestions.
 
Scott Selikoff
author
Saloon Keeper
Posts: 3897
I'm a little worried about your use of JavaScript + JDBC... are you familiar with SQL Injection? The best approach is to write JavaScript code that passes to a Java function, which relies on PreparedStatements for any and all queries (sanitizes inputs and helps prevent SQL injection).

For projections (when you want to select specific columns), it's better to have the values inserted from within the Java tier and not to pass user input directly, such as retrieving all columns from the database and filtering out the unneeded ones, or using logic that inserts a fixed string column name based on the presence or absence of values. It's *never* a good idea to allow user input directly into a SQL statement; that's just asking for someone to hack your website.



Also, you can use the Java.split() command to split the input on the "," and use a PreparedStatement to properly format the data.
[ May 01, 2008: Message edited by: Scott Selikoff ]
 
M Ryder
Greenhorn
Posts: 9
Thanks Scott. The javascript function creates a hidden variable which is passed to a servlet. The servlet then pulls the variable into the where clause.
 
Scott Selikoff
author
Saloon Keeper
Posts: 3897
But there's no such thing as 'hidden' javascript values. Javascript is wide open and can be easily manipulated. I'm just saying I hope you're not putting the text directly into a database query (but if you are, feel free to share this website, since it would be wide open).
[ May 01, 2008: Message edited by: Scott Selikoff ]
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64188
Originally posted by M Ryder:
Thanks Scott. The javascript function creates a hidden variable which is passed to a servlet. The servlet then pulls the variable into the where clause.

Trying to have your JavaScript format things as appropriate for JDBC is where your problem lies. Just pass raw data back to the server and let Java code determine what re-formatting is necessary in order to make it work with the JDBC.

Making JDBC considerations visible at the JavaScript layers would be a violation of Separation of Concerns. Your JS shouldn't have to know how the data is to be used.
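Added example (not code from any poster in this thread) that puts Scott's advice (split on "," in Java, bind with a PreparedStatement) and Bear's advice (send the raw "cat,dog" string and let the server reshape it) into one servlet-side helper. The table and column names (pets, species, name), the class name and the hidden-field value are all assumptions for illustration; the servlet API is left out so the class compiles with the JDK alone, and the caller passes in an open java.sql.Connection.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example. The browser sends the hidden field exactly as the JS built it,
 * e.g. "cat,dog"; nothing on the client is trusted or SQL-formatted.
 * Table/column names (pets, species, name) are assumed for this illustration.
 */
public class SpeciesLookup {

    /** Server-side split of the raw field: trim each piece, drop empties. */
    static List<String> splitValues(String raw) {
        List<String> out = new ArrayList<>();
        if (raw == null) return out;
        for (String part : raw.split(",")) {
            String v = part.trim();
            if (!v.isEmpty()) out.add(v);
        }
        return out;
    }

    /**
     * Builds "SELECT name FROM pets WHERE species IN (?, ?, ...)" with one
     * placeholder per value. Only the COUNT of placeholders depends on user
     * input; the user's text never touches the SQL string.
     */
    static String inQuery(int n) {
        if (n < 1) throw new IllegalArgumentException("need at least one value");
        StringBuilder sb = new StringBuilder("SELECT name FROM pets WHERE species IN (");
        for (int i = 0; i < n; i++) sb.append(i == 0 ? "?" : ", ?");
        return sb.append(")").toString();
    }

    /** VULNERABLE form the thread warns against: the raw field pasted into the SQL. */
    static String unsafeQuery(String raw) {
        return "SELECT name FROM pets WHERE species IN ('" + raw.replace(",", "','") + "')";
    }

    /** Safe lookup: split in Java, then bind every value via setString. */
    static List<String> findNames(Connection conn, String rawField) throws SQLException {
        List<String> values = splitValues(rawField);
        List<String> names = new ArrayList<>();
        if (values.isEmpty()) return names;          // nothing to look up
        try (PreparedStatement ps = conn.prepareStatement(inQuery(values.size()))) {
            for (int i = 0; i < values.size(); i++) {
                ps.setString(i + 1, values.get(i));  // JDBC parameters are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) names.add(rs.getString("name"));
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Normal input the JS function produces:
        String normal = "cat,dog";
        System.out.println(inQuery(splitValues(normal).size()));

        // A tampered hidden field (anyone can edit it in the browser). With string
        // concatenation the quote breaks out of the literal; with binding it is
        // just a value that matches no row.
        String tampered = "cat') OR ('1'='1";
        System.out.println("UNSAFE: " + unsafeQuery(tampered));
        System.out.println("SAFE:   " + inQuery(splitValues(tampered).size())
                + "  bound values: " + splitValues(tampered));
    }
}
```

Two practical caveats a reviewer would add: most drivers cap the number of bind parameters per statement (Oracle's IN list limit is 1000 elements, for instance), so reject or chunk an oversized list rather than letting a client send an arbitrarily long one; and binding protects the WHERE values only, so if the client also chooses columns (Scott's projection point), map its choice onto a fixed whitelist of column names in Java instead of binding or concatenating it.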
 