Pass js value to select where clause

M Ryder
Greenhorn

Joined: May 01, 2008
Posts: 9
Hi,
I am trying to take the values from a hidden field created with a js function and pass them into a select...from...where clause and can't seem to get the syntax right. The js function stores the values like ("cat,dog") but for the where clause I need them to be like ("cat","dog"). I am not sure whether this is more a js question or jdbc question, so please forgive me if I am in the wrong forum. I will attach my function. Thanks in advance for any suggestions.
Scott Selikoff
author
Saloon Keeper

Joined: Oct 23, 2005
Posts: 3716
    
    5

I'm a little worried about your use of JavaScript + JDBC... are you familiar with SQL Injection? The best approach is to write JavaScript code that passes to a Java function, which relies on PreparedStatements for any and all queries (sanitizes inputs and helps prevent SQL injection).

For projections (when you want to select specific columns), it's better to have the values inserted from within the Java tier and not to pass user input directly, such as retrieving all columns from the database and filtering out the unneeded ones, or using logic that inserts a fixed string column name based on the presence or absence of values. It's *never* a good idea to allow user input directly into a SQL statement; it's just asking for someone to hack your website.



Also, you can use the Java.split() command to split the input on the "," and use a PreparedStatement to properly format the data.
[ May 01, 2008: Message edited by: Scott Selikoff ]

My Blog: Down Home Country Coding with Scott Selikoff
M Ryder
Greenhorn

Joined: May 01, 2008
Posts: 9
Thanks Scott. The javascript function creates a hidden variable which is passed to a servlet. The servlet then pulls the variable into the where clause.
Scott Selikoff
author
Saloon Keeper

Joined: Oct 23, 2005
Posts: 3716
    
    5

But there's no such thing as 'hidden' JavaScript values. JavaScript is wide open and can be easily manipulated. I'm just saying I hope you're not putting the text directly into a database query (but if you are, feel free to share this website, since it would be wide open).
[ May 01, 2008: Message edited by: Scott Selikoff ]
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61761
    
  67

Originally posted by M Ryder:
Thanks Scott. The javascript function creates a hidden variable which is passed to a servlet. The servlet then pulls the variable into the where clause.

Trying to have your JavaScript format things as appropriate for JDBC is where your problem lies. Just pass raw data back to the server and let Java code determine what re-formatting is necessary in order to make it work with the JDBC.

Making JDBC considerations visible at the JavaScript layers would be a violation of Separation of Concerns. Your JS shouldn't have to know how the data is to be used.


[Asking smart questions] [Bear's FrontMan] [About Bear] [Books by Bear]
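The following is an added example (not code posted by anyone in this thread) showing the servlet-side approach that both Scott and Bear describe: the browser submits the hidden field untouched ("cat,dog"), and the Java tier splits it and binds each value through its own PreparedStatement placeholder, so the user's strings never become part of the SQL text. The vulnerable string-concatenation version is shown alongside for contrast. The table and column names (animals, name, owner) and the class name AnimalQuery are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not code from the original thread.
 * Table "animals" with columns "name" and "owner" is an assumption.
 */
public class AnimalQuery {

    // Anti-pattern, shown only for contrast: the hidden field is spliced
    // straight into the SQL text. A value such as  x') OR 1=1 --  changes
    // the query to  ... WHERE name IN ('x') OR 1=1 --')  and returns every row.
    static String vulnerableSql(String hiddenField) {
        return "SELECT name, owner FROM animals WHERE name IN ('"
                + hiddenField.replace(",", "','") + "')";
    }

    /** Split "cat, dog,,bird" into ["cat", "dog", "bird"]: trim and drop empties. */
    static List<String> parseValues(String hiddenField) {
        List<String> values = new ArrayList<>();
        if (hiddenField == null) {
            return values;
        }
        for (String raw : hiddenField.split(",")) {
            String v = raw.trim();
            if (!v.isEmpty()) {
                values.add(v);
            }
        }
        return values;
    }

    /** Build "SELECT name, owner FROM animals WHERE name IN (?, ?, ?)" with one ? per value. */
    static String buildSql(int count) {
        StringBuilder sql = new StringBuilder("SELECT name, owner FROM animals WHERE name IN (");
        for (int i = 0; i < count; i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        return sql.append(")").toString();
    }

    /**
     * Safe version: the SQL text contains only placeholders; each user
     * string is sent to the driver as a parameter, never as SQL. Because
     * the hidden field can be edited by anyone with a browser, the servlet
     * treats it exactly like any other untrusted request parameter.
     */
    static List<String> findOwners(Connection conn, String hiddenField) throws SQLException {
        List<String> values = parseValues(hiddenField);
        List<String> owners = new ArrayList<>();
        if (values.isEmpty()) {
            return owners;          // "IN ()" is invalid SQL, so return early
        }
        try (PreparedStatement ps = conn.prepareStatement(buildSql(values.size()))) {
            for (int i = 0; i < values.size(); i++) {
                ps.setString(i + 1, values.get(i));   // JDBC parameters are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    owners.add(rs.getString("name") + " -> " + rs.getString("owner"));
                }
            }
        }
        return owners;
    }

    public static void main(String[] args) {
        // Constructed inputs, mimicking what the hidden field might carry.
        String fromForm = "cat, dog,,bird";
        String hostile = "x') OR 1=1 --";
        System.out.println("unsafe: " + vulnerableSql(hostile));
        System.out.println("safe:   " + buildSql(parseValues(fromForm).size()));
        // findOwners(conn, fromForm) would execute the safe query on a real Connection.
    }
}
```

The number of placeholders is derived from the parsed list, not from the raw string, so a stray comma cannot desynchronize the SQL from the bound parameters. If the hidden field is also meant to choose which columns are selected, keep that decision in Java as Scott suggests: map the request value onto a fixed set of column names and never insert the request value into the projection.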
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Pass js value to select where clause