Error in output

Dhivya rajagopal
Ranch Hand

Joined: Dec 15, 2010
Posts: 42
Hi, I have created 1 login form
data source name - loginform
table name - loginforms
The table contains 2 fields - name and password. I have created 3 forms. The first form's name is "Login". In this form, I have placed 2 labels for user name and password, 1 textfield, 1 passwordfield, and 4 buttons for submit, clear, exit, login. After entering the values, if I click the submit button then the values entered will be stored in the database. If I click the login button, it displays another form, namely "LoginPage".
In this form, I have placed 2 labels for user name and password, 1 textfield, 1 passwordfield, and 2 buttons for submit and update. After entering the values, if I click the submit button, it matches both username and password; if both match, it will show another form, namely "WelcomePage". Otherwise it will display "invalid username and password".
If I click the update button, the text entered in the passwordfield should be updated instead of the old password.
I entered the following code to update the values, but it shows an error

It shows the following error
Exception:java.sql.SQLException: [Microsoft][ODBC SQL Server Driver][SQL Server]The name 'password' is not permitted in this context. Only constants, expressions, or variables allowed here. Column names are not permitted.

Can you please tell me how to resolve the error?
Matthew Brown
Bartender

Joined: Apr 06, 2010
Posts: 4377
    
    8

Hi,

OK, first of all, that's not the syntax for a SQL INSERT statement - you need to recheck what it ought to look like.

Secondly, even once you've fixed it that's an injection attack waiting to happen. What happens if someone enters a string with a single quote in it, for instance? Your SQL statement will break (possibly with serious consequences). You should never create a SQL statement by sticking strings together like that. Instead, use a PreparedStatement with bind variables. See http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html for an example of how to do it.
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19685
    
  20

What do you need to do? Insert a new record, or update an existing? You should use the following syntax for those (for use in PreparedStatement as Matthew suggested):


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions