Hi, I have created 1 login form
data source name-loginform
table name - loginforms
The table contains 2 fields - name and password. I have created 3 forms. The first form's name is "Login". In this form, I have placed 2 labels for user name and password, 1 textfield, 1 passwordfield, and 4 buttons for submit, clear, exit, login. After entering the values, if I click the submit button then the values entered will be stored in the database. If I click the login button, it displays another form, namely "LoginPage".
In this form, I have placed 2 labels for user name and password, 1 textfield, 1 passwordfield, and 2 buttons for submit and update. After entering the values, if I click the submit button, it matches both username and password; if both match, it will show another form, namely "WelcomePage". Otherwise it will display "invalid username and password".
If I click the update button, the text entered in the passwordfield should be updated instead of the old password.
I entered the following code to update the values, but it shows an error.
It shows the following error:
Exception:java.sql.SQLException: [Microsoft][ODBC SQL Server Driver][SQL Server]The name 'password' is not permitted in this context. Only constants, expressions, or variables allowed here. Column names are not permitted.
OK, first of all, that's not the syntax for a SQL INSERT statement - you need to recheck what it ought to look like.
Secondly, even once you've fixed it that's an injection attack waiting to happen. What happens if someone enters a string with a single quote in it, for instance? Your SQL statement will break (possibly with serious consequences). You should never create a SQL statement by sticking strings together like that. Instead, use a PreparedStatement with bind variables. See http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html for an example of how to do it.
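The bind-variable approach recommended in the answer, applied to the three button actions from the question, as an added example that is not part of the original thread. The table `loginforms` and its columns `name` and `password` come from the question; the class name `LoginDao`, its method names, and the JDBC URL passed as the first command-line argument are assumptions, and a JDBC driver for the database must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical helper class (not from the thread). User input is only ever
// passed through setString(), never concatenated into the SQL text.
public class LoginDao {
    private final Connection conn;
    public LoginDao(Connection conn) { this.conn = conn; }

    // "Submit" on the Login form: store a new name/password row.
    public void register(String name, String password) throws SQLException {
        String sql = "INSERT INTO loginforms (name, password) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, password);
            ps.executeUpdate();
        }
    }

    // "Submit" on LoginPage: true when a row matches both values.
    public boolean matches(String name, String password) throws SQLException {
        String sql = "SELECT 1 FROM loginforms WHERE name = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) { return rs.next(); }
        }
    }

    // "Update" on LoginPage: replace the stored password for this name.
    public boolean updatePassword(String name, String newPassword) throws SQLException {
        String sql = "UPDATE loginforms SET password = ? WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, newPassword);
            ps.setString(2, name);
            return ps.executeUpdate() > 0;   // false when no such user exists
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0] is the JDBC URL (assumption); sample values are constructed.
        try (Connection c = DriverManager.getConnection(args[0])) {
            LoginDao dao = new LoginDao(c);
            dao.register("o'brien", "pass'word");   // quotes are stored as data
            System.out.println(dao.updatePassword("o'brien", "new'pass"));
            System.out.println(dao.matches("o'brien", "new'pass"));
        }
    }
}
```

Because each value is sent as a bound parameter, a single quote in the name or password cannot change the structure of the statement, which is the failure the answer warns about.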