Error in output

Dhivya rajagopal
Ranch Hand

Joined: Dec 15, 2010
Posts: 42
Hi, I have created 1 login form
data source name - loginform
table name - loginforms
The table contains 2 fields - name and password. I have created 3 forms. The first form's name is "Login". In this form, I have placed 2 labels for user name and password, 1 textfield, 1 passwordfield, and 4 buttons for submit, clear, exit, login. After entering the values, if I click the submit button then the values entered will be stored in the database. If I click the login button, it displays another form, namely "LoginPage".
In this form, I have placed 2 labels for user name and password, 1 textfield, 1 passwordfield, and 2 buttons for submit and update. After entering the values, if I click the submit button, it matches both username and password; if both match, it will show another form, namely "WelcomePage". Otherwise it will display "invalid username and password".
If I click the update button, the text entered in the passwordfield should be updated instead of the old password.
I entered the following code to update the values, but it shows an error

It shows the following error
Exception:java.sql.SQLException: [Microsoft][ODBC SQL Server Driver][SQL Server]The name 'password' is not permitted in this context. Only constants, expressions, or variables allowed here. Column names are not permitted.

Can you please tell me how to resolve the error?
Matthew Brown
Bartender

Joined: Apr 06, 2010
Posts: 4460
    

Hi,

OK, first of all, that's not the syntax for a SQL INSERT statement - you need to recheck what it ought to look like.

Secondly, even once you've fixed it, that's an injection attack waiting to happen. What happens if someone enters a string with a single quote in it, for instance? Your SQL statement will break (possibly with serious consequences). You should never create a SQL statement by sticking strings together like that. Instead, use a PreparedStatement with bind variables. See http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html for an example of how to do it.
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19759
    

What do you need to do? Insert a new record, or update an existing? You should use the following syntax for those (for use in PreparedStatement as Matthew suggested):


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions
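
The password update discussed in this thread, written with bind variables, as an added example that is not code from any of the posts above. The table and column names (`loginforms`, `name`, `password`) come from the question; the class name, the sample values and the optional JDBC URL argument are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class PasswordUpdateExample {

    // Fixed SQL text; the two "?" markers are bind variables filled in at execution time.
    static final String UPDATE_SQL =
            "UPDATE loginforms SET password = ? WHERE name = ?";

    // String concatenation, kept only to show the failure: user input becomes SQL text.
    static String concatenated(String name, String newPassword) {
        return "UPDATE loginforms SET password = '" + newPassword
                + "' WHERE name = '" + name + "'";
    }

    // Bind-variable version: the values are sent separately from the statement text,
    // so a quote inside them is stored as data and cannot change the statement.
    static int updatePassword(Connection con, String name, String newPassword)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(UPDATE_SQL)) {
            ps.setString(1, newPassword);
            ps.setString(2, name);
            return ps.executeUpdate(); // rows changed; 0 means no user with that name
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample input containing single quotes.
        String name = "O'Brien";
        String newPassword = "new'pass";

        // The quotes end the string literals early, so this statement text is malformed.
        System.out.println("Concatenated: " + concatenated(name, newPassword));
        // The prepared text is the same whatever the user types.
        System.out.println("Prepared:     " + UPDATE_SQL);

        // Optional (assumption): pass the JDBC URL of a test database as the only argument.
        if (args.length == 1) {
            try (Connection con = DriverManager.getConnection(args[0])) {
                int rows = updatePassword(con, name, newPassword);
                System.out.println(rows == 1 ? "Password updated" : "No matching user");
            }
        }
    }
}
```

Run without arguments, it prints both statement texts so the unbalanced quotes in the concatenated version are visible; in the forms, the two strings would come from the textfield and the passwordfield.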
 