Error in output

Dhivya rajagopal
Ranch Hand

Joined: Dec 15, 2010
Posts: 42
Hi, I have created 1 login form.
Data source name - loginform
Table name - loginforms
The table contains 2 fields - name and password. I have created 3 forms. The first form's name is "Login". In this form, I have placed 2 labels for user name and password, 1 textfield, 1 passwordfield, and 4 buttons for submit, clear, exit, login. After entering the values, if I click the submit button, the values entered will be stored in the database. If I click the login button, it displays another form, namely "LoginPage".
In this form, I have placed 2 labels for user name and password, 1 textfield, 1 passwordfield, and 2 buttons for submit and update. After entering the values, if I click the submit button, it matches both username and password; if both match, it will show another form, namely "WelcomePage". Otherwise it will display "invalid username and password".
If I click the update button, the text entered in the passwordfield should be updated instead of the old password.
I entered the following code to update the values, but it shows an error.

It shows the following error
Exception:java.sql.SQLException: [Microsoft][ODBC SQL Server Driver][SQL Server]The name 'password' is not permitted in this context. Only constants, expressions, or variables allowed here. Column names are not permitted.

Can you please tell me how to resolve the error?
Matthew Brown

Joined: Apr 06, 2010
Posts: 4344


OK, first of all, that's not the syntax for a SQL INSERT statement - you need to recheck what it ought to look like.

Secondly, even once you've fixed it that's an injection attack waiting to happen. What happens if someone enters a string with a single quote in it, for instance? Your SQL statement will break (possibly with serious consequences). You should never create a SQL statement by sticking strings together like that. Instead, use a PreparedStatement with bind variables. See for an example of how to do it.
Rob Spoor

Joined: Oct 27, 2005
Posts: 19656

What do you need to do? Insert a new record, or update an existing one? You should use the following syntax for those (for use in PreparedStatement as Matthew suggested):
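
Added example, not written by any poster in this thread: the insert, update and login check described in the question, done with PreparedStatement bind variables against the table `loginforms` and its columns `name` and `password` from the first post. The class name `LoginFormDao`, the method names and the JDBC URL passed as the first command-line argument are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginFormDao {
    // Table and column names are the ones given in the question.
    // The SQL text is constant; user input only ever travels as a bound value.
    private static final String INSERT_SQL =
        "INSERT INTO loginforms (name, password) VALUES (?, ?)";
    private static final String UPDATE_SQL =
        "UPDATE loginforms SET password = ? WHERE name = ?";
    private static final String MATCH_SQL =
        "SELECT 1 FROM loginforms WHERE name = ? AND password = ?";

    // "Submit" on the first form: store a new name/password row.
    static int insertUser(Connection con, String name, String password) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            ps.setString(1, name);
            ps.setString(2, password);
            return ps.executeUpdate();
        }
    }

    // "Update" on the second form: replace the old password for this name.
    static int updatePassword(Connection con, String name, String newPassword) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(UPDATE_SQL)) {
            ps.setString(1, newPassword);
            ps.setString(2, name);
            return ps.executeUpdate(); // 0 rows updated means no such name
        }
    }

    // "Submit" on the second form: true only if both values match a row.
    static boolean matches(Connection con, String name, String password) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(MATCH_SQL)) {
            ps.setString(1, name);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0] is the JDBC URL of your own database (assumption).
        try (Connection con = DriverManager.getConnection(args[0])) {
            String name = "O'Brien"; // constructed input containing a single quote
            insertUser(con, name, "first");
            updatePassword(con, name, "it's new");
            System.out.println("login ok: " + matches(con, name, "it's new"));
        }
    }
}
```

The single quotes in the constructed name and password are stored and compared as ordinary characters, because the driver sends them as parameter values rather than splicing them into the statement text.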
