
not able to get values into database

Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
I am not able to get values into my database; only dob is getting inserted, the rest of the fields are getting 0 value.
Here is my code:

RegistrationService.java


RegistrationServlet.java



RegistrationClass.java


And my registration.jsp is simply a registration form.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
You should not use the JDBC/ODBC driver in web apps; it's buggy, it's slow and -most importantly- not thread-safe. There's also no need to register the driver for each access - do it once in the init method of the servlet and be done with it. And you should close each connection you open (unless you're using a connection pool, but let's get the basics right first before delving into that).

You also urgently need to read up on what SQL injection is, and how to avoid it. The web is a hostile place, and this code invites attacks as it is: http://www.coderanch.com/how-to/java/SecurityFaq#web-apps

Are you getting any error messages in the log files?
Nicola Garofalo
Ranch Hand

Joined: Apr 10, 2010
Posts: 308
May I please see the registration.jsp code? In particular the piece of code where you define the input tags (txt_name, txt_email, txt_address)?
Thanks


Bye,
Nicola
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Here is my registration.jsp:



But they are successfully posting to RegistrationServlet; there I'm also simply printing these values, so I don't think this page has any problem.
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Thank you.

Tim Moores wrote: You should not use the JDBC/ODBC driver in web apps

Then which driver should I use?

And no, it's not showing me any error; values are being inserted into the database, but all are 0 except the date of birth.
Nicola Garofalo
Ranch Hand

Joined: Apr 10, 2010
Posts: 308
Everything seems to be OK. What are the name, email, address, gender datatypes in your database?
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Ah, I didn't change my database datatype; it's int.
Everything is working fine now.
I apologize for this.

One more thing I want to know: if this registration code is for some e-commerce website, how can I provide more security for it,
as well as for the login code?
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Even if it works now, you should follow all the advice I gave in my earlier reply. Don't even think about making this publicly available without addressing the SQL injection vulnerability. And you should definitely read the articles about web app security I linked to (and implement what they tell you). Not doing so might arguably constitute criminal negligence, especially on an e-commerce site.
Rajesh Khan
Ranch Hand

Joined: Oct 16, 2011
Posts: 230
Tim Moores wrote:You should not use the JDBC/ODBC driver in web apps; it's buggy, it's slow and -most importantly- not thread-safe. There's also no need to register the driver for each access - do it once in the init method of the servlet and be done with it. And you should close each connection you open (unless you're using a connection pool, but let's get the basics right first before delving into that).

You also urgently need to read up on what SQL injection is, and how to avoid it. The web is a hostile place, and this code invites attacks as it is: http://www.coderanch.com/how-to/java/SecurityFaq#web-apps

Are you getting any error messages in the log files?

Which one should be preferred if ODBC/JDBC are not to be used??
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Surely I will read.
But still, which driver should I use instead of JDBC/ODBC?
Are you talking about a pure Java driver (I mean type 4 drivers)?
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Yes, type 4 drivers are available free of charge for all major DBs; there's no reason to use the JDBC/ODBC bridge. Plus, ODBC may not be available on the server where this web app will end up running.
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Thank you very much for your help.
One more thing I want to know: I read this page you gave, sqlInjuction.
Is this more than enough to protect my page from sql injuctions?
And also, here I'm not able to use mysql_real_escape_string().
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
You should not create SQL statements through string concatenation, but use PreparedStatement instead. That's your first line of defence.
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Okay, thank you.
I am done with using prepared statement.
Well, is that alone sufficient against sql injunctions?

Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3606

Punit Jain wrote: Okay, thank you.
I am done with using prepared statement.
Well, is that alone sufficient against sql injunctions?

Yes, if you always use bind variables (the question marks in the statement text) for every value that came from outside of your program and bind them as a correct type (strings as strings, numbers as numbers, dates as dates etc.), you're once and for all safe from SQL injection attacks.

Note the correct term is SQL injection - the attacker uses specific input that "injects" unwanted (hostile) functionality into your statement. It does not matter much, except that if you search for resources on this topic on the web or in documents, you might miss some because of the misspelling.
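
The advice in the replies above (no string concatenation, typed bind variables, every connection closed), as an added example that is not code from this thread. The table `registration`, its columns, the class name `RegistrationDao` and the injected `DataSource` are assumptions, since the original RegistrationService.java is not shown.

```java
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.sql.DataSource;

public class RegistrationDao {
    // Assumed table and column names; the thread's schema is not shown.
    private static final String INSERT_SQL =
        "INSERT INTO registration (name, email, address, gender, dob) "
        + "VALUES (?, ?, ?, ?, ?)";

    private final DataSource dataSource; // configured once, e.g. with a type 4 driver

    public RegistrationDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Pattern to avoid, kept for contrast: the input becomes part of the SQL text.
    static String concatenated(String name) {
        return "INSERT INTO registration (name) VALUES ('" + name + "')";
    }

    // Every outside value is bound to a ? with its own type.
    public int insert(String name, String email, String address,
                      String gender, String dobIso) throws SQLException {
        // Rejects anything that is not yyyy-mm-dd (IllegalArgumentException).
        Date dob = Date.valueOf(dobIso);
        // try-with-resources closes statement and connection even on failure.
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            ps.setString(1, name);
            ps.setString(2, email);
            ps.setString(3, address);
            ps.setString(4, gender);
            ps.setDate(5, dob);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed input: the apostrophe ends the string literal early,
        // so the concatenated statement is no longer the one the author wrote.
        System.out.println(concatenated("O'Brien"));
        // With insert(...), the same value is stored as data.
    }
}
```

Running `main` needs no database and prints the malformed statement that concatenation produces for an ordinary surname.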
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Thank you very much.
I have a question: if I used callable statement instead of prepared statement, would that be more secure, because the SQL code for a stored procedure is defined and stored in the database itself?
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Not really. Access privileges can be tightened down further when using stored procs compared to raw JDBC, but assuming that the DB is only accessible from your own local network -in which case access can be restricted by IP address- security reasons for and against stored procs are probably less important than software architecture concerns.
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Well, thank you Tim for explaining all; now I probably should think that my registration page is secure.
One more thing: can it now be fine for an e-commerce site?
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Security has many facets; you most likely aren't done yet. For example, what have you implemented to prevent cross-site scripting? Do you have SSL set up for everything related to login, payment and user data? Have you read through the "Guide to Building Secure Web Applications" I linked to, and made sure that all that is accounted for?
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979

Tim Moores wrote: Do you have SSL set up for everything related to login, payment and user data?

But I think this will be provided by the service provider (I mean the domain service provider).

Tim Moores wrote: have you implemented to prevent cross-site scripting

For this I will use some JavaScript.
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Punit Jain wrote:
Do you have SSL set up for everything related to login, payment and user data?

but i think this will be provided by the service provider (i mean the domain service provider)...

The actual certificate - yes. But you need to ensure that it is being used everywhere by providing proper HTTPS links, and by preventing that any sensitive data is sent (or accepted) via HTTP.

have you implemented to prevent cross-site scripting

for this i will use some java script..

This suggests that you do not understand what cross-site scripting (XSS) is, and that -given how long-standing the problem and its solutions are- you're not yet ready to develop a site for which security is important. XSS prevention has nothing to do with JavaScript - it is done entirely on the server.
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Well, any suggestions or resources where I can learn about all these web security issues?
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
Working through the links on the page I provided in my first post would be a good start.
Punit Jain
Ranch Hand

Joined: Aug 20, 2011
Posts: 979
Okay, thank you.
 