JavaRanch » Java Forums » Databases » JDBC
Code for Display Calculation salary slip code for eid

Ronak Trivedi
Greenhorn

Joined: Feb 23, 2012
Posts: 6
Hello sir, I am trying to write code to display a salary slip. This code is used for inputting the eid and displaying the salary slip, but I have no idea what to do next.
<%--
Document : Salary
Created on : Mar 24, 2012, 11:27:02 PM
Author : Rushi
--%>

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Salary Result</title>
</head>
<body>
<%@ page import="java.sql.*" language="java" %>
<%@ page import="java.io.*"%>
<%
try
{

String eid=null,uname;
String salary,hra,da,pf,gross,net,sal;
String eid2=request.getParameter("eid");
String uname1=request.getParameter("uname");
String salary1=request.getParameter("salary");

Connection con = null;
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
con = DriverManager.getConnection("jdbc:odbc:Employee","system","tiger");
Statement stmt = con.createStatement();
// the eid request parameter is concatenated straight into the SQL text (see the replies on SQL injection)
ResultSet rs = stmt.executeQuery("select * from EMPLOYEE where eid="+eid2+"");
if(rs.next()){
%>
<table border="1" align="center">
<tr><td>EID</td><td><input type="text" value="<%=rs.getString("eid")%>"> </td></tr>
<tr><td>Uname</td><td><input type="text" value="<%=rs.getString("uname")%>"> </td></tr>
</table>
<%
if(?)

{

}

{

}

}
rs.close();
stmt.close();
con.close();
}
catch(Exception e)
{
out.println(e);
}
%>
</body>
</html>
after inputting eid, show ename
and the calculation of hra, da, pf, gross, nsal.
Suddenly it goes blank; please help me sir.
and saving another table
Thank you
Tim Moores
Rancher

Joined: Sep 21, 2011
Posts: 2408
You need to read up urgently on what SQL injection is, and how to prevent it.
Sachin Kadian
Ranch Hand

Joined: Jan 24, 2012
Posts: 33

this must be
Rob Spoor
Sheriff

Joined: Oct 27, 2005
Posts: 19794
No, it doesn't. First of all, the () pair is completely useless. It's only required for nesting (mostly of WHERE clauses) and function calls, and your example shows neither. The '' pair is also unnecessary if the employee ID is a numeric value. There still is the danger of SQL injection, but your code doesn't solve that at all.


SCJP 1.4 - SCJP 6 - SCWCD 5 - OCEEJBD 6
How To Ask Questions How To Answer Questions
Sachin Kadian
Ranch Hand

Joined: Jan 24, 2012
Posts: 33
I am not talking about the pair of () but about ' '. We must enclose variables in '"++"', I think.
Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3611
Sachin Kadian wrote: I am not talking about the pair of () but about ' '. We must enclose variables in '"++"', I think.

No. This is only true for text literals, numeric literals go without quotes.

The code might be working even with numbers enclosed in quotes, but this introduces another potential bug related to implicit conversion. However, compared to the SQL injection vulnerability, this is an insignificant issue.
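The fix the replies point to is to stop splicing the request parameter into the SQL text and bind it as a typed parameter instead. The following is an added example, not code from this thread: it uses Python's sqlite3 with an in-memory stand-in for the EMPLOYEE table (constructed rows) to put the JSP's concatenation beside the parameterized form, which is what JDBC's PreparedStatement with setInt() gives you in Java, and it also shows why a numeric eid needs no quotes once it is bound.

```python
import sqlite3

# Constructed rows standing in for the thread's EMPLOYEE table (eid, uname, salary).
SAMPLE_ROWS = [(1, "Ronak", 30000), (2, "Rushi", 42000), (3, "Sachin", 25000)]


def open_db():
    """Create an in-memory EMPLOYEE table so the example runs without any server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE EMPLOYEE (eid INTEGER PRIMARY KEY, uname TEXT, salary INTEGER)")
    con.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def lookup_unsafe(con, eid_param):
    """The JSP's pattern: the request parameter is spliced into the SQL text, so
    whatever the client sends is handed to the database's SQL parser."""
    sql = "select * from EMPLOYEE where eid=" + eid_param
    return con.execute(sql).fetchall()


def lookup_safe(con, eid_param):
    """Hardened form: check that eid is numeric, then bind it as a typed parameter.
    This is what PreparedStatement.setInt() does in JDBC; the value never reaches
    the SQL parser, so it needs no quotes and cannot change the query."""
    try:
        eid = int(eid_param)
    except ValueError:
        raise ValueError(f"eid must be an integer, got {eid_param!r}") from None
    sql = "select eid, uname, salary from EMPLOYEE where eid=?"
    return con.execute(sql, (eid,)).fetchall()


def compare(eid_param):
    """Run one request parameter through both forms and report what each did."""
    con = open_db()
    report = {}
    try:
        report["unsafe"] = lookup_unsafe(con, eid_param)
    except sqlite3.OperationalError as e:
        report["unsafe"] = f"SQL error: {e}"  # the parameter was parsed as SQL
    try:
        report["safe"] = lookup_safe(con, eid_param)
    except ValueError as e:
        report["safe"] = f"rejected: {e}"  # never reached the database
    con.close()
    return report
```

With a well-formed id both forms return the same row; with a non-numeric value the concatenated form produces a SQL error because the input was parsed as part of the statement, while the bound form rejects it before any query is sent.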