Code for displaying a salary slip calculation for an eid
Ronak Trivedi
Greenhorn
Joined: Feb 23, 2012
Posts: 6
Hello sir, I am trying to write code to display a salary slip. This code is used for inputting an eid and displaying the salary slip, but I have no idea what I should do.
<%--
Document : Salary
Created on : Mar 24, 2012, 11:27:02 PM
Author : Rushi
--%>
<%@ page import="java.sql.*" %>
<html>
<body>
<%
// eid2 is the employee id typed into the form (request parameter "eid")
String eid2 = request.getParameter("eid");
Connection con = null;
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
con = DriverManager.getConnection("jdbc:odbc:Employee", "system", "tiger");
Statement stmt = con.createStatement();
// the id is concatenated straight into the SQL text (the reply below explains why this is unsafe)
ResultSet rs = stmt.executeQuery("select * from EMPLOYEE where eid=" + eid2);
if (rs.next()) {
%>
<table border="1" align="center">
<tr><td>EID</td><td><input type="text" value="<%=rs.getString("eid")%>"> </td></tr>
<tr><td>Uname</td><td><input type="text" value="<%=rs.getString("uname")%>"> </td></tr>
</table>
<%
    // calculation of hra, da, pf, gross and nsal goes here (not written yet)
} else {
%>
<p>No employee found for that eid.</p>
<%
}
rs.close();
stmt.close();
con.close();
%>
</body>
</html>
After inputting the eid it should show ename and the calculation of hra, da, pf, gross and nsal, but suddenly it goes blank. Please help me sir.
It should also save to another table.
Thank you
Tim Moores
Rancher
Joined: Sep 21, 2011
Posts: 2407
You need to read up urgently on what SQL injection is, and how to prevent it.
No it doesn't. First of all, the () pair is completely useless. It's only required for nesting (mostly of WHERE clauses) and function calls, and your example shows neither. The '' pair is also unnecessary if the employee ID is a numeric value. There still is the danger of SQL injection, but your code doesn't solve that at all.
Sachin Kadian wrote: I am not talking about the pair of () but about ' '.. we must enclose variables in '"++"', I think....
No. This is only true for text literals, numeric literals go without quotes.
The code might be working even with numbers enclosed in quotes, but this introduces another potential bug related to implicit conversion. However, compared to the SQL injection vulnerability, this is an insignificant issue.
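The following is an added example, not code from the thread, that shows concretely what the reply is warning about. It rebuilds the posted query against a small constructed EMPLOYEE table in an in-memory SQLite database (the schema and rows are assumptions made for this demonstration), runs it with the id concatenated into the SQL both without and with quotes, and then runs the same lookup as a parameterised query. In the JSP the parameterised form corresponds to a java.sql.PreparedStatement with setInt() instead of Statement plus string concatenation.

```python
import sqlite3

# Constructed sample data standing in for the EMPLOYEE table in the post;
# the column set and values are assumptions made for this example.
SAMPLE_ROWS = [
    (1, "ronak", 30000),
    (2, "rushi", 45000),
    (3, "sachin", 52000),
]


def make_db():
    """In-memory SQLite database with a minimal EMPLOYEE table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE EMPLOYEE (eid INTEGER PRIMARY KEY, uname TEXT, basic INTEGER)")
    con.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def lookup_concat(con, eid2, quoted=False):
    """Builds the query by string concatenation, as the posted JSP does.

    quoted=True mimics the "'" + eid2 + "'" variant discussed in the thread.
    Both forms are injectable: whatever the caller typed becomes SQL text.
    """
    literal = "'" + eid2 + "'" if quoted else eid2
    sql = "select * from EMPLOYEE where eid=" + literal
    return con.execute(sql).fetchall()


def lookup_prepared(con, eid2):
    """Parameterised query: eid2 is bound as a value, never parsed as SQL.

    Converting the id to int first rejects anything that is not an employee
    id and matches the column's real type (the JDBC equivalent is
    PreparedStatement with setInt()).
    """
    try:
        eid = int(eid2)
    except ValueError:
        return []  # not an employee id at all; refuse rather than guess
    return con.execute("select * from EMPLOYEE where eid=?", (eid,)).fetchall()


def demo():
    """Runs each variant once and returns the rows each one produced."""
    con = make_db()
    results = {
        # the honest case: one id, one row
        "honest_concat": lookup_concat(con, "2"),
        # numeric column, no quotes: a tautology appended to the id dumps every row
        "inject_unquoted": lookup_concat(con, "2 OR 1=1"),
        # quotes around a number still work here only because SQLite converts
        # the text '2' to the integer column's type (the implicit conversion
        # mentioned in the reply); other databases may not
        "honest_quoted": lookup_concat(con, "2", quoted=True),
        # quotes do not stop injection: the attacker simply closes them first
        "inject_quoted": lookup_concat(con, "2' OR '1'='1", quoted=True),
        # parameterised: same honest result, and the payload is not SQL any more
        "honest_prepared": lookup_prepared(con, "2"),
        "inject_prepared": lookup_prepared(con, "2 OR 1=1"),
    }
    con.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16s} -> {len(rows)} row(s): {rows}")
```

Running it shows the two injected concatenations returning all three rows while the parameterised lookup returns exactly one row for a real id and nothing for the payload; the quoting question the thread argues about changes nothing about that.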