
Code for Display Calculation salary slip code for eid

 
Ronak Trivedi
Greenhorn
Posts: 6
Hello sir, I am trying to write code to display a salary slip. This code is used for inputting an eid and displaying the salary slip, but I have no idea what I should do.
<%--
Document : Salary
Created on : Mar 24, 2012, 11:27:02 PM
Author : Rushi
--%>

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Salary Result</title>
</head>
<body>
<%@ page import="java.sql.*" language="java" %>
<%@ page import="java.io.*"%>
<%
try
{
    String eid=null,uname;
    String salary,hra,da,pf,gross,net,sal;
    // values submitted by the form
    String eid2=request.getParameter("eid");
    String uname1=request.getParameter("uname");
    String salary1=request.getParameter("salary");

    Connection con = null;
    Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    con = DriverManager.getConnection("jdbc:odbc:Employee","system","tiger");
    Statement stmt = con.createStatement();
    // the raw request parameter is concatenated straight into the SQL text
    ResultSet rs = stmt.executeQuery("select * from EMPLOYEE where eid="+eid2+"");
    if(rs.next()){
%>
<table border="1" align="center">
<tr><td>EID</td><td><input type="text" value="<%=rs.getString("eid")%>"> </td></tr>
<tr><td>Uname</td><td><input type="text" value="<%=rs.getString("uname")%>"> </td></tr>
</table>
<%
        if(?)   // condition left unfinished in the original post
        {
        }
        {
        }
    }
    rs.close();
    stmt.close();
    con.close();
}
catch(Exception e)
{
    out.println("Error: " + e.getMessage());
}
%>
</body>
</html>
After inputting the eid it should show the ename and the calculation of hra, da, pf, gross and nsal, but suddenly it is blank. Please help me, sir. Also, saving to another table.
Thank you
 
Tim Moores
Bartender
Posts: 2674
You need to read up urgently on what SQL injection is, and how to prevent it.
 
Sachin Kadian
Ranch Hand
Posts: 33

This must be
 
Rob Spoor
Sheriff
Posts: 20492
No it doesn't. First of all, the () pair is completely useless. It's only required for nesting (mostly of WHERE clauses) and function calls, and your example shows neither. The '' pair is also unnecessary if the employee ID is a numeric value. There still is the danger of SQL injection, but your code doesn't solve that at all.
 
Sachin Kadian
Ranch Hand
Posts: 33
I am not talking about the pair of () but about ' '. We must enclose variables in '"++"', I think....
 
Martin Vajsar
Sheriff
Posts: 3751
Sachin Kadian wrote: I am not talking about the pair of () but about ' '. We must enclose variables in '"++"', I think....

No. This is only true for text literals, numeric literals go without quotes.

The code might be working even with numbers enclosed in quotes, but this introduces another potential bug related to implicit conversion. However, compared to the SQL injection vulnerability, this is an insignificant issue.
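As an added illustration of the point the replies make (this is not code from the thread or from any of the posters), the employee lookup is recreated below in Python with an in-memory sqlite3 table standing in for the EMPLOYEE table. The first variant concatenates the request value into the SQL text exactly as the JSP does; the second validates the value as an integer and binds it as a query parameter, which is what a JDBC PreparedStatement with setInt does and is why no quotes or parentheses around a numeric id are needed. The table rows, the column names beyond eid and uname, and the inputs are all constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the thread's EMPLOYEE table.
EMPLOYEES = [(1, "alice", 50000), (2, "bob", 60000), (3, "carol", 70000)]


def make_db():
    """Create an in-memory database holding the sample EMPLOYEE table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE EMPLOYEE (eid INTEGER PRIMARY KEY, uname TEXT, salary INTEGER)"
    )
    con.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?)", EMPLOYEES)
    con.commit()
    return con


def lookup_concatenated(con, eid_param):
    """The pattern from the JSP: the request parameter is glued into the SQL.

    Whatever the client sends becomes part of the statement text, so the
    WHERE clause is no longer under the application's control.
    """
    sql = "SELECT eid, uname, salary FROM EMPLOYEE WHERE eid=" + eid_param
    return con.execute(sql).fetchall()


def parse_eid(eid_param):
    """Validate the request parameter: an employee id must be a positive integer.

    Returns None for anything else so the caller can show an error instead of
    handing the raw string to the database.
    """
    try:
        eid = int(eid_param)
    except (TypeError, ValueError):
        return None
    return eid if eid > 0 else None


def lookup_parameterized(con, eid_param):
    """Validate, then bind the id as a parameter.

    The SQL text is fixed; the driver sends the value separately, so the
    value cannot change the statement's structure and, being numeric, needs
    no quotes. JDBC equivalent: prepareStatement("... WHERE eid=?") followed
    by setInt(1, eid).
    """
    eid = parse_eid(eid_param)
    if eid is None:
        return None
    return con.execute(
        "SELECT eid, uname, salary FROM EMPLOYEE WHERE eid=?", (eid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal request: both variants return the one matching employee.
    print(lookup_concatenated(db, "2"))
    print(lookup_parameterized(db, "2"))
    # A constructed hostile value: the concatenated query returns every row
    # (the whole salary table leaks), the validated one refuses it.
    hostile = "2 OR 1=1"
    print(len(lookup_concatenated(db, hostile)), "rows from concatenated query")
    print(lookup_parameterized(db, hostile))
```

The validation step is kept separate from the query so the same check can guard whatever else the page later does with the id (the salary-slip insert into another table mentioned in the question would bind its values the same way).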
 