JavaRanch » Java Forums » Java » Servlets
getting parameter from database but i am getting blank webpage

sachin pate
Greenhorn

Joined: May 03, 2013
Posts: 18
First.jsp


Search.java


web.xml
Niraj Jha
Ranch Hand

Joined: Feb 20, 2013
Posts: 63

what parameter are you talking about?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39547
Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.

In line 36-39 of the servlet, you need to surround the data you're getting from the DB by quotes, otherwise there's an almost certainty that the HTML will end up broken and non-functional.

What happens if you execute the same SQL statement that the servlet sends directly against the DB?

By the way, it's good practice to call trim() on any string you receive through an HTML form - people often type extraneous spaces without realizing it.


Ping & DNS - updated with new look and Ping home screen widget
Mansukhdeep Thind
Ranch Hand

Joined: Jul 27, 2010
Posts: 1157

Ulf Dittmer wrote:Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.


If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?

@ Sachin :



This is a bad practice. Be as specific as you can about the exception that your code might throw, in this case an SQLException. Otherwise, when you are dealing with an entire application which has hundreds of source files, isolation of the issue becomes tedious.


~ Mansukh
J. Kevin Robbins
Ranch Hand

Joined: Dec 16, 2010
Posts: 632

sachin pate wrote:


This will burn you every time. Always put your servlet in a package and use the full class name in the <servlet-class> entry.

Without a package defined you are telling the servlet container to look in the current directory and you have no idea what that is, nor can you control it.


"There is no reason for any individual to have a computer in his home" ~ Ken Olson, Co-founder of DEC, 1977
Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1666

Mansukhdeep Thind wrote:
Ulf Dittmer wrote:Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.

If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?


No, SQL injection is a security vulnerability, which in this case can be exploited, because the query String is concatenated with unsanitized user input directly and executed using Statement.
To prevent this you should make proper use of PreparedStatement, and add user input as query parameters.

Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
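The three fixes recommended in this thread (Ulf's and Jelle's PreparedStatement advice plus quoting the DB values written into the HTML, Ulf's trim() tip, and Mansukh's point about catching SQLException rather than Exception) put together in one servlet. This is an added example, not the original poster's Search.java; it assumes the javax.servlet API, a JNDI DataSource registered as jdbc/appDS, a hypothetical table products(id, name) and a form field named term, none of which appear in the thread.

```java
// Added example (not the poster's Search.java). Assumes: javax.servlet API,
// a JNDI DataSource "jdbc/appDS", a hypothetical table products(id, name)
// and a form field "term". None of these names come from the original post.
package com.example.search; // packaged, so web.xml can name com.example.search.SearchServlet

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class SearchServlet extends HttpServlet {

    // The pattern the thread warns against (kept only as a comment):
    //   stmt.executeQuery("SELECT id, name FROM products WHERE name = '" + term + "'");
    // whatever the user types becomes part of the SQL text itself.

    // Parameterised query: the value is bound separately from the SQL text,
    // so user input can never change the structure of the statement.
    private static final String FIND_BY_NAME =
        "SELECT id, name FROM products WHERE name = ?";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // trim() form input: users type stray spaces without noticing.
        String term = req.getParameter("term");
        term = (term == null) ? "" : term.trim();

        // Run the query before writing any output, so an error can still
        // become a proper HTTP status instead of a half-written page.
        List<String[]> rows = new ArrayList<String[]>();
        try (Connection con = lookupDataSource().getConnection();
             PreparedStatement ps = con.prepareStatement(FIND_BY_NAME)) {
            ps.setString(1, term); // bound as data, never spliced into SQL
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(new String[] { rs.getString("id"), rs.getString("name") });
                }
            }
        } catch (SQLException e) {
            // Catch the specific exception, not Exception, so the failure
            // stays attributable to the database layer.
            log("product lookup failed for term=" + term, e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><select name=\"product\">");
        for (String[] row : rows) {
            // DB values are both quoted and escaped before they reach the HTML,
            // so a name containing a quote or '<' cannot break the markup.
            out.println("<option value=\"" + escapeHtml(row[0]) + "\">"
                    + escapeHtml(row[1]) + "</option>");
        }
        out.println("</select></body></html>");
    }

    private DataSource lookupDataSource() throws ServletException {
        try {
            return (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDS");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/appDS is not configured", e);
        }
    }

    // Minimal escaping for HTML text nodes and double-quoted attribute values.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Because the class is in a package, the matching web.xml entry would name it by its full class name (com.example.search.SearchServlet), which is the point Kevin raises above about the container otherwise having no defined place to look for the class.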