
getting parameter from database but i am getting blank webpage

 
sachin pate
Greenhorn
Posts: 19
First.jsp


Search.java


web.xml
 
Niraj Jha
Ranch Hand
Posts: 63
what parameter are you talking about?
 
Ulf Dittmer
Rancher
Posts: 42968
Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.

In line 36-39 of the servlet, you need to surround the data you're getting from the DB by quotes, otherwise there's an almost certainty that the HTML will end up broken and non-functional.

What happens if you execute the same SQL statement that the servlet sends directly against the DB?

By the way, it's good practice to call trim() on any string you receive through an HTML form - people often type extraneous spaces without realizing it.
 
Mansukhdeep Thind
Ranch Hand
Posts: 1158
Ulf Dittmer wrote: Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.


If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?

@ Sachin :



This is a bad practice. Be as specific as you can about the exception that your code might throw, in this case an SQLException. Otherwise, when you are dealing with an entire application which has hundreds of source files, isolation of the issue becomes tedious.
 
J. Kevin Robbins
Bartender
Posts: 1793
sachin pate wrote:


This will burn you every time. Always put your servlet in a package and use the full class name in the <servlet-class> entry.

Without a package defined you are telling the servlet container to look in the current directory and you have no idea what that is, nor can you control it.
 
Jelle Klap
Bartender
Posts: 1952
Mansukhdeep Thind wrote:
Ulf Dittmer wrote: Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.

If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?


No, SQL injection is a security vulnerability, which in this case can be exploited, because the query String is concatenated with unsanitized user input directly and executed using Statement.
To prevent this you should make proper use of PreparedStatement, and add user input as query parameters.
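The two forms Ulf and Jelle contrast, as an added example rather than code from Sachin's servlet or anyone in the thread: a Statement built by string concatenation beside the PreparedStatement version that binds the form value as a parameter and applies trim(). The `customer` table, its `name` column and the caller-supplied `Connection` are assumptions, since the original query is not shown on the page.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class CustomerSearch {

    // Vulnerable form, as described in the thread: the raw form parameter is
    // concatenated into the SQL text and executed with a plain Statement.
    // A single quote in the input ends the string literal, so whatever follows
    // is parsed as SQL instead of being treated as data. Even a benign name
    // such as O'Brien produces a syntax error here.
    public static List<String> findUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT name FROM customer WHERE name = '" + name + "'";  // assumed table/column
        List<String> names = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
        }
        return names;
    }

    // Hardened form: the SQL text is fixed and the user value is bound with
    // setString(), so the driver passes it to the database as a value and it
    // cannot change the structure of the query. O'Brien is matched correctly.
    // trim() follows Ulf's advice about stray spaces typed into form fields.
    // The method declares SQLException instead of catching Exception, as
    // Mansukhdeep recommends, so the caller sees the real failure.
    public static List<String> findSafe(Connection conn, String rawName) throws SQLException {
        String name = rawName == null ? "" : rawName.trim();
        String sql = "SELECT name FROM customer WHERE name = ?";  // assumed table/column
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }
}
```

In the servlet, the `Connection` would come from the same place Search.java obtains it today; only the query-building code changes.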
 