getting parameter from database but i am getting blank webpage

sachin pate
Greenhorn

Joined: May 03, 2013
Posts: 19
First.jsp


Search.java


web.xml
Niraj Jha
Ranch Hand

Joined: Feb 20, 2013
Posts: 63

what parameter are you talking about?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42946
Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.

In line 36-39 of the servlet, you need to surround the data you're getting from the DB by quotes, otherwise there's an almost certainty that the HTML will end up broken and non-functional.

What happens if you execute the same SQL statement that the servlet sends directly against the DB?

By the way, it's good practice to call trim() on any string you receive through an HTML form - people often type extraneous spaces without realizing it.
Mansukhdeep Thind
Ranch Hand

Joined: Jul 27, 2010
Posts: 1157

Ulf Dittmer wrote:Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.


If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?

@ Sachin :



This is a bad practice. Be as specific as you can about the exception that your code might throw, in this case an SQLException. Otherwise, when you are dealing with an entire application which has hundreds of source files, isolation of the issue becomes tedious.


~ Mansukh
J. Kevin Robbins
Bartender

Joined: Dec 16, 2010
Posts: 1070

sachin pate wrote:


This will burn you every time. Always put your servlet in a package and use the full class name in the <servlet-class> entry.

Without a package defined you are telling the servlet container to look in the current directory and you have no idea what that is, nor can you control it.


"The good news about computers is that they do what you tell them to do. The bad news is that they do what you tell them to do." -- Ted Nelson
Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1836

Mansukhdeep Thind wrote:
Ulf Dittmer wrote:Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.

If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?


No, SQL injection is a security vulnerability, which in this case can be exploited, because the query String is concatenated with unsanitized user input directly and executed using Statement.
To prevent this you should make proper use of PreparedStatement, and add user input as query parameters.

Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
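To make the advice in Ulf's and Jelle's replies concrete, here is an added example (not code from this thread or from the original poster) that contrasts the concatenated Statement query with a PreparedStatement version, applies trim(), and quotes and escapes the DB value before it goes into the HTML. The table name `employees` and column `name` are assumed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class SafeSearch {

    // Before: the request parameter is spliced into the SQL text, so whatever
    // the user typed is parsed as part of the statement. Shown for contrast only.
    static String unsafeQuery(String name) {
        return "SELECT name FROM employees WHERE name = '" + name + "'";
    }

    // After: the SQL text is fixed; the input travels as a bound parameter and
    // is never interpreted as SQL, whatever characters it contains.
    static List<String> findByName(Connection conn, String rawName) throws SQLException {
        String name = rawName == null ? "" : rawName.trim(); // trim(), as suggested above
        List<String> results = new ArrayList<>();
        String sql = "SELECT name FROM employees WHERE name = ?"; // assumed schema
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    results.add(rs.getString("name"));
                }
            }
        }
        return results;
    }

    // Values from the DB that are written into HTML must be escaped, and inside
    // an attribute they must also be quoted, or the markup breaks (and becomes
    // an injection point in the other direction).
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    static String inputField(String dbValue) {
        return "<input type=\"text\" name=\"name\" value=\"" + escapeHtml(dbValue) + "\">";
    }
}
```

Catching SQLException specifically at the call site, as Mansukh suggests, also keeps a failed query from silently producing the blank page described in the original post.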