• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

getting parameter from database but i am getting blank webpage

 
Greenhorn
Posts: 19
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
First.jsp


Search.java


web.xml
 
Ranch Hand
Posts: 63
Spring Tomcat Server Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
what parameter are you talking about?
 
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.

In line 36-39 of the servlet, you need to surround the data you're getting from the DB by quotes, otherwise there's an almost certainty that the HTML will end up broken and non-functional.

What happens if you execute the same SQL statement that the servlet sends directly against the DB?

By the way, it's good practice to call trim() on any string you receive through an HTML form - people often type extraneous spaces without realizing it.
 
Ranch Hand
Posts: 1164
Eclipse IDE Firefox Browser Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Ulf Dittmer wrote:Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.



If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?

@ Sachin :



This is a bad practice. Be as specific as you can about the exception that your code might throw, in this case an SQLException. Otherwise, when you are dealing with an entire application which has hundreds of source files, isolation of the issue becomes tedious.
 
Bartender
Posts: 1810
28
jQuery Netbeans IDE Eclipse IDE Firefox Browser MySQL Database Chrome Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

sachin pate wrote:



This will burn you every time. Always put your servlet in a package and use the full class name in the <servlet-class> entry.

Without a package defined you are telling the servlet container to look in the current directory and you have no idea what that is, nor can you control it.
 
Bartender
Posts: 1952
7
Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Mansukhdeep Thind wrote:

Ulf Dittmer wrote:Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.


If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?



No, SQL injection is a security vulnerability, which in this case can be exploited, because the query String is concatenated with unsanitized user input directly and executed using Statement.
To prevent this you should make proper use of PreparedStatement, and add user input as query parameters.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic