Update one column from table and insert new rows

 
Greenhorn
Posts: 4
I have some problems modifying data in a table. I need to update an entire column of a specific table, and if there aren't enough rows I need to insert more.
More exactly, the user will be able to modify data from the interface, in a text area that contains the current data from the db. I put all the text in a list, each line representing an element of the list.
In a certain column, I must go through each row and modify it with a list item. If there are more lines in the text area than rows in that table, I need to insert new ones, which will contain the remaining items from the list.
I would be grateful if someone could give me some help. Thanks!


 
Ranch Hand
Posts: 51
Hi Iar ral,

Could you explain in more detail what exactly is the problem with your code instead of only posting the method.

Cheers,
Michael
 
Marshal
Posts: 66193
Welcome to the Ranch

What happens when you try that update from the database's console application without using Java®?
 
Saloon Keeper
Posts: 21254
This code is vulnerable to a SQL INJECTION ATTACK. Even though the data values are coming from a PreparedStatement, you're getting the table names (apparently) straight from the web client. And why all the "toString()'s"? HTML is text-only to begin with.

It's quite easy for me to hijack the submitted form data so that instead of tablClient having a value of, say "TABLE1", I give it a value of "TABLE1; DROP DATABASE PAYROLL; //", just as an example. Little Bobby Tables strikes again!

So you need to validate your incoming HTML very carefully.

Also, I personally prefer when synthesizing complex SQL to use a string builder or formatter to build up the actual SQL command. It's usually easier to read than just mashing together substring expressions.
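An added example (mine, not code from the thread or from the poster's application) covering both the row-by-row update with insertion of leftover items that the question asks for, and the identifier allow-list that Tim Holloway's reply calls for. The thread's app is JavaFX over JDBC; this is a Python stand-in on sqlite3, where execute(sql, params) plays the role of a PreparedStatement. The table and column names, the sample rows, the allow-lists and the payload string are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample schema (not from the thread): one client table whose
# "norme" column is edited from the text area, plus an unrelated table an
# attacker would like to reach.
SCHEMA = """
CREATE TABLE clients_acme (id INTEGER PRIMARY KEY, product TEXT, norme TEXT);
INSERT INTO clients_acme (product, norme) VALUES ('widget', 'old-1'), ('gadget', 'old-2');
CREATE TABLE payroll (id INTEGER PRIMARY KEY, salary INTEGER);
INSERT INTO payroll (salary) VALUES (1000);
"""

# Allow-lists (assumed): the only identifiers the GUI is ever supposed to
# submit. In a real app they would come from the same source that fills the
# combo boxes, never from the request itself.
ALLOWED_TABLES = {"clients_acme", "clients_beta"}
ALLOWED_COLUMNS = {"norme", "product"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_identifier(name, allowed):
    """Return name unchanged if it is a plain identifier on the allow-list,
    otherwise refuse it. Table and column names cannot be bound with '?',
    so this check is the whole injection barrier for them."""
    if not isinstance(name, str) or not IDENT.fullmatch(name) or name not in allowed:
        raise ValueError(f"refusing unexpected SQL identifier: {name!r}")
    return name


def sync_column(conn, table, column, values):
    """Write values[i] into the i-th existing row (ordered by id) and insert
    one new row for each leftover value. Returns (rows_updated, rows_inserted)."""
    table = check_identifier(table, ALLOWED_TABLES)
    column = check_identifier(column, ALLOWED_COLUMNS)
    cur = conn.cursor()
    ids = [row[0] for row in cur.execute(f'SELECT id FROM "{table}" ORDER BY id')]
    updated = 0
    # zip stops at the shorter list, so every existing row gets exactly one value
    # and each UPDATE binds that row's own value, not the first one.
    for row_id, value in zip(ids, values):
        cur.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE id = ?', (value, row_id))
        updated += cur.rowcount
    leftover = values[len(ids):]
    cur.executemany(f'INSERT INTO "{table}" ("{column}") VALUES (?)', [(v,) for v in leftover])
    conn.commit()
    return updated, len(leftover)


def vulnerable_update(conn, table, column, value, row_id):
    """The pattern criticised in the thread: the values are bound with '?',
    but the table and column names are pasted straight into the statement."""
    sql = "UPDATE " + table + " SET " + column + " = ? WHERE id = ?"
    cur = conn.execute(sql, (value, row_id))
    conn.commit()
    return cur.rowcount


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def column_values(conn, table, column):
    """Read-back helper for the demo; identifiers here are our own constants."""
    return [r[0] for r in conn.execute(f'SELECT "{column}" FROM "{table}" ORDER BY id')]


# Single-statement payload (constructed): the attacker rewrites the whole
# UPDATE, keeps two '?' placeholders so the binding count still matches the
# two parameters the code supplies, and comments out the original tail.
PAYLOAD_TABLE = "payroll SET salary = 999999 WHERE id = 1 OR ? = ? -- "


def demo():
    conn = new_db()
    # Two rows exist, four lines were typed: rows 1-2 are updated, 3-4 inserted.
    sync_column(conn, "clients_acme", "norme", ["n1", "n2", "n3", "n4"])
    synced = column_values(conn, "clients_acme", "norme")

    # Same payload against the two implementations.
    vulnerable_update(conn, PAYLOAD_TABLE, "norme", "x", 1)
    salary_after_attack = column_values(conn, "payroll", "salary")[0]
    try:
        sync_column(conn, PAYLOAD_TABLE, "norme", ["x"])
        blocked = False
    except ValueError:
        blocked = True
    return synced, salary_after_attack, blocked


if __name__ == "__main__":
    print(demo())
```

The payload keeps to one statement because sqlite3's execute() refuses stacked statements; the "TABLE1; DROP DATABASE PAYROLL" form from the post only works where the driver permits multiple statements per call (with MySQL Connector/J that is the allowMultiQueries connection property). Either way the fix is the same: identifiers are matched against a list the server owns, and only the values go through placeholders.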
 
Sheriff
Posts: 6364
This looks fishy.  col, selectNorme.getValue().toString(), and this.selectNorme.getValue().toString() seem to be all the same thing.
 
lar julia
Greenhorn
Posts: 4

Michael Krimgen wrote:Hi Iar ral,

Could you explain in more detail what exactly is the problem with your code instead of only posting the method.

Cheers,
Michael



Hi Michael!!!

Okay... after updating I get the same value everywhere.. the first value.. and if I add more rows, these are inserted only from the second try, and not just the last ones, but all elements of the list..

Cheers to you too!
 
lar julia
Greenhorn
Posts: 4

Campbell Ritchie wrote:Welcome to the Ranch

What happens when you try that update from the database's console application without using Java®?



Thank you, Campbell Ritchie!

I have no idea.. I have not tried, and the problem is that everything, tables with clients and columns with their products, is selected from the interface.
 
lar julia
Greenhorn
Posts: 4

Tim Holloway wrote:This code is vulnerable to a SQL INJECTION ATTACK. Even though the data values are coming from a PreparedStatement, you're getting the table names (apparently) straight from the web client. And why all the "toString()'s"? HTML is text-only to begin with.

It's quite easy for me to hijack the submitted form data so that instead of tablClient having a value of, say "TABLE1", I give it a value of "TABLE1; DROP DATABASE PAYROLL; //", just as an example. Little Bobby Tables strikes again!

So you need to validate your incoming HTML very carefully.

Also, I personally prefer when synthesizing complex SQL to use a string builder or formatter to build up the actual SQL command. It's usually easier to read than just mashing together substring expressions.




Yes.. I know that... but I work with JavaFX and the user will select the clients and products from the GUI.. their selections are limited because they are chosen from a combobox..

And about synthesizing complex SQL, you're right.. I use it sometimes but not every time, apparently.. I'll try to change that.. thanks
 
Tim Holloway
Saloon Keeper
Posts: 21254

lar julia wrote:Yes.. I know that... but i work with javafx and the user will select the clients and products from GUI..their selections are limited because they are chosen from a combobox..



Actually a combobox is NOT safe. I presume what you mean is a "dropdown list". A combobox is a combination of a dropdown list AND a free text field control (hence the name "combo").

But even a dropdown list is only safe if no interloper can get to (or create) the request datastream. Make that app web-based and it can very definitely be compromised at the source even if the actual request is encrypted.
 