JDBC SQL servlet

Question

oggiemc 7 Junior Poster in Training

14 Years Ago

Hi Everybody,

Im having a bit of a problem with an assignment..Im trying to write a JDBC servlet which checks the value of a name in the database against the value inputed in a form..USER and PASS are the values inputted to the by user into the form.. The code is below..But im getting a syntax error on the the italics lines below which says: Syntax error on tokens, (expected instead))
I dont know what is wrong with my syntax here..Can someone help me out please?

try {
                
  stmt = con.createStatement();
  rs = stmt.executeQuery(SELECT * FROM FMC_EMPLOYMENT WHERE SURNAME='" +
  req.getParameter("USER"))+ "' and PASSWORD = '" + req.getParameter("PASS")"');

  while (rs.next())
         out.println("<BR>Name=" + rs.getString("SURNAME") + " " + rs.getString("PASSWORD"));
  }

java-jsp

2 Contributors
4 Replies
80 Views
1 Day Discussion Span
Latest Post 14 Years Ago Latest Post by oggiemc

masijade 1,351 Industrious Poster

14 Years Ago

Regardless of the amount of input parameters use PreparedStatement. What if getParameter on USER return ';delete * from FMC_EMPLOYMENT;-- ? Or, more innocently, either one contains a simple "single quote" (')? PreparedStatement will prevent this sort of thing. It is not perfect in preventing SQL injection attacks, but it definately helps.

As far as the errors, then "req" is not defined in this scope.
And you forgot a quote (") at the end of the statement, before the closing paren. (And you forgot a plus (+) between the get parameter and that closing string.)

You need to look at your code more carefully.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

masijade 1,351 Industrious Poster Team Colleague Featured Poster · Answer 1 · 2010-04-03T21:09:02+00:00

Uhm, forget a quote (") before SELECT?

P.S. Use PreparedStatement.

oggiemc 7 Junior Poster in Training · Answer 2 · 2010-04-03T21:47:01+00:00

Uhm, forget a quote (") before SELECT?
P.S. Use PreparedStatement.

Thanks for reply masijade,

Put in the double quotes but now im getting an error saying:
req (from req.getParameter) cannot be resolved.. And also an error saying:
Syntax error on token ""\'"", delete this ..This error is coming from the quotes at the end of the last line of code i.e the quotes after ("PASS"); ..Theres no backslash here so what is the debugger saying??

P.S Is it necessary to use prepared stmt when im only requesting 2 parameters??

Many thanks
oggie

out.println("Connection Successful..... creating statement....");
      	     		stmt = con.createStatement();
	     		    rs = stmt.executeQuery("SELECT * FROM FMC_EMPLOYMENT WHERE FIRSTNAME='" + 
	     		    req.getParameter("USER") + "' and PASSWORD = '" + req.getParameter("PASS")"'");

oggiemc 7 Junior Poster in Training · Answer 3 · 2010-04-04T19:14:44+00:00

Thanks masijade for that..New to programming so its not very good at all..Thanks for tips..Got it working now :)