Posted to users@tomcat.apache.org by ro...@zzict.nl on 2000/12/21 18:02:36 UTC
RE: my jsp updates with null values: SECURITY ???
On Thu, 21 Dec 2000, Dave Newton wrote:
> I remember you~it looks better with the variables not in the quotes.
>
> > <%@page import="java.sql.*,javax.servlet.http.HttpServletRequest" %>
> > <%!
> > //Declare your variables;
> > String DRIVER = "org.gjt.mm.mysql.Driver";
> > String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";
> > String QUERY = "insert into info
> > values('"+idnum+"','"+fname+"','"+lname+"','"+addr1+"','"+addr2+"'
> > ,'"+city+"
> > ','"+state+"','"+zip+"','"+phone1+"')";
> > %>
> > <%
> > //some debug code to see what the values of these fields are... (not
> > working)
> > out.println(idnum);
> > out.println(fname);
> > out.println(lname);
> > out.println(addr1);
> > out.println(addr2);
> > out.println(city);
> > out.println(state);
> > out.println(phone1);
> > %>
> >
> > <% //get information from another page, and, if there is no
> > information, set
> > the values to NULL
> >
> > String idnum = request.getParameter("idnum");
> > String fname = request.getParameter("fname");
> > String lname = request.getParameter("lname");
> > String addr1 = request.getParameter("addr1");
> > String addr2 = request.getParameter("addr2");
> > String city = request.getParameter("city");
> > String state = request.getParameter("state");
> > String zip = request.getParameter("zip");
> > String phone1 = request.getParameter("phone1");
> >
> > %>
>
> Is there any particular reason you set the values of the variables
> after you try to use them?
>
> I think you'd be better off asking these questions in a java group,
> as this is a pretty straightforward error.
>
> Dave
>
Have you ever wondered what will happen if someone entered
a request with idnum something like
'0,...,);DROP info CASCADE;
right.
This brings us to the tip of the day:
USE PREPARED STATEMENTS OR FEAR THE WRATH OF THE WEB-HACKER.
have fun,
Sloot.
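
An added example, not part of the original thread or either poster's code: the insert from the quoted JSP rewritten with a JDBC PreparedStatement, next to the concatenated form it replaces. The class name InfoInsert, the helper names, and the sample values are constructed for illustration, and the example assumes all nine columns of info are character types and that a JDBC driver for the URL given on the command line is on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Types;
import java.util.LinkedHashMap;
import java.util.Map;

public class InfoInsert {
    // Column order follows the insert in the quoted JSP.
    static final String[] FIELDS = {"idnum", "fname", "lname", "addr1", "addr2",
                                    "city", "state", "zip", "phone1"};
    // One placeholder per column; the statement text never contains user input.
    static final String INSERT = "insert into info values (?,?,?,?,?,?,?,?,?)";

    // The 'before': concatenation as in the quoted JSP, kept only to show the problem.
    static String concatenated(Map<String, String> p) {
        StringBuilder sb = new StringBuilder("insert into info values(");
        for (int i = 0; i < FIELDS.length; i++) {
            sb.append(i == 0 ? "'" : ",'").append(p.get(FIELDS[i])).append("'");
        }
        return sb.append(")").toString();
    }

    // The 'after': every value is bound as data; missing parameters become SQL NULL.
    // Assumption: all columns are character types, hence Types.VARCHAR.
    static int insert(Connection con, Map<String, String> p) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT)) {
            for (int i = 0; i < FIELDS.length; i++) {
                String v = p.get(FIELDS[i]);
                if (v == null) ps.setNull(i + 1, Types.VARCHAR);
                else ps.setString(i + 1, v);
            }
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample input standing in for request.getParameter(...) values.
        Map<String, String> p = new LinkedHashMap<>();
        p.put("idnum", "1"); p.put("fname", "Pat"); p.put("lname", "O'Brien");
        // The quote in O'Brien ends the string literal early in the concatenated text,
        // and absent fields appear as the literal text 'null' instead of SQL NULL.
        System.out.println(concatenated(p));
        if (args.length == 1) { // args[0]: JDBC URL, e.g. the CONNECT string from the JSP
            try (Connection con = DriverManager.getConnection(args[0])) {
                System.out.println(insert(con, p) + " row inserted");
            }
        }
    }
}
```

Run without arguments, it only prints the concatenated statement so the broken quoting is visible; with a JDBC URL it performs the parameterized insert.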
RE: my jsp updates with null values: SECURITY ???
Posted by Dave Newton <da...@solaraccess.com>.
> Have you ever wondered what will happen if someone entered
> a request with idnum something like
> '0,...,);DROP info CASCADE;
Whoops, missed your single quote. Sorry, you're right.
Dave