Posted to users@tomcat.apache.org by John Elia <je...@711.net> on 2000/12/21 14:50:59 UTC
my jsp updates with null values.
This code is inserting NULL values into a mysql database. It is taking the
values from an HTML form, and should just insert the values.
Please Help.
<%@page import="java.sql.*,javax.servlet.http.HttpServletRequest" %>
<%!
//Declare your variables;
String DRIVER = "org.gjt.mm.mysql.Driver";
String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";
String QUERY = "insert into info values('"+idnum+"','"+fname+"','"+lname+"','"+addr1+"','"+addr2+"','"+city+"','"+state+"','"+zip+"','"+phone1+"')";
%>
<%
//some debug code to see what the values of these fields are... (not working)
out.println(idnum);
out.println(fname);
out.println(lname);
out.println(addr1);
out.println(addr2);
out.println(city);
out.println(state);
out.println(phone1);
%>
<% //get information from another page, and, if there is no information, set the values to NULL
String idnum = request.getParameter("idnum");
String fname = request.getParameter("fname");
String lname = request.getParameter("lname");
String addr1 = request.getParameter("addr1");
String addr2 = request.getParameter("addr2");
String city = request.getParameter("city");
String state = request.getParameter("state");
String zip = request.getParameter("zip");
String phone1 = request.getParameter("phone1");
%>
<% //Let's figure it out shall we?
Class.forName(DRIVER);
Connection con = DriverManager.getConnection(CONNECT);
Statement stm = con.createStatement();
ResultSet rs = stm.executeQuery(QUERY);
%>
<h4><br><b>WebDesk Development</b> USERINFO Database Accessed, INFO Table
Results returned.</h4><br>
<a href="JEInsert.jsp">Back to the Form</a>
<BR><BR><BR>
RE: my jsp updates with null values: SECURITY ???
Posted by Dave Newton <da...@solaraccess.com>.
> Have you ever wondered what will happen if someone entered
> a request with idnum something like
> '0,...,);DROP info CASCADE;
Whoops, missed your single quote. Sorry, you're right.
Dave
RE: my jsp updates with null values: SECURITY ???
Posted by ro...@zzict.nl.
On Thu, 21 Dec 2000, Dave Newton wrote:
> I remember you; it looks better with the variables not in the quotes.
>
> > <%@page import="java.sql.*,javax.servlet.http.HttpServletRequest" %>
> > <%!
> > //Declare your variables;
> > String DRIVER = "org.gjt.mm.mysql.Driver";
> > String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";
> > String QUERY = "insert into info values('"+idnum+"','"+fname+"','"+lname+"','"+addr1+"','"+addr2+"','"+city+"','"+state+"','"+zip+"','"+phone1+"')";
> > %>
> > <%
> > //some debug code to see what the values of these fields are... (not working)
> > out.println(idnum);
> > out.println(fname);
> > out.println(lname);
> > out.println(addr1);
> > out.println(addr2);
> > out.println(city);
> > out.println(state);
> > out.println(phone1);
> > %>
> >
> > <% //get information from another page, and, if there is no information, set the values to NULL
> >
> > String idnum = request.getParameter("idnum");
> > String fname = request.getParameter("fname");
> > String lname = request.getParameter("lname");
> > String addr1 = request.getParameter("addr1");
> > String addr2 = request.getParameter("addr2");
> > String city = request.getParameter("city");
> > String state = request.getParameter("state");
> > String zip = request.getParameter("zip");
> > String phone1 = request.getParameter("phone1");
> >
> > %>
>
> Is there any particular reason you set the values of the variables
> after you try to use them?
>
> I think you'd be better off asking these questions in a java group,
> as this is a pretty straightforward error.
>
> Dave
>
Have you ever wondered what will happen if someone entered
a request with idnum something like
'0,...,);DROP info CASCADE;
right.
This brings us to the tip of the day:
USE PREPARED STATEMENTS OR FEAR THE WRATH OF THE WEB-HACKER.
have fun,
Sloot.
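Both points raised in this thread (Dave's, that the nine parameters are read only after the QUERY string has already been built, and Sloot's, that a concatenated value such as the quoted idnum is parsed as SQL) are addressed by the following rewrite. It is an added example, not code from the original post or from Tomcat: it keeps the post's connection URL and table name, assumes the `info` table has exactly the nine columns in the order the original QUERY supplied them, and assumes the database accepts a connection without credentials as the post's URL implies. Values are read first, then bound as JDBC parameters with `setString`, so the driver sends them as data rather than as part of the statement text, and a quote or semicolon inside a form field is stored literally. An INSERT returns no result set, so it is run with `executeUpdate` rather than the original's `executeQuery`.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.function.Function;

/**
 * Parameterised replacement for the concatenated INSERT in the post.
 * Added example; table layout (nine columns, same order as the post's
 * QUERY) and the credential-less connection URL are assumptions.
 */
public class InfoInsert {

    // Connection URL taken from the post.
    static final String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";

    // The nine form field names the post reads with request.getParameter.
    static final String[] FIELDS = {
        "idnum", "fname", "lname", "addr1", "addr2",
        "city", "state", "zip", "phone1"
    };

    // One '?' per column. The SQL text is fixed at compile time; the values
    // never become part of it, so "'0,...,);DROP info CASCADE;" in idnum is
    // simply a nine-character-plus string stored in the first column.
    static final String INSERT_SQL =
        "insert into info values (?, ?, ?, ?, ?, ?, ?, ?, ?)";

    /**
     * Inserts one row. Returns the row count the driver reports (1 on success).
     * A null element (a form field that was not submitted) is stored as SQL NULL,
     * which is what the post's own comment says it wants.
     */
    public static int insertInfo(Connection con, String[] values) throws SQLException {
        if (values.length != FIELDS.length) {
            throw new IllegalArgumentException("expected " + FIELDS.length + " values");
        }
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            for (int i = 0; i < values.length; i++) {
                ps.setString(i + 1, values[i]); // JDBC parameter indexes are 1-based
            }
            return ps.executeUpdate();          // INSERT: no ResultSet, so not executeQuery
        }
    }

    /**
     * What the JSP scriptlet should do, in the right order: read every parameter
     * first, then insert. From a JSP call it as
     *   InfoInsert.insertFromParameters(request::getParameter, con);
     * The Function parameter avoids a servlet-API dependency in this example.
     */
    public static int insertFromParameters(Function<String, String> param, Connection con)
            throws SQLException {
        String[] values = new String[FIELDS.length];
        for (int i = 0; i < FIELDS.length; i++) {
            values[i] = param.apply(FIELDS[i]); // null when the field is absent
        }
        return insertInfo(con, values);
    }

    /** Command-line use: nine positional values, inserted as one row. */
    public static void main(String[] args) throws SQLException {
        if (args.length != FIELDS.length) {
            System.err.println("usage: java InfoInsert " + String.join(" ", FIELDS));
            System.exit(2);
        }
        // Since JDBC 4.0 DriverManager locates a driver on the classpath itself,
        // so the post's Class.forName(DRIVER) call is no longer needed.
        try (Connection con = DriverManager.getConnection(CONNECT)) {
            int rows = insertInfo(con, args);
            System.out.println(rows + " row(s) inserted");
        }
    }
}
```

Inside the JSP the scriptlet order becomes: open the connection, call `insertFromParameters(request::getParameter, con)`, close the connection; there is no QUERY string to build in the `<%! %>` declaration block at all. The `try-with-resources` blocks also close the statement and connection on every path, which the original page never did.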
RE: my jsp updates with null values.
Posted by Dave Newton <da...@solaraccess.com>.
I remember you; it looks better with the variables not in the quotes.
> <%@page import="java.sql.*,javax.servlet.http.HttpServletRequest" %>
> <%!
> //Declare your variables;
> String DRIVER = "org.gjt.mm.mysql.Driver";
> String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";
> String QUERY = "insert into info values('"+idnum+"','"+fname+"','"+lname+"','"+addr1+"','"+addr2+"','"+city+"','"+state+"','"+zip+"','"+phone1+"')";
> %>
> <%
> //some debug code to see what the values of these fields are... (not working)
> out.println(idnum);
> out.println(fname);
> out.println(lname);
> out.println(addr1);
> out.println(addr2);
> out.println(city);
> out.println(state);
> out.println(phone1);
> %>
>
> <% //get information from another page, and, if there is no information, set the values to NULL
>
> String idnum = request.getParameter("idnum");
> String fname = request.getParameter("fname");
> String lname = request.getParameter("lname");
> String addr1 = request.getParameter("addr1");
> String addr2 = request.getParameter("addr2");
> String city = request.getParameter("city");
> String state = request.getParameter("state");
> String zip = request.getParameter("zip");
> String phone1 = request.getParameter("phone1");
>
> %>
Is there any particular reason you set the values of the variables
after you try to use them?
I think you'd be better off asking these questions in a java group,
as this is a pretty straightforward error.
Dave