Posted to users@tomcat.apache.org by John Elia <je...@711.net> on 2000/12/21 14:50:59 UTC

my jsp updates with null values.

This code is inserting NULL values into a mysql database.  It is taking the
values from an HTML form, and should just insert the values.

Please Help.

<%@page import="java.sql.*,javax.servlet.http.HttpServletRequest" %>
<%!
//Declare your variables;
String DRIVER  = "org.gjt.mm.mysql.Driver";
String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";
String QUERY   = "insert into info
values('"+idnum+"','"+fname+"','"+lname+"','"+addr1+"','"+addr2+"','"+city+"
','"+state+"','"+zip+"','"+phone1+"')";
%>
<%
//some debug code to see what the values of these fields are... (not
working)
out.println(idnum);
out.println(fname);
out.println(lname);
out.println(addr1);
out.println(addr2);
out.println(city);
out.println(state);
out.println(phone1);
%>

<% //get information from another page, and, if there is no information, set
the values to NULL

 String idnum = request.getParameter("idnum");
 String fname = request.getParameter("fname");
 String lname = request.getParameter("lname");
 String addr1 = request.getParameter("addr1");
 String addr2 = request.getParameter("addr2");
 String city = request.getParameter("city");
 String state = request.getParameter("state");
 String zip = request.getParameter("zip");
 String phone1 = request.getParameter("phone1");

%>


<% //Let's figure it out shall we?
Class.forName(DRIVER);
Connection con = DriverManager.getConnection(CONNECT);
Statement stm = con.createStatement();
ResultSet rs = stm.executeQuery(QUERY);
%>

<h4><br><b>WebDesk Development</b> USERINFO Database Accessed, INFO Table
Results returned.</h4><br>
<a href="JEInsert.jsp">Back to the Form</a>
<BR><BR><BR>



RE: my jsp updates with null values: SECURITY ???

Posted by Dave Newton <da...@solaraccess.com>.
> Have you ever wondered what will happen if someone entered
> a request with idnum something like
> '0,...,);DROP info CASCADE;

Whoops, missed your single quote. Sorry, you're right.

Dave


RE: my jsp updates with null values: SECURITY ???

Posted by ro...@zzict.nl.

On Thu, 21 Dec 2000, Dave Newton wrote:

> I remember you~it looks better with the variables not in the quotes.
> 
> > <%@page import="java.sql.*,javax.servlet.http.HttpServletRequest" %>
> > <%!
> > //Declare your variables;
> > String DRIVER  = "org.gjt.mm.mysql.Driver";
> > String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";
> > String QUERY   = "insert into info
> > values('"+idnum+"','"+fname+"','"+lname+"','"+addr1+"','"+addr2+"'
> > ,'"+city+"
> > ','"+state+"','"+zip+"','"+phone1+"')";
> > %>
> > <%
> > //some debug code to see what the values of these fields are... (not
> > working)
> > out.println(idnum);
> > out.println(fname);
> > out.println(lname);
> > out.println(addr1);
> > out.println(addr2);
> > out.println(city);
> > out.println(state);
> > out.println(phone1);
> > %>
> > 
> > <% //get information from another page, and, if there is no 
> > information, set
> > the values to NULL
> > 
> >  String idnum = request.getParameter("idnum");
> >  String fname = request.getParameter("fname");
> >  String lname = request.getParameter("lname");
> >  String addr1 = request.getParameter("addr1");
> >  String addr2 = request.getParameter("addr2");
> >  String city = request.getParameter("city");
> >  String state = request.getParameter("state");
> >  String zip = request.getParameter("zip");
> >  String phone1 = request.getParameter("phone1");
> > 
> > %>
> 
> Is there any particular reason you set the values of the variables
> after you try to use them?
> 
> I think you'd be better off asking these questions in a java group,
> as this is a pretty straightforward error.
> 
> Dave
> 
Have you ever wondered what will happen if someone entered
a request with idnum something like
'0,...,);DROP info CASCADE;

right.

This brings us to the tip of the day:

USE PREPARED STATEMENTS OR FEAR THE WRATH OF THE WEB-HACKER.

have fun,
Sloot.
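An added example that is not part of this thread: the same nine-column positional insert the original JSP performs, rewritten as a small helper class with a PreparedStatement, which is the fix Sloot's tip and Dave's "set the values before you use them" remark together point at. Column names for the info table are not given anywhere in the thread, so the insert stays positional like the original; the class name InfoInsert, the readFields/insertInfo method names, and the choice to treat addr2 as the only optional field are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;

// Added example, not code from the original post: every form value is bound
// as a parameter, never spliced into the SQL text, so a value such as
// '0,...,);DROP info CASCADE; is stored as a string and cannot end the statement.
public class InfoInsert {

    // Form field names in the order the original query listed them.
    static final String[] FIELDS = {
        "idnum", "fname", "lname", "addr1", "addr2",
        "city", "state", "zip", "phone1"
    };

    // One placeholder per column; the SQL text never changes with user input.
    static final String INSERT_SQL =
        "insert into info values (?, ?, ?, ?, ?, ?, ?, ?, ?)";

    // Read the request parameters first (the original built QUERY before the
    // variables were assigned), then return them in column order.
    // getParameter returns null for a missing field; rather than silently
    // inserting NULL, reject the request unless the field is addr2
    // (assumed optional here; adjust to the real form's rules).
    public static String[] readFields(HttpServletRequest request) {
        String[] values = new String[FIELDS.length];
        for (int i = 0; i < FIELDS.length; i++) {
            String v = request.getParameter(FIELDS[i]);
            if (v == null && !"addr2".equals(FIELDS[i])) {
                throw new IllegalArgumentException(
                    "missing form field: " + FIELDS[i]);
            }
            values[i] = v;
        }
        return values;
    }

    // Insert one row and return the JDBC update count (1 on success).
    // executeUpdate is used because an INSERT returns no ResultSet;
    // the original called executeQuery, which is only for SELECTs.
    public static int insertInfo(Connection con, String[] values)
            throws SQLException {
        if (values.length != FIELDS.length) {
            throw new IllegalArgumentException("expected "
                + FIELDS.length + " values, got " + values.length);
        }
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            for (int i = 0; i < values.length; i++) {
                // JDBC parameters are 1-based; setString with a null value
                // binds SQL NULL for the optional column.
                ps.setString(i + 1, values[i]);
            }
            return ps.executeUpdate();
        }
    }
}
```

In the JSP this replaces the QUERY string and the Statement/executeQuery block: open the Connection with the driver and URL from the post (Class.forName("org.gjt.mm.mysql.Driver"), DriverManager.getConnection("jdbc:mysql://127.0.0.1/userinfo")), then call InfoInsert.insertInfo(con, InfoInsert.readFields(request)). Because the parameters are read before anything uses them, the "null values" symptom disappears along with the injection.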


RE: my jsp updates with null values.

Posted by Dave Newton <da...@solaraccess.com>.
I remember you~it looks better with the variables not in the quotes.

> <%@page import="java.sql.*,javax.servlet.http.HttpServletRequest" %>
> <%!
> //Declare your variables;
> String DRIVER  = "org.gjt.mm.mysql.Driver";
> String CONNECT = "jdbc:mysql://127.0.0.1/userinfo";
> String QUERY   = "insert into info
> values('"+idnum+"','"+fname+"','"+lname+"','"+addr1+"','"+addr2+"'
> ,'"+city+"
> ','"+state+"','"+zip+"','"+phone1+"')";
> %>
> <%
> //some debug code to see what the values of these fields are... (not
> working)
> out.println(idnum);
> out.println(fname);
> out.println(lname);
> out.println(addr1);
> out.println(addr2);
> out.println(city);
> out.println(state);
> out.println(phone1);
> %>
> 
> <% //get information from another page, and, if there is no 
> information, set
> the values to NULL
> 
>  String idnum = request.getParameter("idnum");
>  String fname = request.getParameter("fname");
>  String lname = request.getParameter("lname");
>  String addr1 = request.getParameter("addr1");
>  String addr2 = request.getParameter("addr2");
>  String city = request.getParameter("city");
>  String state = request.getParameter("state");
>  String zip = request.getParameter("zip");
>  String phone1 = request.getParameter("phone1");
> 
> %>

Is there any particular reason you set the values of the variables
after you try to use them?

I think you'd be better off asking these questions in a java group,
as this is a pretty straightforward error.

Dave