Thread: How does postgres handle non literal string values
Hi All,
I have some jsp code that should insert a user name and password into
a table called login.
Instead of inserting the values given by the client, it insert the
literal string 'username' and 'password. The problem is somewhere in
the INSERT statement.
Here is the code:
<%@page contentType="text/html"%>
<%@page import="java.io.*" %>
<%@page import="java.sql.*" %>
<%@page import="java.util.*" %>
<html>
<head><title>JSP login</title></head>
<body>
<%-- <jsp:useBean id="beanInstanceName" scope="session"
class="package.class" /> --%>
<%-- <jsp:getProperty name="beanInstanceName" property="propertyName"
/> --%>
<%
String username = request.getParameter("username");
String password = request.getParameter("password");
String confirmpw = request.getParameter("password2");
String dbName = "storedb";
Connection conn = null;
Statement stmt = null;
String usr = "postgres";
String passwd = "Wimdk12";
if (username != null)
username = username.trim();
if (password != null)
password = password.trim();
if(confirmpw != null)
confirmpw = confirmpw.trim();
if (username != null &&
username.length() > 0) {
if (password != null &&
password.length() > 0) {
if (confirmpw != null &&
confirmpw.length() > 0) {
if (password.equals(confirmpw)) {
%>
<h1> Loading the driver </h1>
<%
String url = "jdbc:postgresql:" + dbName;
// Load the driver
Class.forName("org.postgresql.Driver");
// Connect to database
conn = DriverManager.getConnection(url, usr,
passwd);
stmt = conn.createStatement();
%>
<h1> Connecting to the data base </h1>
<%
String insertString =
"INSERT INTO \"login\" ('user', 'password')
VALUES ('username', 'password')";
%>
<h1> Updating table </h1>
<%
stmt.executeUpdate(insertString);
%>
<h1> Checking result </h1>
<%
ResultSet rset = stmt.executeQuery("SELECT *
FROM login");
while (rset.next()) {
System.out.println(
rset.getString("user") + ":" +
rset.getString("password"));
}
%>
<h1> Closing connection <h1>
<%
rset.close();
stmt.close();
conn.close();
%>
<h1>Congratulations <%= username %>! your account has been created
</h1>
<%
} else { %>
<h1>Sorry! Account not created. passwords do
not match </h1>
<%
}
} else { %> <h1>Sorry! Account not
created. passwords do not match </h1>
<%
}
} else { %>
<h1>Sorry! Account not created. Please enter a
confirmation password </h1>
<%
}
} else { %>
<h1>Sorry! Account not created. Please enter a
password </h1>
<%
}
} else { %>
<h1>Sorry! Account not created. Please enter a
username </h1>
<%
} %>
</body>
</html>
Any help on this is greatly appreciated.
monroy@mindspring.com (javaholic) writes:
> String insertString =
> "INSERT INTO \"login\" ('user', 'password')
> VALUES ('username', 'password')";
First, your SQL syntax is wrong (field names in an INSERT shouldn't be
quoted), and second, Java isn't Perl--it won't magically interpolate
variable values into a string. Try:
String insertString =
"INSERT INTO \"login\" (user, password) VALUES ('" + username
+ "', '" + password + "')";
This will work but has a gaping security hole. Even better, use a
PreparedStatement instead--it's much cleaner and is immune to SQL
injection attacks.
-Doug