I'm trying to insert a record into a table which I choose in an HTML form... Can I use something like this in JSP?

String queryString = "INSERT INTO ? (login,password,full_name,ulevel) VALUES (?, ?, ?, ?)";
steven967
  • IIRC positional values are for values. If that's correct, can't you just check the table name and use string concatenation if it's okay? – Dave Newton Nov 14 '12 at 21:48
  • So what is your suggestion? :) Sorry, I don't understand you.. – steven967 Nov 14 '12 at 22:00
  • Use concatenate to merge all the strings. – Franz Noel Nov 14 '12 at 22:32
  • Possible duplicate: http://stackoverflow.com/questions/11312155/how-to-use-a-tablename-variable-for-a-java-prepared-statement-insert – Hardik Mishra Nov 15 '12 at 05:31
  • 1
    Having problems with Java code which is incorrectly written in a JSP file instead of a Java class doesn't make it a JSP problem. In other words, JSP is completely irrelevant in the question. You'd have exactly the same problem when doing so in a plain Java application class with a `main()` method. Rather ask the question in Java/JDBC context. – BalusC Nov 15 '12 at 19:07

2 Answers


Main answer: If you want to use JDBC, which I agree may be what it is, you may try this:

<%@ page import="java.sql.*" %>
<%-- "connection" is assumed to be a java.sql.Connection opened elsewhere on the page --%>
<% String myquery = "SELECT * FROM EMPLOYEES WHERE DEPARTMENT = ?"; %>
<% PreparedStatement mystatement = connection.prepareStatement(myquery); %>
<% mystatement.setString(1, request.getParameter("myURLparam")); %>
<%-- execute() returns a boolean; executeQuery() is the call that returns a ResultSet --%>
<% ResultSet results = mystatement.executeQuery(); %>

You can refer to this link on how to use it. Oracle's Java tutorial has better examples: http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html

Previous Answer: Use String format

Java example:

// sample values so the snippet compiles on its own
float floatVar = 1.5f;
int intVar = 42;
String stringVar = "text";
String fs;
fs = String.format("The value of the float " +
               "variable is %f, while " +
               "the value of the " +
               "integer variable is %d, " +
               " and the string is %s",
               floatVar, intVar, stringVar);

http://docs.oracle.com/javase/tutorial/java/data/strings.html - Check bottom section.

Apply it to JSP.

<html>
    <head>
      <title>Concatenate String in JSP</title>
    </head>
    <body bgcolor="#fff">
        <% String tableName = "Table"; %>
        <% String login = "login"; %>
        <% String password = "myPassword"; %>
        <% String fullName = "Full Name"; %>
        <% String ulevel = "Level 1"; %>
        <% String msg = "INSERT INTO " + tableName + " (login,password,full_name,ulevel) VALUES ("+ login + ", "+password+","+fullName+", "+ulevel+")"; %>
        <% out.println(msg); %>
    </body>
</html>
Franz Noel
  • I used this: "INSERT INTO " + tableNameVariable + "............." and it shows me an error... – steven967 Nov 15 '12 at 18:18
  • In this example, you are able to transport the `msg` variable anywhere on this page. Although I gave an answer, what do you need the query for in JSP? Shouldn't the queries be programmed inside the servlets? – Franz Noel Nov 15 '12 at 19:07
  • 1
    OP was attempting to use a prepared statement query for at least the column values, yet you're suggesting to fall back to string-concatenating (unquoted!) variables which only increases SQL injection risks? Why? – BalusC Nov 15 '12 at 19:09

I have:

<%@ page import="java.sql.*" %>
<%
String login = request.getParameter("login");
String password = request.getParameter("password");
String full_name = request.getParameter("full_name");
String ulevel = request.getParameter("ulevel");
String team_id = request.getParameter("team_id");
// The table name and all four values are formatted straight into the SQL text,
// so the resulting statement contains no "?" placeholders for setString() to fill.
String fs = String.format("insert into " + "%s " + "(login,password,full_name,ulevel) values " + "(%s,%s,%s,%s)", team_id, login, password, full_name, ulevel);

Connection connection = null;
PreparedStatement pstatement = null;
Class.forName("com.mysql.jdbc.Driver").newInstance();
int updateQuery = 0;
if (login != null && password != null && full_name != null && ulevel != null && team_id != null) {
    // isEmpty() compares contents; != on Strings only compares object identity
    if (!login.isEmpty() && !password.isEmpty() && !full_name.isEmpty() && !ulevel.isEmpty() && !team_id.isEmpty()) {
        try {
            connection = DriverManager.getConnection("jdbc:mysql://localhost:3306/coding", "root", "root");
            pstatement = connection.prepareStatement(fs);
            pstatement.setString(1, login);
            pstatement.setString(2, password);
            pstatement.setString(3, full_name);
            pstatement.setString(4, ulevel);
            updateQuery = pstatement.executeUpdate();
            if (updateQuery != 0) {
                response.sendRedirect("index.jsp");
            }
        } catch (Exception ex) {
            out.println("Unable to connect to database.");
        } finally {
            // both may still be null if getConnection() or prepareStatement() threw
            if (pstatement != null) pstatement.close();
            if (connection != null) connection.close();
        }
    }
}
%>

The parameters login, password, full_name, ulevel and team_id come from an HTML form in other source code..

But this doesn't work :/

steven967
  • The problem is with the `Connection` and it is not with the String. If you are going to use `out.print(fs)`, it works. Let me try to solve it, just a minute... – Franz Noel Nov 16 '12 at 18:43
  • You might need to have `<%@ page import="java.sql.*" %>` in the first line of your code. After that, make sure that you have JDBC Driver installed as a library. Can you post the error that you have after? – Franz Noel Nov 16 '12 at 18:52
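The point the comments circle around, shown as an added example that is not code from the question or either answer: a JDBC `?` can only bind a value, never an identifier, so the table name is checked against a fixed allowlist before it is spliced into the SQL text, while the four column values travel as bind parameters. The class name, the allowed table names and the `Connection` passed in by the caller are assumptions; nothing here is from the original post.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class TeamInsert {
    // Constructed allowlist: only these identifiers may ever appear in SQL text.
    // A request value that is not one of them is rejected, not used.
    private static final Set<String> ALLOWED_TABLES =
        new HashSet<>(Arrays.asList("team_a", "team_b", "team_c"));

    private static final String INSERT_COLUMNS =
        " (login,password,full_name,ulevel) VALUES (?, ?, ?, ?)";

    /** Returns the SQL text for a permitted table, or throws for anything else. */
    static String insertSqlFor(String tableFromRequest) {
        if (tableFromRequest == null || !ALLOWED_TABLES.contains(tableFromRequest)) {
            throw new IllegalArgumentException("unknown table: " + tableFromRequest);
        }
        // Safe to concatenate: the value is one of our own literals, not request text.
        return "INSERT INTO " + tableFromRequest + INSERT_COLUMNS;
    }

    /** Inserts one row; returns the update count from executeUpdate(). */
    static int insertUser(Connection conn, String table, String login,
                          String password, String fullName, String ulevel)
            throws SQLException {
        for (String v : new String[] {login, password, fullName, ulevel}) {
            if (v == null || v.isEmpty()) {
                throw new IllegalArgumentException("missing form field");
            }
        }
        // try-with-resources closes the statement even when executeUpdate() throws.
        try (PreparedStatement ps = conn.prepareStatement(insertSqlFor(table))) {
            ps.setString(1, login);
            ps.setString(2, password);   // in real code store a password hash, not the password
            ps.setString(3, fullName);
            ps.setString(4, ulevel);
            return ps.executeUpdate();
        }
    }
}
```

A servlet would call `TeamInsert.insertUser(connection, request.getParameter("team_id"), ...)` with the remaining form parameters, keeping the JDBC code out of the JSP as BalusC's comment suggests.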