
I'm developing a web service that extracts all messages from the database as a JSON response. This is my WS, which takes the user's password & login, searches for their ID and extracts the user's messages from the database:

@GET
@Path("/historiquemethod")
@Produces("application/json")
public msgTabl historique(
        @QueryParam("pseudo") String pseudo,
        @QueryParam("motDePasse") String motDePasse
) {

    msgTabl tab = new msgTabl();
    MsgBean ms = new MsgBean();

    int i = 0;
    int id = 0;

    // extract the person's id from the pseudo & password
    try {
        ResultSet rs1 = conn.createStatement().executeQuery("select id_u from utilisateur where pseudo='" + pseudo + "'and motdepasse='" + motDePasse + "' ");
        if (rs1.next()) {
            id = rs1.getInt(1);
        }
    } catch (SQLException ex) {

    }

    // extract the messages and put them in the array
    try {
        ResultSet rs2 = conn.createStatement().executeQuery("select * from message where idUser='" +id+ "'");
        while (rs2.next()) {
            tab.setTest("ok");

            String  from2 = rs2.getString("fromm");
            String  contenu2 = rs2.getString("contenu");
            String  dateenvoi2 = rs2.getString("DateEnvoi");
            String numexp2 = rs2.getString("NumExp");

            ms.setFrommm(from2);
            ms.setContenu(contenu2);
            ms.setDateEnvoi(dateenvoi2);
            ms.setNumExp(numexp2);

            tab.m[i] = ms;
            i = i + 1;
        }
    } catch (SQLException ex) {

        tab.setTest("Catch error");
    }


    return tab;
} 

Every message is a "msgbean" which contains some information (from, to, content, id, idUser, Date...)

and the response of the WS is a "msgTabl", which is an object containing a table of msgbean and a string.

The problem is that my WS is always returning only the last message!! That means that if the user has 3 messages, only the last message is returned, 3 times!!

{
  "msgTabl": {
    "m": [
      {
        "contenu": 3333333333,
        "dateEnvoi": 3333333333,
        "frommm": 333333333,
        "id": 3,
        "idu": 1,
        "numExp": 33333333333
      },
      {
        "contenu": 3333333333,
        "dateEnvoi": 3333333333,
        "frommm": 333333333,
        "id": 3,
        "idu": 1,
        "numExp": 33333333333
      },
      {
        "contenu": 3333333333,
        "dateEnvoi": 3333333333,
        "frommm": 333333333,
        "id": 3,
        "idu": 1,
        "numExp": 33333333333
      }
    ],
    "test": "ok"
  }
}

Could you tell me please where the error is??? Is there any problem with my code?? Also, I would like to know why the msgTabl is present inside the JSON response?? I mean, why don't I get

{
  "m": [
    {
      "contenu": 3333333333,
      "dateEnvoi": 3333333333,
      "frommm": 333333333,
      "id": 3,
      "idu": 1,
      "numExp": 33333333333
    },
    {
      "contenu": 3333333333,
      "dateEnvoi": 3333333333,
      "frommm": 333333333,
      "id": 3,
      "idu": 1,
      "numExp": 33333333333
    },
    {
      "contenu": 3333333333,
      "dateEnvoi": 3333333333,
      "frommm": 333333333,
      "id": 3,
      "idu": 1,
      "numExp": 33333333333
    }
  ],
  "test": "ok"
}

directly?

NoKHe
  • Please put that code IN the question, properly formatted as code. – fvu Aug 18 '14 at 14:05
  • done! You can read it now – NoKHe Aug 18 '14 at 14:47
  • the sql injections, they burn! please please please fix the sql injections! http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – John Gardner Aug 18 '14 at 21:10
  • @JohnGardner I didn't understand, what does that mean?? – NoKHe Aug 19 '14 at 08:37
  • You're building queries directly using string concatenation, which allows someone malicious to do very bad things. For example, what happens in your code if I were to pass "' or 1=1" as the password? You should really be building queries using parameter markers, and **never** via string concatenation. See http://en.wikipedia.org/wiki/Sql_injection – John Gardner Aug 19 '14 at 23:12
  • **ESPECIALLY** since this appears to be a web service, where you can't trust any input coming in! Read through the "little bobby tables" linked question and comic, it will explain. – John Gardner Aug 19 '14 at 23:13


The problem is that your code creates just one MsgBean ms object, and inserts that same object over and over into the array. That's why you get the same data three times: you're in fact displaying the same object three times. You need to move the instantiation of that object to inside the loop, like this:

while (rs2.next()) {
    tab.setTest("ok");

    String  from2 = rs2.getString("fromm");
    String  contenu2 = rs2.getString("contenu");
    String  dateenvoi2 = rs2.getString("DateEnvoi");
    String numexp2 = rs2.getString("NumExp");
    // a fresh ms per iteration
    MsgBean ms = new MsgBean();
    ms.setFrommm(from2);
    ms.setContenu(contenu2);
    ms.setDateEnvoi(dateenvoi2);
    ms.setNumExp(numexp2);

    tab.m[i] = ms;
    i = i + 1;
}

Next, it looks like your class msgTabl (class names should start with a capital, better to rename it to MsgTabl) contains an array; it may be preferable to replace that array with an ArrayList, especially when the length of the list is variable.


Regarding John Gardner's statement about SQL injections - stringing together a query string like you do is indeed extremely dangerous - see http://bobby-tables.com/ for a good, understandable explanation of why one day you will be hacked or vandalized if you don't address this problem. It's really quite simple to solve using PreparedStatement:

PreparedStatement statement = conn.prepareStatement("select id_u from utilisateur where pseudo= ? and motdepasse= ?");
statement.setString(1,pseudo);
statement.setString(2,motDePasse);
ResultSet rs1 = statement.executeQuery();
fvu
  • Thank you, now it returns the right messages! Concerning my JSON response, I renamed the msgTabl class to start with a capital and changed to a list. Now I have my class "MsgTabl" which contains {String test; AND List list = new ArrayList(); } but I still get the same format of JSON (mentioned in the next comment) this way. Have you an idea how I could fix that? How could I change my JSON so that I obtain a simple JSON without that msgtabl at the beginning, OR how could I extract data from this JSON response on the client side?? – NoKHe Aug 19 '14 at 07:46
  • `{ "msgTabl": {"list": [ {"contenu":"aid mabroukk","dateEnvoi":"2014-07-30","frommm":"voeuxmsg","id":0,"idu":0,"numExp":50840749}, {"contenu": 222222222222,"dateEnvoi": 222222,"frommm":222222222222,"id":0,"idu":0,"numExp":2222222}, {"contenu":3333333333,"dateEnvoi":3333333333, "frommm":333333333,"id":0,"idu":0,"numExp":33333333333} ], "test":"ok" } }` – NoKHe Aug 19 '14 at 07:47
  • Just guessing, but did you add the `@XmlRootElement` annotation to your `msgTabl` class? Check out [the Jersey tutorial](https://jersey.java.net/documentation/1.18/json.html) for a more elaborate example. – fvu Aug 19 '14 at 09:07
  • I don't really know exactly what the importance of putting that annotation is, but I just did it like the tutorial I was following. If I delete it, the web service cannot access that class to get and set information! – NoKHe Aug 19 '14 at 09:10
  • As you can see in the tutorial I linked to you should have obtained the result you want. I have no idea what's going on there. Can you add the code to the `msgTabl` class, and tell us what stack you are using? – fvu Aug 19 '14 at 11:03
  • `@XmlRootElement public class MsgTabl implements Serializable { String test; List list = new ArrayList(); public MsgTabl(){ } @XmlElement public String getTest() { return test; } public void setTest(String test) { this.test = test; } @XmlElement public List getList() { return list; } public void setList(List list) { this.list = list; } } ` – NoKHe Aug 19 '14 at 12:44
  • I reconstructed your code as faithfully as possible and tested it on Glassfish 3.1 and 4.0. Both give the expected result. What appserver and library (Jersey, RESTeasy, ...) are you using? – fvu Aug 19 '14 at 14:25
  • I used jQuery to extract data from this JSON response with its actual format and I resolved my problem. Thank you all – NoKHe Aug 20 '14 at 09:08
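The two points made in the answer above, a fresh bean per row and parameter markers instead of concatenation, carried through as an added example that is not code from the question or the answer. It is written in Python on top of the standard library's sqlite3 module rather than in Java/JDBC so that it runs offline with no database server; the table and column names (`utilisateur`, `id_u`, `pseudo`, `motdepasse`, `message`, `idUser`, `fromm`, `contenu`, `DateEnvoi`, `NumExp`) are taken from the question's queries, and all rows are constructed sample data. `messages_shared_bean` reproduces the aliasing bug (one mutable object appended N times), `messages_fresh_bean` is the corrected loop, and `lookup_user_unsafe` / `lookup_user_safe` contrast the concatenated query from the question with the parameterized one from the answer: with `?` placeholders a password value containing a quote is just a string that matches no row.

```python
import sqlite3

# Constructed sample rows standing in for the question's two tables.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]
SAMPLE_MESSAGES = [
    # id, idUser, fromm, contenu, DateEnvoi, NumExp
    (1, 1, "voeuxmsg", "bonjour", "2014-07-30", "50840749"),
    (2, 1, "newsmsg", "rappel", "2014-07-31", "2222222"),
    (3, 2, "voeuxmsg", "salut", "2014-08-01", "3333333"),
]


def open_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table utilisateur (id_u integer, pseudo text, motdepasse text)")
    conn.execute(
        "create table message (id integer, idUser integer, fromm text, "
        "contenu text, DateEnvoi text, NumExp text)"
    )
    conn.executemany("insert into utilisateur values (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("insert into message values (?, ?, ?, ?, ?, ?)", SAMPLE_MESSAGES)
    return conn


def lookup_user_unsafe(conn, pseudo, motdepasse):
    """The question's construction: user input spliced into the SQL text.
    A quote character in either value becomes part of the WHERE clause."""
    sql = ("select id_u from utilisateur where pseudo='" + pseudo
           + "' and motdepasse='" + motdepasse + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_user_safe(conn, pseudo, motdepasse):
    """The answer's construction: placeholders, values bound separately.
    The driver never interprets the bound values as SQL."""
    sql = "select id_u from utilisateur where pseudo=? and motdepasse=?"
    row = conn.execute(sql, (pseudo, motdepasse)).fetchone()
    return row[0] if row else None


MESSAGE_SQL = ("select fromm, contenu, DateEnvoi, NumExp from message "
               "where idUser=? order by id")


def messages_shared_bean(conn, user_id):
    """Reproduces the bug: one dict (the single MsgBean) is mutated each
    iteration and appended again, so every slot aliases the same object."""
    ms = {}
    out = []
    for fromm, contenu, date_envoi, num_exp in conn.execute(MESSAGE_SQL, (user_id,)):
        ms["frommm"] = fromm
        ms["contenu"] = contenu
        ms["dateEnvoi"] = date_envoi
        ms["numExp"] = num_exp
        out.append(ms)
    return out


def messages_fresh_bean(conn, user_id):
    """Corrected loop: a new dict per row, as the answer moves
    `new MsgBean()` inside the while loop."""
    out = []
    for fromm, contenu, date_envoi, num_exp in conn.execute(MESSAGE_SQL, (user_id,)):
        out.append({"frommm": fromm, "contenu": contenu,
                    "dateEnvoi": date_envoi, "numExp": num_exp})
    return out


if __name__ == "__main__":
    db = open_db()
    uid = lookup_user_safe(db, "alice", "s3cret")
    print("shared bean:", messages_shared_bean(db, uid))
    print("fresh bean: ", messages_fresh_bean(db, uid))
```

Run it and the shared-bean list prints the second message twice while the fresh-bean list prints both messages, which is exactly the symptom in the question. The safe lookup returns `None` for any pseudo/password pair that does not literally match a stored row, regardless of what characters the values contain.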