Other Statergies to implemment

Question

I have been using JSTL to fetch values from my database and display it in my jsp page using a similar code as shown below.

<sql:setDataSource
var="myDS"
driver="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/mydb"
user="root" password="secret"
/>

<sql:query var="list_users" dataSource="${myDS}">
SELECT * FROM users;
</sql:query>

<c:forEach var="user" items="${listUsers.rows}">

<c:out value="${user.name}" />

<c:out value="${user.email}" />

<c:out value="${user.profession}" />

</c:forEach>

My team leader advised me that it is not a good practice to put queries in the jsp page directly. Since there is a database name and username and password in this code I'm not sure if this code implements proper security. I would like to know your thoughts on the matter, and if there is any alternative to do this using JSTL itself.

Answer 1

Since JSTL is executed on server side, there's no security hole because the query cannot be seen by clients of the application. There are other problems with this approach:

• The query is not reusable. If you need it in other pages, you will need to repeat the query. When you have simple queries like this one you cannot check the problem, but this arises with more complex statements that needs parameters as well.
• You're creating a connection manually per page! This will slow your application. Use a proper datasource for a database connection pool configured as a resource or programatically (C3PO or BoneCP, for example)

Move all your database code into proper Data Access Layer classes. And use <sql> for JSTL for learning purposes only, not for real world applications.

More info:

• How to use JSTL sql tag
• Retrieve values from JDBC and use JSTL tags to call the methods
• Should a database connection stay open all the time or only be opened when needed?

Answer 2

You should really do your query in your java class, not in the jsp, like your team leader advised.

On the security side it doesn't really matter, all the code is available on the server, jsp or java. The sql tag shouldn't output that information in the generated page.

But really the question is more about the right use of the technologies:

jsp is used as a template, it should take data and show them to the end user. Some basic operation can be done life looping on data list or formating data, but this should be only specific to the view you want to make

java controler is used to recuperate data and configure the view as needed like which jsp to use and which data to send in that jsp