0

Could you help me to solve this? I cant find what is happening. I'm doing a web application using Java Servlets and JSP.

It show's this in the URL when I try to add a product : http://localhost:8080/ProductMaintenanceMdy/add?action=add&code=8768&description=mylove&price=15.55&Add+product=Submit

Since it shows the data entered in the URL, that means the form in the addProduct.jsp is working, but it doesn’t save the product in the database.

Could you check if my servlet code , mapping code and query function to add are right? Don't be rude, I'm a beginner.

//Servlet code for add product

else  if (action.equals("addProducts"))  // this is for action inside display  
{
    url= "/addProducts.jsp";
}
else if (action.equals("add")) //this is for add inside sddProducts
{  
    String code= request.getParameter("code");
    String description= request.getParameter("description");
    Double price=Double.parseDouble(request.getParameter("price"));

    Product p= new Product();
    p.setCode(code);
    p.setDescription(description);
    p.setPrice(price);

    ProductDB.insertProduct(p); //implemented it inside productDB.java
    url="/addProducts.jsp";

}

// Web xml mapping section for add

<servlet-mapping>
        <servlet-name>ProdMaintAppServlet</servlet-name>
        <url-pattern>/add</url-pattern>
</servlet-mapping>

// method inside the ProductDB (class for the database queries functions)

public static void insertProduct(Product p) {

    ConnectionPool pool = ConnectionPool.getInstance();
    Connection connection = pool.getConnection();
    PreparedStatement ps = null;
    ResultSet rs = null;

    String query=" INSERT INTO productsMaintenance VALUES( '"+ p.getCode()+"','"+ p.getDescription()+"','"+ p.getPriceCurrencyFormat()+"' ) ";

    try {

        ps = connection.prepareStatement(query);
        rs = ps.executeQuery();

    }

    catch (SQLException e) {
        System.err.println(e);
    } finally {
        DBUtil.closeResultSet(rs);
        DBUtil.closePreparedStatement(ps);
        pool.freeConnection(connection);
    }
}
Anil Nivargi
  • 1,473
  • 3
  • 27
  • 34
mdyoy
  • 1
  • 1
  • 1
    This question is way too broad. Your first step is to figure out which lines of code are successfully executed and which not. Once you've nailed that down, then improve your question accordingly by removing working code so that the focus is on non-working code. – BalusC Apr 15 '20 at 14:14

1 Answers1

1

You can find out the root cause by using a debugger. Apart from it, given below are some best practices which may also help you get rid of the problem.

For SQL Data Manipulation Language (DML) statement, such as INSERT, UPDATE or DELETE, you should use executeUpdate or execute.

Also, your implementation of PreparedStatement is not different from Statement i.e. you are actually not utilizing the power and benefits of PreparedStatement. It should be like

String query = "INSERT INTO productsMaintenance (Code, Description, PriceCurrencyFormat) VALUES (?, ?, ?)";
ps = conn.prepareStatement(query);
ps.setString (1, p.getCode());
ps.setString (2, p.getDescription());
ps.setString (3, p.getPriceCurrencyFormat());

// execute the PreparedStatement
ps.execute();

This way you can prevent the attempt of SQL injection as well as you can get rid of inserting ' explicitly before and after each data.

Check this to learn more about it.

Arvind Kumar Avinash
  • 71,965
  • 6
  • 74
  • 110