Member Avatar for oggiemc

Hi Everybody,

Im having a bit of a problem with an assignment..Im trying to write a JDBC servlet which checks the value of a name in the database against the value inputed in a form..USER and PASS are the values inputted to the by user into the form.. The code is below..But im getting a syntax error on the the italics lines below which says: Syntax error on tokens, (expected instead))
I dont know what is wrong with my syntax here..Can someone help me out please?

try {
                
  stmt = con.createStatement();
  rs = stmt.executeQuery(SELECT * FROM FMC_EMPLOYMENT WHERE SURNAME='" +
  req.getParameter("USER"))+ "' and PASSWORD = '" + req.getParameter("PASS")"');

  while (rs.next())
         out.println("<BR>Name=" + rs.getString("SURNAME") + " " + rs.getString("PASSWORD"));
  }
  • 2 Contributors
  • 4 Replies
  • 80 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by oggiemc

Recommended Answers

All 4 Replies

Member Avatar for masijade

Uhm, forget a quote (") before SELECT?

P.S. Use PreparedStatement.

Member Avatar for oggiemc

Uhm, forget a quote (") before SELECT?

P.S. Use PreparedStatement.

Thanks for reply masijade,

Put in the double quotes but now im getting an error saying:
req (from req.getParameter) cannot be resolved.. And also an error saying:
Syntax error on token ""\'"", delete this ..This error is coming from the quotes at the end of the last line of code i.e the quotes after ("PASS"); ..Theres no backslash here so what is the debugger saying??

P.S Is it necessary to use prepared stmt when im only requesting 2 parameters??

Many thanks
oggie

out.println("Connection Successful..... creating statement....");
      	     		stmt = con.createStatement();
	     		    rs = stmt.executeQuery("SELECT * FROM FMC_EMPLOYMENT WHERE FIRSTNAME='" + 
	     		    req.getParameter("USER") + "' and PASSWORD = '" + req.getParameter("PASS")"'");
Member Avatar for masijade

Regardless of the amount of input parameters use PreparedStatement. What if getParameter on USER return ';delete * from FMC_EMPLOYMENT;-- ? Or, more innocently, either one contains a simple "single quote" (')? PreparedStatement will prevent this sort of thing. It is not perfect in preventing SQL injection attacks, but it definately helps.

As far as the errors, then "req" is not defined in this scope.
And you forgot a quote (") at the end of the statement, before the closing paren. (And you forgot a plus (+) between the get parameter and that closing string.)

You need to look at your code more carefully.

Member Avatar for oggiemc

Thanks masijade for that..New to programming so its not very good at all..Thanks for tips..Got it working now :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.