Hi Everybody,

I'm having a bit of a problem with an assignment. I'm trying to write a JDBC servlet which checks the value of a name in the database against the value input in a form. USER and PASS are the values input by the user into the form. The code is below, but I'm getting a syntax error on the italicised lines below which says: Syntax error on tokens, (expected instead))
I don't know what is wrong with my syntax here. Can someone help me out please?

try {
  stmt = con.createStatement();
  rs = stmt.executeQuery(SELECT * FROM FMC_EMPLOYMENT WHERE SURNAME='" +
  req.getParameter("USER"))+ "' and PASSWORD = '" + req.getParameter("PASS")"');

  while (rs.next())
         out.println("<BR>Name=" + rs.getString("SURNAME") + " " + rs.getString("PASSWORD"));

Uhm, forget a quote (") before SELECT?

P.S. Use PreparedStatement.

Thanks for reply masijade,

Put in the double quotes but now I'm getting an error saying:
req (from req.getParameter) cannot be resolved. And also an error saying:
Syntax error on token ""\'"", delete this. This error is coming from the quotes at the end of the last line of code, i.e. the quotes after ("PASS"). There's no backslash here, so what is the debugger saying?

P.S. Is it necessary to use a prepared stmt when I'm only requesting 2 parameters?

Many thanks

out.println("Connection Successful..... creating statement....");
stmt = con.createStatement();
rs = stmt.executeQuery("SELECT * FROM FMC_EMPLOYMENT WHERE FIRSTNAME='" +
    req.getParameter("USER") + "' and PASSWORD = '" + req.getParameter("PASS")"'");

Regardless of the number of input parameters, use PreparedStatement. What if getParameter on USER returns ';delete * from FMC_EMPLOYMENT;-- ? Or, more innocently, either one contains a simple "single quote" (')? PreparedStatement will prevent this sort of thing. It is not perfect in preventing SQL injection attacks, but it definitely helps.

As far as the errors go, "req" is not defined in this scope.
And you forgot a quote (") at the end of the statement, before the closing paren. (And you forgot a plus (+) between the getParameter call and that closing string.)

You need to look at your code more carefully.
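Added example, not code from the thread or from masijade: the same login lookup rewritten with PreparedStatement as suggested above. It assumes the table and column names from the posts (FMC_EMPLOYMENT, SURNAME, PASSWORD) and an already-open java.sql.Connection; the class and method names are my own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Login lookup against FMC_EMPLOYMENT using bound parameters (hypothetical helper class). */
public class EmployeeLookup {

    // The SQL text is fixed; the two ? placeholders mark where user-supplied values go.
    private static final String LOGIN_SQL =
        "SELECT SURNAME, PASSWORD FROM FMC_EMPLOYMENT WHERE SURNAME = ? AND PASSWORD = ?";

    /**
     * Returns true if exactly the given surname/password pair exists in the table.
     * In the servlet the arguments come from req.getParameter("USER") and
     * req.getParameter("PASS"); they are passed here as plain Strings.
     */
    public static boolean credentialsMatch(Connection con, String user, String pass)
            throws SQLException {
        // getParameter returns null when the form field is absent; treat that as no match
        // rather than binding SQL NULL and relying on the database's comparison rules.
        if (user == null || pass == null) {
            return false;
        }
        // try-with-resources closes the statement and result set even when an exception is thrown.
        try (PreparedStatement ps = con.prepareStatement(LOGIN_SQL)) {
            // setString binds each value as data: a single quote or a trailing
            // ';delete * from FMC_EMPLOYMENT;-- in the input stays inside the value
            // and never becomes part of the statement text.
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /* For contrast, the concatenated form from the thread:
     *   "... WHERE SURNAME='" + user + "' and PASSWORD = '" + pass + "'"
     * Here a single quote in either value changes the SQL text itself, which is
     * both the stray-quote breakage and the injection risk masijade describes.
     *
     * Servlet usage (assuming HttpServletRequest req and Connection con are in scope):
     *   boolean ok = EmployeeLookup.credentialsMatch(con,
     *                    req.getParameter("USER"), req.getParameter("PASS"));
     */
}
```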


Thanks masijade for that. New to programming so it's not very good at all. Thanks for the tips. Got it working now :)
