hi,

This is a serious security bug: any person can modify the string and send his own SQL statement. You might want to write all the SQL statements in JSP and take only valid values from the form.

cheers,
Nagarajan.

> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]] On Behalf Of Vaishali S. Pandya
> Sent: Tuesday, August 13, 2002 7:48 AM
> To: [EMAIL PROTECTED]
> Subject: Re: "+" sign in query not working
>
> THANK YOU VERY MUCH
> IT'S WORKING NOW
>
> THIS IS IN REPORT.JSP
> -------------------------------------
> function myreport(){
>   qry='select emp_employee_no,emp_blood_group from hrm_employee_mas where emp_blood_group in ("O+")';
>   document.frm1.finalqry.value=qry;
>   document.frm1.target="_new";
>   document.frm1.method="post";
>   document.frm1.submit();
> }
>
> <form name=frm1 type="post">
> <%
>   String fqry=request.getParameter("finalqry");
>   if (fqry==null || fqry.length()==0){
>     fqry="";
>   }
>   else
>   {
>     response.sendRedirect("crrep.jsp");
>   }
> %>
>
> THIS IS IN CRREP.JSP
> -------------------------------------
> String qry = request.getParameter("finalqry");
> out.println(qry);
>
> IT SHOWS ME "O+" HERE WHICH WAS "O " BEFORE
>
> THANK YOU
>
> From: "Kesavanarayanan, Ramesh (Cognizant)" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc:
> Subject: RE: "+" sign in query not working
> Date: 08/13/02 10:34 AM
>
> got it. + symbol in url means that it is a way of appending the query parameter. so in your case whatever comes after the + symbol will be treated as a parameter name.
> try to pass this as a hidden variable and then check if it works and let me know after that
>
> Regards
>
> Ramesh Kesavanarayanan
> * [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Vaishali S. Pandya [SMTP:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 13, 2002 10:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: "+" sign in query not working
> >
> > from report.jsp I sendRedirect("crrep.jsp")
> > in crrep.jsp I try to getParameter("finalqry")
> > finalqry is a hidden field in report.jsp
> > here the problem is the full finalqry shows in the URL [crrep.jsp?(HERE)]
> > I DON'T KNOW WHY THIS IS HAPPENING
> > I don't pass it with crrep.jsp?......
> > and the problem I think is + sign has its special meaning in URL
> > so "O+" in finalqry becomes "O "
> > am i right here?
> > what to do?
> > pls correct me if i am wrong somewhere.
> >
> > From: "Kesavanarayanan, Ramesh (Cognizant)" <[EMAIL PROTECTED]>
> > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > cc:
> > Subject: RE: "+" sign in query not working
> > Date: 08/12/02 05:33 PM
> >
> > are you working in oracle?
> >
> > Regards
> >
> > Ramesh Kesavanarayanan
> > * [EMAIL PROTECTED]
> >
> > > -----Original Message-----
> > > From: sreenath.v [SMTP:[EMAIL PROTECTED]]
> > > Sent: Monday, August 12, 2002 5:50 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: "+" sign in query not working
> > >
> > > hoy madam where were u for long time!
> > > i had asked u to send me the treatment for back pain!
> > > can u send it to me!
> > >
> > > ----- Original Message -----
> > > From: "Vaishali S. Pandya" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Monday, August 12, 2002 5:06 PM
> > > Subject: "+" sign in query not working
> > >
> > > > hi friends
> > > > i have a trouble in my query
> > > >
> > > > Select * from EM
> > > > Where blood_grp = "O-"
> > > >
> > > > it gives me proper output: all rows having blood group "O-"
> > > >
> > > > but blood_grp="O+"
> > > > is not working.
> > > > same for "A-", "B-" and "AB-" is working fine
> > > > and "A+", "B+" and "AB+" is not working at all and returns zero number of rows
> > > > why is it there?
> > > > does the + sign have any meaning in qry?
> > > > here this query is working fine on the backend side if i fire it directly on the database.
> > > >
> > > > Thanks in advance
> > > > Vaishali

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:
http://archives.java.sun.com/jsp-interest.html
http://java.sun.com/products/jsp/faq.html
http://www.esperanto.org.nz/jsp/jspfaq.jsp
http://www.jguru.com/faq/index.jsp
http://www.jspinsider.com
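An added example (not code from the thread) of the fix Nagarajan describes: the SQL text stays in server-side code, the form contributes only a blood-group value that is checked against an allowlist and bound with a PreparedStatement, and the "+" is percent-encoded whenever the value has to travel in a URL. The class name, method names and the `bg` parameter are assumptions; the table and column names come from the thread; `Set.of` and `URLEncoder.encode(String, Charset)` need Java 10 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical server-side replacement for the report.jsp / crrep.jsp pair.
public class BloodGroupReport {
    // Allowlist: the only values a form parameter may contribute to the query.
    private static final Set<String> VALID_BLOOD_GROUPS =
            Set.of("O+", "O-", "A+", "A-", "B+", "B-", "AB+", "AB-");

    // Returns the canonical blood group, or null when the parameter is not on the allowlist.
    public static String validateBloodGroup(String param) {
        if (param == null) return null;
        String v = param.trim().toUpperCase();
        return VALID_BLOOD_GROUPS.contains(v) ? v : null;
    }

    // The SQL is fixed here; the browser never supplies statement text. The value is bound
    // as a parameter, so a "+" or a quote inside it cannot change the statement.
    public static List<String> findEmployees(Connection conn, String bloodGroupParam)
            throws SQLException {
        String bg = validateBloodGroup(bloodGroupParam);
        if (bg == null) throw new IllegalArgumentException("blood group not on allowlist");
        String sql = "select emp_employee_no from hrm_employee_mas where emp_blood_group = ?";
        List<String> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, bg);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) ids.add(rs.getString(1));
            }
        }
        return ids;
    }

    // If the value must go in a URL, encode it: "O+" becomes "O%2B". A bare "+" is decoded
    // by the servlet container as a space, which is exactly what the thread observed.
    public static String reportLink(String bloodGroup) {
        return "crrep.jsp?bg=" + URLEncoder.encode(bloodGroup, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        System.out.println(reportLink("O+"));
        System.out.println(validateBloodGroup(" ab+ "));
        System.out.println(validateBloodGroup("O+ or anything else"));
    }
}
```

Only `findEmployees` needs a live JDBC `Connection`; the other two methods run without one, which is what `main` exercises.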
