Web tier: servlets, JSP, Web frameworks: jsp parameter passing

  1. jsp parameter passing (2 messages)

    I am having trouble passing values through my JSP. I have a first page where the user enters two numbers. Then when they submit it, the numbers get passed to the second page. I can successfully have the numbers display on the second page by calling them with the request.getParameter() method. However, my question actually comes with the SQL database portion.

    I have this code which calls in the parameters (this part works):

    <%
    String input1, input2;
    input1=request.getParameter("number1");
    input2=request.getParameter("number2");
    %>

    I can't pass those values into the SQL though. I want it to work like this:

    select
      values
    from
      tables
    where
      this1 = "input1"(value from above)
     and
      this2 = "input2"(value from above)

    Does anyone know the proper syntax for getting those numbers to pass through into the SQL? Sorry if this is in the wrong forum, but any help would be appreciated, or even telling me what forum I could go to.
    THANKS!
    bob


  2. jsp parameter passing

    I am surprised that you are having difficulty with such a simple issue.
    1) Write a canned query and make it work.
    2) Replace the values in the "WHERE" clause with the variables that hold the request parameter.
    How much simpler can this get?

    <%@ page import="java.sql.*" %>
    <%
    String input1, input2;
    input1 = request.getParameter("number1");
    input2 = request.getParameter("number2");
    %>
    <%
    Connection conn = someHowGetAConnection(); // placeholder: obtain a JDBC Connection however your app does it
    Statement statement = conn.createStatement();
    // OR if you are smart then use a PreparedStatement
    String sql = "select values from tables where this1 = "
        + input1 + " and this2 = " + input2 + ";";
    ResultSet rs = statement.executeQuery(sql); // a SELECT needs executeQuery, not executeUpdate
    %>
  3. jsp parameter passing

    I just wanted to stress that you should nearly always use a PreparedStatement since it escapes the data properly before sending it to the DB (and makes sure the format is right).

    Otherwise you could have some "smart" users who would either create invalid SQL by using special characters or perform unwanted queries by supplying their inner SQLs (security issue!).
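As an added example (not code from any of the posters above), here is what the PreparedStatement approach from the last two replies looks like when pulled out of the JSP into a helper class. The query text is fixed and the two numbers are bound as integer parameters, so nothing the user types is ever treated as SQL; parsing the strings to int also rejects the "special characters" case up front. The table and column names (my_table, this1, this2, value_col) are assumptions standing in for the original poster's placeholders "tables", "this1", "this2" and "values" (note that VALUES is a reserved word in SQL, so it is not a usable column name anyway).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not from the thread above. Looks up rows by the two numbers
 * the user typed, using a PreparedStatement so the values travel to the
 * database as bound parameters rather than being spliced into the SQL text.
 * Table/column names are assumptions (see the lead-in).
 */
public class NumberLookup {

    // Fixed query text; the '?' markers are filled in by the JDBC driver.
    private static final String SQL =
        "SELECT value_col FROM my_table WHERE this1 = ? AND this2 = ?";

    /** Parses one request parameter as an int, rejecting anything that is not a number. */
    static int parseNumber(String name, String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            throw new IllegalArgumentException("missing parameter " + name);
        }
        try {
            return Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("parameter " + name + " is not a number: " + raw);
        }
    }

    /**
     * Runs the lookup. input1 and input2 are the raw strings obtained from
     * request.getParameter("number1") and request.getParameter("number2").
     */
    static List<String> lookup(Connection conn, String input1, String input2) throws SQLException {
        int n1 = parseNumber("number1", input1);
        int n2 = parseNumber("number2", input2);
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setInt(1, n1);   // bound as an integer: the value can never alter the query structure
            ps.setInt(2, n2);
            try (ResultSet rs = ps.executeQuery()) {   // SELECT uses executeQuery, not executeUpdate
                while (rs.next()) {
                    rows.add(rs.getString(1));
                }
            }
        }
        return rows;
    }
}
```

From the second JSP page you would call NumberLookup.lookup(conn, request.getParameter("number1"), request.getParameter("number2")), catch IllegalArgumentException and answer with an error page (HTTP 400) instead of running the query, and let SQLException propagate to your normal error handling. Because the statement text never changes, the database can also cache the plan, which is the usual non-security argument for PreparedStatement as well.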