Re: Insert using connector j?
Posted by: Todd Farmer
Date: July 07, 2014 03:44PM

Hi Branden,

Based on your code, I suspect you're getting SQL syntax error messages (you'll want to do a printStackTrace() or similar in your exception handling code to verify). The cause is improperly quoted values in the INSERT statement - you probably end up with something like the following:

INSERT INTO employees (ID,name,email,password)
VALUES (1,todd,foo@bar.com,mypassword);

That's going to fail.

It's also a sign that you need to better consider/understand input sanitation and SQL injection attacks. Allowing that this is probably proof-of-concept code, it would be trivial to exploit this in ways you surely would not like. That has implications, as a naive solution to your problem would be to simply add single quotes around the user data, like so:

stmt.executeUpdate("INSERT INTO employees (ID,name,email,password) VALUES ('"+ user[0] +"','"+ user[1] +"','"+ user[2] +"','"+ user[3] +"')");

While this will likely solve the question you are asking about, and eliminate the presumed SQL syntax error, it's entirely unsafe. Don't be tempted to use it. :)

Instead, please consider using prepared statements:

PreparedStatement psmt = conn.prepareStatement("INSERT INTO employees (ID,name,email,password) VALUES (?, ?, ?, ?)");
psmt.setInt(1, Integer.parseInt(user[0])); // assuming user is a String[], the ID has to be converted to an int for setInt
psmt.setString(2, user[1]);
psmt.setString(3, user[2]);
psmt.setString(4, user[3]);
psmt.executeUpdate(); // bound values travel as data, never spliced into the SQL text

(or something similar).

http://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement

Hope that helps!

--
Todd Farmer
MySQL @ Oracle
http://www.oracle.com/mysql/
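The following is an added example to illustrate the point made in the post above; it is not code from the original thread or from Connector/J. It puts the quoted-concatenation version beside the PreparedStatement version and feeds both the same two inputs: a legitimate name containing an apostrophe (O'Brien), which breaks the concatenated statement with the syntax error the post predicts, and a hostile name that closes the quoted value early and supplies its own email and password, which the concatenated version accepts and stores as if the user had typed them. The JDBC URL, credentials, table definition, class name and the two inputs are all assumptions made for the example; it expects a reachable MySQL server with Connector/J on the classpath and an `employees` table where IDs 1 to 4 are unused.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example, not code from the original post. Assumes MySQL Connector/J on the
 * classpath, a server reachable at URL with the credentials below (all assumed values),
 * and an existing table with IDs 1-4 unused:
 *   CREATE TABLE employees (ID INT PRIMARY KEY, name VARCHAR(200),
 *                           email VARCHAR(200), password VARCHAR(200));
 */
public class InsertDemo {
    static final String URL = "jdbc:mysql://localhost:3306/test";   // assumed
    static final String DB_USER = "appuser";                         // assumed
    static final String DB_PASS = "apppass";                         // assumed

    // The "naive fix" from the post: quote each value. Any quote in the data breaks it.
    static String buildNaiveInsert(String[] user) {
        return "INSERT INTO employees (ID,name,email,password) VALUES ('"
                + user[0] + "','" + user[1] + "','" + user[2] + "','" + user[3] + "')";
    }

    static void insertNaive(Connection conn, String[] user) throws SQLException {
        try (Statement stmt = conn.createStatement()) {
            stmt.executeUpdate(buildNaiveInsert(user));
        }
    }

    // The prepared-statement version: the SQL text is fixed, data is sent as bound parameters.
    static void insertPrepared(Connection conn, String[] user) throws SQLException {
        String sql = "INSERT INTO employees (ID,name,email,password) VALUES (?, ?, ?, ?)";
        try (PreparedStatement psmt = conn.prepareStatement(sql)) {
            psmt.setInt(1, Integer.parseInt(user[0])); // user[] is String[]; ID must be an int
            psmt.setString(2, user[1]);
            psmt.setString(3, user[2]);
            psmt.setString(4, user[3]);
            psmt.executeUpdate();
        }
    }

    // Read a row back so the effect of each insert is visible.
    static void showRow(Connection conn, int id) throws SQLException {
        try (PreparedStatement q = conn.prepareStatement(
                "SELECT name, email, password FROM employees WHERE ID = ?")) {
            q.setInt(1, id);
            try (ResultSet rs = q.executeQuery()) {
                while (rs.next()) {
                    System.out.printf("ID %d -> name=%s email=%s password=%s%n",
                            id, rs.getString(1), rs.getString(2), rs.getString(3));
                }
            }
        }
    }

    static String[] row(String id, String name, String email, String password) {
        return new String[] {id, name, email, password};
    }

    public static void main(String[] args) throws SQLException {
        // Constructed inputs. The hostile "name" closes the quoted value early, supplies
        // its own email and password, and "-- " comments out the rest of the statement.
        String honestName = "O'Brien";
        String hostileName = "x', 'attacker@evil.example', 'pwned') -- ";

        try (Connection conn = DriverManager.getConnection(URL, DB_USER, DB_PASS)) {
            try {
                insertNaive(conn, row("1", honestName, "ob@example.com", "s3cret"));
            } catch (SQLException e) {
                // The apostrophe in O'Brien produces the SQL syntax error the post describes.
                System.out.println("naive insert of O'Brien failed: " + e.getMessage());
            }

            // Accepted by MySQL, but the stored email/password are the attacker's, not the user's.
            insertNaive(conn, row("2", hostileName, "victim@example.com", "s3cret"));
            showRow(conn, 2);

            // Same inputs through bound parameters: both are stored literally, nothing is reinterpreted.
            insertPrepared(conn, row("3", honestName, "ob@example.com", "s3cret"));
            insertPrepared(conn, row("4", hostileName, "victim@example.com", "s3cret"));
            showRow(conn, 3);
            showRow(conn, 4);
        }
    }
}
```

The hostile input deliberately hijacks the remaining columns of the same INSERT rather than appending a second statement, because Connector/J leaves `allowMultiQueries` off by default and would reject a `; DROP TABLE ...` suffix; an attacker does not need a second statement to do damage. With the prepared statement, row 4 simply contains the payload text as its name, which is the behaviour you want: user data can never change the shape of the query.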
