Sunday, 14 January 2018

java - Having a mySQL error, unknown column where clause





I am currently having a problem selecting a certain item from a
mySQL database. My program is designed to pass a parameter from an android application
to a servlet which then queries the database.



However an error appears on the console
window:

Unknown column '0102310c24' in 'where
clause'



There is only an error when the value I
want to select contains a letter.



When I query
this number 0106172459, the data I want is returned without a problem.



Below is my
servlet.



import
            java.io.*;
import java.util.*;

import
            javax.sql.*;
import javax.servlet.*;
import
            javax.servlet.http.*;
import java.sql.Connection;
import
            java.sql.DriverManager;
import java.sql.ResultSet;
import
            java.sql.SQLException;
import java.sql.Statement;
public class
            DBServlet extends HttpServlet {
public void service(HttpServletRequest
            request,HttpServletResponse response)

throws IOException,
            ServletException{
response.setContentType("text/html");
PrintWriter
            out = response.getWriter();
String
            x=request.getParameter("item");
Connection con = null;
Statement
            stmt = null;
ResultSet rs = null;
try
            {
Class.forName("com.mysql.jdbc.Driver");
con
            =DriverManager.getConnection ("jdbc:mysql://IP/databasename", "username",
            "password");

stmt = con.createStatement();
rs =
            stmt.executeQuery("SELECT * FROM items WHERE item="+x);
// displaying
            records
while(rs.next()){
out.print(rs.getObject(1).toString());
out.print(",");
out.print(rs.getObject(2).toString());
out.print(",");
out.print(rs.getObject(3).toString());
out.print(",");

out.print(rs.getObject(4).toString());
out.print(",");
out.print(rs.getObject(5).toString());
out.print(",");
out.print(rs.getObject(6).toString());
out.print(",");
out.print(rs.getObject(7).toString());
out.print(",");
out.print(rs.getObject(8).toString());
out.print(",");

out.print("\n");
}
}
            catch (SQLException e) {
throw new ServletException("Servlet Could not display
            records.", e);
} catch (ClassNotFoundException e) {
throw new
            ServletException("JDBC Driver not found.", e);
} finally {
try
            {
if(rs != null) {
rs.close();

rs =
            null;
}
if(stmt != null) {
stmt.close();
stmt =
            null;
}
if(con != null) {
con.close();
con =
            null;
}

} catch (SQLException e)
            {}
}
out.close();
}
}


and
I use this to send the value to the
servlet.



List
            nameValuePair = new
            ArrayList();

nameValuePair.add(new
            BasicNameValuePair("item","List nameValuePair = new
            ArrayList();
nameValuePair.add(new
            BasicNameValuePair("item","010238a2cc"));"));


I
will be thankful if anyone could help


class="post-text" itemprop="text">
class="normal">Answer



The value
x should be enclosed in quotes, or a non-numeric value would be
assumed to refer to a column rather than a string
literal.



rs =
            stmt.executeQuery("SELECT * FROM items WHERE item='"+x +
            "'");



Note
that your script appears to be vulnerable to SQL injection, as the value
x has not been escaped but was received from the
Request. It would be better to use a prepared statement
here.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

php - file_get_contents shows unexpected output while reading a file

I want to output an inline jpg image as a base64 encoded string, however when I do this : $contents = file_get_contents($filename); print ...