I am developing a web app.... in which there will be a list of users requesting registration ...Wen ever we click on accept all the details must be moved from register table to login table...
PreparedStatement ps=conn.prepareStatement("insert into login(id,FirstName,LastName,Gender,Category,Dateofbirth,Age,Address,Country,State,city,PinCode,EmailId,ContactNo,MobileNo)select * from register ");
i have to insert all data from register table to login table when i click accept. But when i run this the whole table gets copied from register to login table...When i click accept only that particular users details must be moved.... Id must be fetched of that particular user... How to do that. Please someone help me fix this... Thanks in advance....
You should add a WHERE clause to the SQL statement:
INSERT INTO LOGIN (id,FirstName,LastName,Gender, ...)
SELECT * FROM REGISTER WHERE ID=?
then bind the id parameter to the PreparedStatement:
PreparedStatement ps=conn.prepareStatement( ... );
ps.setInt(1, id);
ps.executeUpdate();
This way you are limiting your SELECT to return only the row you are interested in and feeding it into the INSERT.
Related
I am doing an exercise in class to find web page vulnerabilities through a user/password form and we are suppouse to be able to modify columns of a table using SQL injection.
I know the tables of the database, for instance I am trying to modify the table users that has the colums id, password and email.
The problem is that for INSERT, UPDATE or DELETE the server code use the executeUpdate() method and for SELECT use the executeQuery() method which returns the ResultSet, so obviusly when I try someting like:
correctpassword'; UPDATE usuarios SET id='newname' WHERE id='oldname'; --
it returns an error because UPDATE does not return the ResultSet object.
I have also tried nested queries so the main consult would be a SELECT so it would actually return a ResultSet object but it doesnt work either. The query is:
correctpassword'; SELECT id FROM usuarios WHERE id = (SELECT id FROM usuarios WHERE id=?admin?; UPDATE usuarios SET id=?luciareina? WHERE id=?admin?); --
Do you know anyway to do this? Thank you very much in advance!
Depending on the database server you have, you can not have an update statement inside of a select statement.
you should close out the existing query and then do the update
Also, make sure the column you are updating is not an auto generated/key column that is not updatable.
SELECT id FROM usuarios WHERE id = 1; UPDATE usuarios SET id=1 WHERE id=2
You should test your injection directly on server to see if it is valid before testing it via the webpage.
I have developed a java program and I need to update and insert the login details of users. I have two textfields created and two buttons name add user and edit the user. when I type the username and password in the two textfields the user added to the database successfully, the error is in the edit user, I want to update the password of the user based on username,
I'm getting SQL error when trying to update the user,
here is my SQL query for updating the password of a user based on his username,
String sql = "UPDATE Admin SET password='"+JT_pass1.getText()+"' WHERE
username = "+JT_username1.getText();
when i execute im getting this error,
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column
'sss' in 'where clause'
"sss" is what I entered to username field,
Mysql database I have admin table which consists of two columns admin and username,
I cannot figure out where am I getting wrong, please any help would be highly appreciated.
Your immediate problem is that you forgot to place single quotes around the username in your query. Hence, the database is interpreting sss as a column. But you should really be using prepared statements:
String query = "UPDATE Admin SET password=? WHERE username = ?";
PreparedStatement update = con.prepareStatement(query);
update.setString(JT_pass1.getText());
update.setString(JT_username1.getText());
update.executeUpdate();
There are many advantages to using prepared statements. First, it will automatically take care of proper escaping of strings and other types of data. In addition, it will prevent SQL injection from happening.
To get this to work, you need to add quotes around the username like so:
String sql = "UPDATE Admin SET password='"+JT_pass1.getText()+"' WHERE
username = '"+JT_username1.getText()+"'";
However, updating the database this way is vulnerable to SQL injection, so it would be much better to use Prepared Statements.
To consider "JT_username1.getText()" as a part of you query string, you have to enclose it under proper quotation.
Same like added "JT_pass1.getText()" between single and double quote, you have to add "JT_username1.getText()" as well.
String sql = "UPDATE Admin SET password='" + JT_pass1.getText() + "' WHERE username = '"+JT_username1.getText()+"'";
I am getting familiar with Java through involvement on a servlet web service project that is now up and running. But the stakeholders want a front end that will allow them to examine the audit table set up in a SQL server database. I am trying to quickly put one together in JSP with initial success but now stuck.
I want a drop down list to provide a list of all the users (Unique). I have acheived this using a JSTL taglib method following the link below with the following SQL;
"SELECT DISTINCT(USER_ID) FROM AUDIT_MESSAGE".
http://www.apekshit.com/t/205/JSTL-SQL-Query-Tag-Example
Now I want, when the user clicks on one of the users names it automatically populates another drop down list with a list of times that user logged in with the following SQL;
SELECT SESSION_ID, EventTIME FROM dbo.AUDIT_MESSAGE
WHERE OPERATION = 'loginResponse' AND RESULTS = 'OK'
AND USER_ID = 'firstdropdownlistselection'
Then when an item from the second drop down list option is selected a third SQL statement of;
Select * FROM dbo.AUDIT_MESSAGE
WHERE SESSION_ID = 'seconddropdownlistselection'
This is then used to populate a list box of the Users events at the selected time.
I have found the following link below offering another method but I am unsure whether to continue with the method I have started with or is there a better way. Can someone please advise me on what method would work best?
Multiple ResultSets
Thanks in advance
AJF
You could display the whole database table information(minus the ids) if this is what they want.
If you want to do it in these steps (select user, select session, display information) what you are doing is correct.
I have asked this question and wanted to edit it , however StackOverflow for some reason did not allow me to edit . So here is the edited version
For example a query :
create volatile table testTable as (select * from ... blah blah) ;
select top 10 * from testTable ;
drop table testTable ;
It executes perfect in sql assistance as one session. I am sure it is possible to execute it in Java in one session.
Goal : need to execute it in one session similar to sql assistant so that it is possible to refer to the volatile table in the subsequent select statement. Also the data from the select statement should be saved in the ResultSet
PS
I saw one answer to a similar question about mysql. The trick is to turn on allow multiple queries
String dbUrl = "jdbc:mysql:///test?allowMultiQueries=true";
For teradata specifically,
what is the solution ?
I tried
String dbUrl = "jdbc:odbc:dsn?allowMultiQueries=true";
What is exactly failing?
Is there an error message "testtable doesn't exist"? Then your program closes the connection after each request.
Is the table empty when you do the SELECT? Then you forgot to add ON COMMIT PRESERVE ROWS to the CREATE.
I want to show a attack of sql injection in which when user fill a user login form and submit to java servlet. in login and password filed how we are type a query which is update any other record. I know all column and table names.
for example I am write this query in servlet :
select userid,username from accountinfo where userid='testid' and pass='1234';
update accountinfo set emailid='aar#r.com' where userid='testid2';
but its give Sql Exception how to solve this issue.
Try a single query first:
select userid, username
from accountinfo
where userid='-' and pass='-'
union
select userid, pass
from accountinfo
where userid like 'adm%'
If that gives no exception, present first the query of system tables, and then the above query. Pick an injection of an SQL update for the update accountinfo.