Thread: How does postgres handle non literal string values

How does postgres handle non literal string values

From
monroy@mindspring.com (javaholic)
Date:
Hi All,

I have some jsp code that should insert a user name and password into
a table called login.

Instead of inserting the values given by the client, it insert the
literal string 'username' and 'password. The problem is somewhere in
the INSERT statement.

Here is the code:

<%@page contentType="text/html"%>
<%@page import="java.io.*" %>
<%@page import="java.sql.*" %>
<%@page import="java.util.*" %>

<html>
<head><title>JSP login</title></head>
<body>

<%-- <jsp:useBean id="beanInstanceName" scope="session"
class="package.class" /> --%>
<%-- <jsp:getProperty name="beanInstanceName"  property="propertyName"
/> --%>

<%
String username = request.getParameter("username");
String password = request.getParameter("password");
String confirmpw = request.getParameter("password2");
String dbName = "storedb";


Connection conn = null;
Statement stmt = null;


String usr = "postgres";
String passwd = "Wimdk12";

if (username != null)   username = username.trim();
if (password != null)   password = password.trim();
if(confirmpw != null)   confirmpw = confirmpw.trim();
if (username != null &&       username.length() > 0) {       if (password != null &&           password.length() > 0) {
         if (confirmpw != null &&               confirmpw.length() > 0) {               if (password.equals(confirmpw))
{
%>                       <h1> Loading the driver </h1>
<%                       String url = "jdbc:postgresql:" + dbName;
                       // Load the driver                       Class.forName("org.postgresql.Driver");
     // Connect to database                       conn = DriverManager.getConnection(url, usr,
 
passwd);                       stmt = conn.createStatement();
%>
                      <h1> Connecting to the data base </h1>
<%                       String insertString =                       "INSERT INTO  \"login\" (\'user\', \'password\')
VALUES ('username', 'password')";
%>
                       <h1> Updating table </h1>
<%                           stmt.executeUpdate(insertString);

%>                       <h1> Checking result </h1>
<%                       ResultSet rset = stmt.executeQuery("SELECT *
FROM login");

                       while (rset.next()) {                           System.out.println(
rset.getString("user") + ":" +                               rset.getString("password"));                       }
 
%>                       <h1> Closing connection <h1>
<%                       rset.close();                       stmt.close();                       conn.close();

%>
<h1>Congratulations <%= username %>! your account has been created
</h1>

<%               } else { %>                     <h1>Sorry! Account not created.  passwords do
not match </h1>
<%               }             } else {  %>                      <h1>Sorry! Account not
created.  passwords do not match </h1>
<%               }             } else {  %>                    <h1>Sorry! Account not created. Please enter a
confirmation password </h1>
<%               }             } else { %>                    <h1>Sorry! Account not created. Please enter a
password </h1>
<%               }             } else { %>                    <h1>Sorry! Account not created. Please enter a
username </h1>
<%               }  %>
</body>
</html>

Any help on this is greatly appreciated.


Re: How does postgres handle non literal string values

From
"Henshall, Stuart - Design & Print"
Date:
<p><font size="2">I'm guessing it would have to be more like:</font><br /><font size="2"><%</font><br /><font
size="2">                       String insertString =</font><br /><font size="2">                        "INSERT INTO 
\"login\"(\'user\', \'password\')</font><br /><font size="2">VALUES ('"+username+"', '"+password+"')";</font><br
/><fontsize="2">%></font><br /><font size="2">to actually concatonate a string including the username & password
variables,however I've not really used Java much so you might want to ask on the pgsql-jdbc@postgresql.org
list.</font><p><fontsize="2">hth,</font><br /><font size="2">- Stuart</font><p><font size="2">monroy@mindspring.com
wrote:</font><br/><font size="2">> Hi All,</font><br /><font size="2">> </font><br /><font size="2">> I have
somejsp code that should insert a user name and password into</font><br /><font size="2">> a table called login.
</font><br/><font size="2">> </font><br /><font size="2">> Instead of inserting the values given by the client,
itinsert the</font><br /><font size="2">> literal string 'username' and 'password. The problem is somewhere
in</font><br/><font size="2">> the INSERT statement. </font><br /><font size="2">> </font><br /><font
size="2">>Here is the code:</font><br /><font size="2">> </font><br /><font size="2">> <%@page
contentType="text/html"%></font><br/><font size="2">> <%@page import="java.io.*" %></font><br /><font
size="2">><%@page import="java.sql.*" %></font><br /><font size="2">> <%@page import="java.util.*"
%></font><br/><font size="2">> </font><br /><font size="2">> <html></font><br /><font size="2">>
<head><title>JSPlogin</title></head></font><br /><font size="2">> <body></font><br
/><fontsize="2">> </font><br /><font size="2">> <%-- <jsp:useBean id="beanInstanceName"
scope="session"</font><br/><font size="2">> class="package.class" /> --%> <%--
<jsp:getProperty</font><br/><font size="2">> name="beanInstanceName"  property="propertyName" /> --%>
</font><br/><font size="2">> </font><br /><font size="2">> <%</font><br /><font size="2">> String username
=request.getParameter("username");</font><br /><font size="2">> String password =
request.getParameter("password");</font><br/><font size="2">> String confirmpw = request.getParameter("password2");
StringdbName =</font><br /><font size="2">> "storedb"; </font><br /><font size="2">> </font><br /><font
size="2">></font><br /><font size="2">> Connection conn = null;</font><br /><font size="2">> Statement stmt =
null;</font><br/><font size="2">> </font><br /><font size="2">> </font><br /><font size="2">> String usr =
"postgres";</font><br/><font size="2">> String passwd = "Wimdk12";</font><br /><font size="2">> </font><br
/><fontsize="2">> if (username != null)</font><br /><font size="2">>     username = username.trim();</font><br
/><fontsize="2">> if (password != null)</font><br /><font size="2">>     password = password.trim();</font><br
/><fontsize="2">> if(confirmpw != null)</font><br /><font size="2">>     confirmpw = confirmpw.trim();</font><br
/><fontsize="2">> if (username != null &&</font><br /><font size="2">>         username.length() > 0)
{</font><br/><font size="2">>         if (password != null &&</font><br /><font size="2">>            
password.length()> 0) {</font><br /><font size="2">>             if (confirmpw != null &&</font><br
/><fontsize="2">>                 confirmpw.length() > 0) {</font><br /><font size="2">>                 if
(password.equals(confirmpw)){</font><br /><font size="2">> %></font><br /><font
size="2">>                        <h1> Loading the driver </h1> <%</font><br /><font
size="2">>                        String url = "jdbc:postgresql:" + dbName;</font><br /><font size="2">>
</font><br/><font size="2">>                         // Load the driver</font><br /><font
size="2">>                        Class.forName("org.postgresql.Driver");</font><br /><font
size="2">>                        // Connect to database</font><br /><font size="2">>                        
conn= DriverManager.getConnection(url, usr,</font><br /><font size="2">>                         passwd); stmt =
conn.createStatement();%></font><br /><font size="2">> </font><br /><font size="2">>                       
<h1>Connecting to the data base </h1> <%</font><br /><font size="2">>                         String
insertString=</font><br /><font size="2">>                         "INSERT INTO  \"login\" (\'user\',</font><br
/><fontsize="2">> \'password\') VALUES ('username', 'password')";</font><br /><font size="2">> %></font><br
/><fontsize="2">> </font><br /><font size="2">>                         <h1> Updating table
</h1></font><br/><font size="2">> <%</font><br /><font size="2">>                            
stmt.executeUpdate(insertString);</font><br/><font size="2">> </font><br /><font size="2">> %></font><br
/><fontsize="2">>                         <h1> Checking result </h1></font><br /><font size="2">>
<%</font><br/><font size="2">>                         ResultSet rset = stmt.executeQuery("SELECT *</font><br
/><fontsize="2">> FROM login"); </font><br /><font size="2">> </font><br /><font size="2">> </font><br /><font
size="2">>                        while (rset.next()) {</font><br /><font size="2">>                            
System.out.println(</font><br/><font size="2">>                                 rset.getString("user") + ":"
+</font><br/><font size="2">>                                 rset.getString("password"));         </font><br
/><fontsize="2">> } %></font><br /><font size="2">>                         <h1> Closing connection
<h1><%</font><br /><font size="2">>                         rset.close();</font><br /><font
size="2">>                        stmt.close();</font><br /><font size="2">>                        
conn.close();</font><br/><font size="2">> </font><br /><font size="2">> %></font><br /><font size="2">>
<h1>Congratulations<%= username %>! your account has been created</font><br /><font size="2">>
</h1></font><br /><font size="2">> </font><br /><font size="2">> <%</font><br /><font
size="2">>                } else { %></font><br /><font size="2">>                       <h1>Sorry!
Accountnot created.  passwords do</font><br /><font size="2">> not match </h1> <%</font><br /><font
size="2">>                }</font><br /><font size="2">>               } else {  %>                     
<h1>Sorry!Account not</font><br /><font size="2">> created.  passwords do not match </h1></font><br
/><fontsize="2">> <%</font><br /><font size="2">>                 }</font><br /><font
size="2">>              } else {  %></font><br /><font size="2">>                      <h1>Sorry!
Accountnot created. Please enter a</font><br /><font size="2">> confirmation password </h1> <%</font><br
/><fontsize="2">>                 }</font><br /><font size="2">>               } else { %></font><br /><font
size="2">>                     <h1>Sorry! Account not created. Please enter a</font><br /><font size="2">>
password</h1> <%</font><br /><font size="2">>                 }</font><br /><font
size="2">>              } else { %></font><br /><font size="2">>                      <h1>Sorry! Account
notcreated. Please enter a</font><br /><font size="2">> username </h1> <%</font><br /><font
size="2">>                }  %></font><br /><font size="2">> </body></font><br /><font size="2">>
</html></font><br/><font size="2">> </font> 

Re: How does postgres handle non literal string values

From
Richard Huxton
Date:
On Monday 25 Nov 2002 12:57 pm, javaholic wrote:
> Hi All,
>
> I have some jsp code that should insert a user name and password into
> a table called login.
>
> Instead of inserting the values given by the client, it insert the
> literal string 'username' and 'password. The problem is somewhere in
> the INSERT statement.

>                         String insertString =
>                         "INSERT INTO  \"login\" (\'user\', \'password\')
> VALUES ('username', 'password')";

You're creating an insertString with the literal words "username" and
"password" in them. This is a java issue, not a PG issue. You'll want
something like (sorry if syntax is wrong, but I don't do Java):

String insertString = "Insert INTO ... VALUES ('" + sql_escaped(username) +
"')..."

You *will* want to escape the username and password otherwise I'll be able to
come along and insert any values I like into your database. I can't believe
the JDBC classes don't provide

1. Some way to escape value strings
2. Some form of placeholders to deal with this

--  Richard Huxton


Re: How does postgres handle non literal string values

From
"Charles H. Woloszynski"
Date:
Actually, we use JDBC Prepared Statements for this type of work.  You 
put a query with '?' in as placeholders and then add in the values and 
the library takes care of the encoding issues.  This avoids the double 
encoding of (encode X as String, decode string and encode as SQL X on 
the line).  There was a good article about a framework that did this in  
JavaReport about a 18 months ago.  

We have gleaned some ideas from that article to create a framework 
around using PreparedStatements as the primary interface to the 
database.  I'd suggest looking at them.  They really make your code much 
more robust.

Charlie


>"')..."
>
>You *will* want to escape the username and password otherwise I'll be able to 
>come along and insert any values I like into your database. I can't believe 
>the JDBC classes don't provide 
>
>1. Some way to escape value strings
>2. Some form of placeholders to deal with this
>
>  
>

-- 


Charles H. Woloszynski

ClearMetrix, Inc.
115 Research Drive
Bethlehem, PA 18015

tel: 610-419-2210 x400
fax: 240-371-3256
web: www.clearmetrix.com






Re: How does postgres handle non literal string values

From
"Rob Hills"
Date:
Hi,

On 25 Nov 2002 at 4:57, javaholic wrote:

Your problem is really a JSP one rather than a postgres problem, and probably doesn't 
really belong on this list.  That said, I know much more java/jsp than I do postgres, so I'll 
try and help.

> I have some jsp code that should insert a user name and password into
> a table called login.
> 
> Instead of inserting the values given by the client, it insert the
> literal string 'username' and 'password. The problem is somewhere in
> the INSERT statement.

Yup, your INSERT statement is doing exactly what you've asked it to do, inserting the 
literal strings 'username' and 'password' into the table.

> <%
>                         String insertString =
>                         "INSERT INTO  \"login\" (\'user\', \'password\')
> VALUES ('username', 'password')";
> %>

To do it correctly using JSP, try the following:

<% String insertString = "INSERT INTO  \"login\" (\'user\', \'password\')         VALUES ('" + username + "', '" +
password+ "')"; 
 
%>  

However, you would probably be better off using a PreparedStatement object rather 
than a Statement for various reasons, but especially to avoid trying to get the single- 
and double-quotes right in the above statement.

HTH,


Rob Hills
MBBS, Grad Dip Com Stud, MACS
Senior Consultant
Netpaver Web Solutions
Tel:    (0412) 904 357
Fax:    (08) 9485 2555
Email:    rob@netpaver.com.au



Re: How does postgres handle non literal string values

From
Vernon Wu
Date:
In general, it isn't a good idea to have SQL statements in JSP files. A good practise is using Mode 2. The Struts is a

popular Mode 2 framework. If your application is very small and it won't grow into a big one, you can get around using

Mode 1. In the situation, the SQL tags of JSTL will be a recommeded mechanism.

11/26/2002 8:05:27 AM, "Charles H. Woloszynski" <chw@clearmetrix.com> wrote:

>Actually, we use JDBC Prepared Statements for this type of work.  You 
>put a query with '?' in as placeholders and then add in the values and 
>the library takes care of the encoding issues.  This avoids the double 
>encoding of (encode X as String, decode string and encode as SQL X on 
>the line).  There was a good article about a framework that did this in  
>JavaReport about a 18 months ago.  
>
>We have gleaned some ideas from that article to create a framework 
>around using PreparedStatements as the primary interface to the 
>database.  I'd suggest looking at them.  They really make your code much 
>more robust.
>
>Charlie
>
>
>>"')..."
>>
>>You *will* want to escape the username and password otherwise I'll be able to 
>>come along and insert any values I like into your database. I can't believe 
>>the JDBC classes don't provide 
>>
>>1. Some way to escape value strings
>>2. Some form of placeholders to deal with this
>>
>>  
>>
>
>-- 
>
>
>Charles H. Woloszynski
>
>ClearMetrix, Inc.
>115 Research Drive
>Bethlehem, PA 18015
>
>tel: 610-419-2210 x400
>fax: 240-371-3256
>web: www.clearmetrix.com
>
>
>
>
>
>---------------------------(end of broadcast)---------------------------
>TIP 5: Have you checked our extensive FAQ?
>
>http://www.postgresql.org/users-lounge/docs/faq.html
>





Re: How does postgres handle non literal string values

From
"Charles H. Woloszynski"
Date:
Vernon:

Agreed.  We use Struts (as our MVC framework), and then a data access 
layer (we call persistables) that uses the PreparedStatements. Our JSPs 
only get data to render *after* the business logic has decided that all 
logic has been performed successfully.

The end-result is easily compartmentalized code (lots of code factoring) 
that makes for very robust applications.  We are working on moving this 
framework to PostgreSQL (from Oracle) and we expect to have to touch the 
SQL statements (which are each in their own class, again for re-use) and 
perhaps two or three other classes to deal with any JDBC driver issues.  When we make the transition successfully, I
hopeto be able to 
 
publicize the work and the value of PostgreSQL.

Charlie

Vernon Wu wrote:

>In general, it isn't a good idea to have SQL statements in JSP files. A good practise is using Mode 2. The Struts is a

>popular Mode 2 framework. If your application is very small and it won't grow into a big one, you can get around using

>Mode 1. In the situation, the SQL tags of JSTL will be a recommeded mechanism.
>
>11/26/2002 8:05:27 AM, "Charles H. Woloszynski" <chw@clearmetrix.com> wrote:
>
>  
>
>>Actually, we use JDBC Prepared Statements for this type of work.  You 
>>put a query with '?' in as placeholders and then add in the values and 
>>the library takes care of the encoding issues.  This avoids the double 
>>encoding of (encode X as String, decode string and encode as SQL X on 
>>the line).  There was a good article about a framework that did this in  
>>JavaReport about a 18 months ago.  
>>
>>We have gleaned some ideas from that article to create a framework 
>>around using PreparedStatements as the primary interface to the 
>>database.  I'd suggest looking at them.  They really make your code much 
>>more robust.
>>
>>Charlie
>>
>>
>>    
>>
>>>"')..."
>>>
>>>You *will* want to escape the username and password otherwise I'll be able to 
>>>come along and insert any values I like into your database. I can't believe 
>>>the JDBC classes don't provide 
>>>
>>>1. Some way to escape value strings
>>>2. Some form of placeholders to deal with this
>>>
>>> 
>>>
>>>      
>>>
>>-- 
>>
>>
>>Charles H. Woloszynski
>>
>>ClearMetrix, Inc.
>>115 Research Drive
>>Bethlehem, PA 18015
>>
>>tel: 610-419-2210 x400
>>fax: 240-371-3256
>>web: www.clearmetrix.com
>>
>>
>>
>>
>>
>>---------------------------(end of broadcast)---------------------------
>>TIP 5: Have you checked our extensive FAQ?
>>
>>http://www.postgresql.org/users-lounge/docs/faq.html
>>
>>    
>>
>
>
>
>
>---------------------------(end of broadcast)---------------------------
>TIP 6: Have you searched our list archives?
>
>http://archives.postgresql.org
>  
>

-- 


Charles H. Woloszynski

ClearMetrix, Inc.
115 Research Drive
Bethlehem, PA 18015

tel: 610-419-2210 x400
fax: 240-371-3256
web: www.clearmetrix.com






Re: How does postgres handle non literal string values

From
Vernon Wu
Date:
When the MVC pattern is employed and EJB is absented, the DAO pattern shall be utilized. With this system design, the 
DB routines are isolated from the rest of system for the purpose of "robust" as you mentioned. In the future, you only

need to write another set of DAO implemention if you decide to use another DB, say SAP DB for example. 

A DB connection pool also is desired, which shall take care of the JDBC driver look up.  

12/4/2002 5:00:18 AM, "Charles H. Woloszynski" <chw@clearmetrix.com> wrote:

>Vernon:
>
>Agreed.  We use Struts (as our MVC framework), and then a data access 
>layer (we call persistables) that uses the PreparedStatements. Our JSPs 
>only get data to render *after* the business logic has decided that all 
>logic has been performed successfully.
>
>The end-result is easily compartmentalized code (lots of code factoring) 
>that makes for very robust applications.  We are working on moving this 
>framework to PostgreSQL (from Oracle) and we expect to have to touch the 
>SQL statements (which are each in their own class, again for re-use) and 
>perhaps two or three other classes to deal with any JDBC driver issues. 
>  When we make the transition successfully, I hope to be able to 
>publicize the work and the value of PostgreSQL.
>
>Charlie
>
>Vernon Wu wrote:
>
>>In general, it isn't a good idea to have SQL statements in JSP files. A good practise is using Mode 2. The Struts is
a
 
>>popular Mode 2 framework. If your application is very small and it won't grow into a big one, you can get around 
using 
>>Mode 1. In the situation, the SQL tags of JSTL will be a recommeded mechanism.
>>
>>11/26/2002 8:05:27 AM, "Charles H. Woloszynski" <chw@clearmetrix.com> wrote:
>>
>>  
>>
>>>Actually, we use JDBC Prepared Statements for this type of work.  You 
>>>put a query with '?' in as placeholders and then add in the values and 
>>>the library takes care of the encoding issues.  This avoids the double 
>>>encoding of (encode X as String, decode string and encode as SQL X on 
>>>the line).  There was a good article about a framework that did this in  
>>>JavaReport about a 18 months ago.  
>>>
>>>We have gleaned some ideas from that article to create a framework 
>>>around using PreparedStatements as the primary interface to the 
>>>database.  I'd suggest looking at them.  They really make your code much 
>>>more robust.
>>>
>>>Charlie
>>>
>>>
>>>    
>>>
>>>>"')..."
>>>>
>>>>You *will* want to escape the username and password otherwise I'll be able to 
>>>>come along and insert any values I like into your database. I can't believe 
>>>>the JDBC classes don't provide 
>>>>
>>>>1. Some way to escape value strings
>>>>2. Some form of placeholders to deal with this
>>>>
>>>> 
>>>>
>>>>      
>>>>
>>>-- 
>>>
>>>
>>>Charles H. Woloszynski
>>>
>>>ClearMetrix, Inc.
>>>115 Research Drive
>>>Bethlehem, PA 18015
>>>
>>>tel: 610-419-2210 x400
>>>fax: 240-371-3256
>>>web: www.clearmetrix.com
>>>
>>>
>>>
>>>
>>>
>>>---------------------------(end of broadcast)---------------------------
>>>TIP 5: Have you checked our extensive FAQ?
>>>
>>>http://www.postgresql.org/users-lounge/docs/faq.html
>>>
>>>    
>>>
>>
>>
>>
>>
>>---------------------------(end of broadcast)---------------------------
>>TIP 6: Have you searched our list archives?
>>
>>http://archives.postgresql.org
>>  
>>
>
>-- 
>
>
>Charles H. Woloszynski
>
>ClearMetrix, Inc.
>115 Research Drive
>Bethlehem, PA 18015
>
>tel: 610-419-2210 x400
>fax: 240-371-3256
>web: www.clearmetrix.com
>
>
>
>
>
>---------------------------(end of broadcast)---------------------------
>TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
>