Unable to Get the Proper Result : SQL Query Help Needed
-
Dear All,
rs3=st.executeQuery("select * from "+sdata[j]+" where Username='"+idata[i]+"'");
while(rs3.next())
{%><%out.println(rs3.getString("Final_Grade"));%><% }
In the above JSP code, sdata[j] is the array of table names and idata[i] is the array of usernames. What I am trying to achieve is to retrieve final_grade from the tables sdata[j] where the username == idata[i]. Since the username exists in some tables, it displays the final grade, but when no record is found in the table I want to print "Null" instead of Final_Grade. Is this possible to implement?
-
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Just count the returned rows:
int count = 0;
while (rs3.next())
{
    count++;
    // Access row data here
}
if (count == 0)
{
    // No matching row found
    %>Null<%
}
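The two replies combined, as an added example that is not part of the original thread: the username is bound as a parameter, the table name (which JDBC cannot bind) is checked against an allow-list, and "Null" is returned when no row matches. The class name, the table names, the sample usernames and the JDBC URL argument are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class GradeLookup {
    // Constructed allow-list: the only table names that may reach the SQL text.
    static final Set<String> ALLOWED_TABLES = Set.of("course_math", "course_physics");

    /** Returns Final_Grade for username in table, or "Null" when no row matches. */
    static String finalGradeOrNull(Connection conn, String table, String username)
            throws SQLException {
        // Identifiers cannot be bound as parameters, so the table name is
        // validated against the allow-list before it is concatenated.
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("Unknown table: " + table);
        }
        String sql = "SELECT Final_Grade FROM " + table + " WHERE Username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username); // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return "Null"; // no matching row in this table
                }
                String grade = rs.getString("Final_Grade");
                return grade == null ? "Null" : grade; // column itself may be SQL NULL
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL of the database (assumption; its driver must be on the classpath).
        try (Connection conn = DriverManager.getConnection(args[0])) {
            String[] sdata = {"course_math", "course_physics"}; // constructed table names
            String[] idata = {"alice", "o'brien"};              // constructed usernames
            for (String user : idata) {
                for (String table : sdata) {
                    System.out.println(table + " / " + user + ": "
                            + finalGradeOrNull(conn, table, user));
                }
            }
        }
    }
}
```

The apostrophe in the second sample username would break the concatenated query from the question; with the bound parameter it is matched as an ordinary character.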