On 1/22/07, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:
> From: Andy Moller [mailto:[EMAIL PROTECTED]
> Subject: Re: Tomcat 4.x (Major Problem)
>
> <snip>
>     String[] value1 = (request.getParameterValues("value_1") != null)
>                       ? request.getParameterValues("value_1")
>                       : new String[0];
> <snip>
>     String singleVal1 = value1[i];
> <snip>
>     query =
>         "insert into sample_table(id,val1,common_name,val2)"
>         + " values (sequence.nextVal,"
>         + singleVal1
>         + ",'"
>         + commonName
>         + "','"
>         + val2[j]
>         + "')";
> <snip>
> However, the actual query printout (that causes an exception, and the
> behavior I cannot justify):
> "insert into sample_table(id,val1,common_name,val2) values(
> sequence.nextVal,nameB,'nameA','valueB1')"

There's nothing in your code that checks the value_1 parameter set for being numeric or having other inappropriate values; consequently, you're at the mercy of the client to submit valid data. No evidence here of anything but insufficiently robust programming.

 - Chuck
Andy: this is a premature judgment based on an isolated piece of code. Your argument suggests that the client has control over the data that is being sent, whereas it does not. The code assumes valid data, and errors were trapped at the database level when the statement is executed. The programming tip is appreciated, although it is out of context.

thanks,
Andy

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
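The check Chuck points out as missing, written up as an added example (not code from either poster): every entry of the `value_1` parameter set is parsed as an integer in the servlet before any SQL is built, and all user-supplied values are then bound through `PreparedStatement` placeholders rather than concatenated into the query string. With that in place a value such as `nameB` is rejected with a clear error at the servlet instead of arriving at the database as bare SQL text. The table and column names come from the quoted query; the class and method names, and the nested-loop shape inferred from `value1[i]` and `val2[j]`, are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;

// Hypothetical helper class; names are assumptions, not from the thread.
public class SampleTableInsert {

    // Template taken from the quoted query; the three user-supplied values
    // become bind parameters instead of being spliced into the SQL text.
    static final String INSERT_SQL =
        "insert into sample_table(id,val1,common_name,val2)"
        + " values (sequence.nextVal, ?, ?, ?)";

    /**
     * Validate the value_1 parameter set: each entry must be an integer.
     * Returns the parsed numbers, or throws IllegalArgumentException naming
     * the offending entry. This is the check the quoted code does not have.
     */
    static long[] parseNumericValues(String[] raw) {
        if (raw == null) {
            return new long[0];            // same null handling as the original
        }
        long[] parsed = new long[raw.length];
        for (int i = 0; i < raw.length; i++) {
            String s = raw[i] == null ? "" : raw[i].trim();
            try {
                parsed[i] = Long.parseLong(s);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException(
                    "value_1[" + i + "] is not numeric: \"" + s + "\"");
            }
        }
        return parsed;
    }

    /**
     * Insert one row per (val1, val2) pair, mirroring the loops implied by
     * value1[i] and val2[j], with every value bound through a placeholder.
     * Returns the number of rows inserted.
     */
    static int insertRows(Connection conn, long[] val1, String commonName,
                          String[] val2) throws SQLException {
        int rows = 0;
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            for (long v1 : val1) {
                for (String v2 : val2) {
                    ps.setLong(1, v1);          // numeric, already validated
                    ps.setString(2, commonName); // quoting handled by the driver
                    ps.setString(3, v2);
                    rows += ps.executeUpdate();
                }
            }
        }
        return rows;
    }

    // Stand-alone demonstration of the validation step with constructed
    // inputs; no database connection is needed for this part.
    public static void main(String[] args) {
        String[] good = {"42", " 7 "};
        System.out.println(Arrays.toString(parseNumericValues(good)));

        // A non-numeric entry of the kind seen in the quoted query printout.
        String[] bad = {"42", "nameB"};
        try {
            parseNumericValues(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a servlet, `parseNumericValues(request.getParameterValues("value_1"))` would run before the loop, and the `IllegalArgumentException` would be turned into an HTTP 400 response; the database then only ever sees well-typed bind values, and a malformed submission no longer surfaces as a confusing SQL exception.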