java - HTTP Status 500 at line 35 -

when running create-dest.jsp , fill form taking error , can , , suggest me solution?

ps: know coding java in jsp bad...

type exception report

message exception occurred processing jsp page /assets/jsp/create-dest-code.jsp @ line 35

description server encountered internal error prevented fulfilling request.

exception org.apache.jasper.jasperexception: exception occurred processing jsp page /assets/jsp/create-dest-code.jsp @ line 35

32: //out.print(id); 33: if ( cat != null) { 34: for(int i=0;i } else {

stacktrace: org.apache.jasper.servlet.jspservletwrapper.handlejspexception(jspservletwrapper.java:574) org.apache.jasper.servlet.jspservletwrapper.service(jspservletwrapper.java:461) org.apache.jasper.servlet.jspservlet.servicejspfile(jspservlet.java:396) org.apache.jasper.servlet.jspservlet.service(jspservlet.java:340) javax.servlet.http.httpservlet.service(httpservlet.java:729) org.apache.tomcat.websocket.server.wsfilter.dofilter(wsfilter.java:52)

root cause javax.servlet.servletexception: com.mysql.jdbc.exceptions.mysqlsyntaxerrorexception: unknown column 'winter' in 'where clause' org.apache.jasper.runtime.pagecontextimpl.dohandlepageexception(pagecontextimpl.java:909) org.apache.jasper.runtime.pagecontextimpl.handlepageexception(pagecontextimpl.java:838) org.apache.jsp.assets.jsp.create_002ddest_002dcode_jsp._jspservice(create_002ddest_002dcode_jsp.java:173) org.apache.jasper.runtime.httpjspbase.service(httpjspbase.java:70) javax.servlet.http.httpservlet.service(httpservlet.java:729) org.apache.jasper.servlet.jspservletwrapper.service(jspservletwrapper.java:438) org.apache.jasper.servlet.jspservlet.servicejspfile(jspservlet.java:396) org.apache.jasper.servlet.jspservlet.service(jspservlet.java:340) javax.servlet.http.httpservlet.service(httpservlet.java:729) org.apache.tomcat.websocket.server.wsfilter.dofilter(wsfilter.java:52)

root cause com.mysql.jdbc.exceptions.mysqlsyntaxerrorexception: unknown column 'winter' in 'where clause' com.mysql.jdbc.sqlerror.createsqlexception(sqlerror.java:936) com.mysql.jdbc.mysqlio.checkerrorpacket(mysqlio.java:2870) com.mysql.jdbc.mysqlio.sendcommand(mysqlio.java:1573) com.mysql.jdbc.mysqlio.sqlquerydirect(mysqlio.java:1665) com.mysql.jdbc.connection.execsql(connection.java:3118) com.mysql.jdbc.connection.execsql(connection.java:3047) com.mysql.jdbc.statement.executequery(statement.java:1166) org.apache.jsp.assets.jsp.create_002ddest_002dcode_jsp._jspservice(create_002ddest_002dcode_jsp.java:140) org.apache.jasper.runtime.httpjspbase.service(httpjspbase.java:70) javax.servlet.http.httpservlet.service(httpservlet.java:729) org.apache.jasper.servlet.jspservletwrapper.service(jspservletwrapper.java:438) org.apache.jasper.servlet.jspservlet.servicejspfile(jspservlet.java:396) org.apache.jasper.servlet.jspservlet.service(jspservlet.java:340) javax.servlet.http.httpservlet.service(httpservlet.java:729) org.apache.tomcat.websocket.server.wsfilter.dofilter(wsfilter.java:52)

note full stack trace of root cause available in apache tomcat/8.0.33 logs. create-dest.jsp

<form name="createdest" method="get" action="../jsp/create-dest-code.jsp">         country: <input type="text"  required  name="id8" /> <br>         city: <input type="text"  required  name="id9" /> <br>         url video: <input type="url"  required  name="id10" /> <br> <br>         <i><ins>categorize destination (max 2): </ins></i>  <br> <br>         <input type="checkbox" name="dest1" value="winter"  >winter<br>         <input type="checkbox" name="dest1" value="christmas"  >christmas <br>         <input type="checkbox" name="dest1" value="summer"  >summer <br> <br>          <input type="submit" class="button" value="create destination" >  />         <input type="hidden" name="varname" value="" />         </form>

create-dest-code.jsp

<% string id8=request.getparameter("id8"); //country field   string id9=request.getparameter("id9"); //city field string id10=request.getparameter("id10"); //url field string cat[]=request.getparametervalues("dest1"); //categories int status, id , id1=0 ;  class.forname("com.mysql.jdbc.driver");  string mydatabase = "jdbc:mysql://localhost:3306/project_app?user=root&password=1234";  connection myconnection = drivermanager.getconnection(mydatabase); statement mystatement = myconnection.createstatement();   statement mystatement2 = myconnection.createstatement();    string sqlinsert = "insert dest(country,city,url) values ('"+id8+"', '"+id9+"','"+id10+"')"; status = mystatement.executeupdate(sqlinsert); if (status ==0 ) {     throw new sqlexception("insert dest failed!"); }  resultset rs = mystatement.executequery("select iddest dest country='"+id8+"' , city='"+id9+"' , url='"+id10+"'" ); if (rs.next()) {     id=rs.getint(1);       if ( cat != null) {         for(int i=0;i<cat.length;i++) {             rs = mystatement.executequery("select idcategories categories category_name="+cat[i]+" ");             if (rs.next()) {                     id1 = rs.getint(1);             } else {                 throw new sqlexception("error");             }             status = mystatement2.executeupdate("insert dest_has_categories (dest_iddest,categories_idcategories) values ('"+id+"','"+id1+"')");             if ( status ==0 ) {                 throw new sqlexception("insert dest_has_categories failed!");             }         }     } } else {     throw new sqlexception("insert dest failed! no id obtained!"); } mystatement.close(); mystatement2.close(); myconnection.close(); %>

mysql tables :

create table if not exists `project_app`.`dest` (   `iddest` int not null auto_increment,   `country` varchar(45) not null,   `city` varchar(45) not null,   `url` varchar(45) not null,   primary key (`iddest`)) engine = innodb;   -- ----------------------------------------------------- -- table `mydb`.`categories` -- ----------------------------------------------------- create table if not exists `project_app`.`categories` (   `idcategories` int not null,   `category_name` varchar(45) not null,   primary key (`idcategories`)) engine = innodb;   -- ----------------------------------------------------- -- table `mydb`.`dest_has_categories` -- ----------------------------------------------------- create table if not exists `project_app`.`dest_has_categories` (   `dest_iddest` int not null auto_increment,   `categories_idcategories` int not null,   primary key (`dest_iddest`, `categories_idcategories`),   index `fk_dest_has_categories_categories1_idx` (`categories_idcategories` asc),   index `fk_dest_has_categories_dest_idx` (`dest_iddest` asc),   constraint `fk_dest_has_categories_dest`     foreign key (`dest_iddest`)     references `mydb`.`dest` (`iddest`)     on delete no action     on update no action,   constraint `fk_dest_has_categories_categories1`     foreign key (`categories_idcategories`)     references `mydb`.`categories` (`idcategories`)     on delete no action     on update no action) engine = innodb;  insert categories(idcategories,category_name) values (1,'winter'); insert categories(idcategories,category_name) values (2,'christmas'); insert categories(idcategories,category_name) values (3,'summer');

sql injection attack vulnerabilities win:

        rs = mystatement.executequery("[..snip..] category_name="+cat[i]+"");

cat[i] unquoted in query, you're passing in external output directly query, producing following statement:

 select ... category_name=winter

producing exact error message.

ignoring proper sql writing practices, need like:

rs = mystatement.executequery("[..snip..]category_name='"+cat[i]+"' ");                                                        ^----------^

note '.

Search This Blog

Employment

java - HTTP Status 500 at line 35 -

Popular posts from this blog

php - How should I create my API for mobile applications (Needs Authentication) -

5 Reasons to Blog Anonymously (and 5 Reasons Not To)

Google AdWords and AdSense - A Dynamic Small Business Marketing Duo