I’m building a simple Java Servlet which passes categories using a URL variable into another Servlet.
For example, in the following code
ResultSet rs = qw.DBquery("select distinct manufacturer from Products order by manufacturer asc");
try {
    while (rs.next()) {
        // the manufacturer name goes straight into both the href and the link text
        table += "<tr><td><a href=\"getItems?manufacturer="
            + rs.getString("Manufacturer") + "\">"
            + rs.getString("Manufacturer") + "</a></td></tr>\n";
    }
} catch (SQLException e) {
    throw new RuntimeException(e);
}
its output includes:
Adobe
Adobe Acrobat
IBM
IBM - Workstations
If I click on one, the link gets to the URL as:
http://localhost/getItems?getItems?manufacturer=Adobe%20Acrobat
However, when I get the manufacturer variable and its value
String manufacturer = request.getParameter( "manufacturer" );
// the parameter value is concatenated into the SQL text
ResultSet rs1 = qw.DBquery("select * from products where Manufacturer like '"
    + manufacturer + "'");
the query output fails and doesn’t produce anything if there are spaces in the value of manufacturer. Any ideas or workarounds on how to convert this back? Do I need to do some kind of urldecode?
thanks in advance
The encoding of space in a URL as %20 is correct, and the web application container takes care of URL decoding.
The String `manufacturer` in your program should therefore contain ‘Adobe Acrobat’ (with a space). Can you verify that (by logging it to somewhere)? Also, please use bind variables.
Directly interpolating query parameters (without any validation, too!) into SQL leaves you totally open to SQL injection attacks. It is bad for performance, too.
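The bind-variable approach the answer recommends, written out as an added example; this is not code from the original question or answer. It assumes a JDBC Connection is available, that the Products table has a ProductName column (the page only shows Manufacturer), and Java 10 or later for URLEncoder.encode(String, Charset). Since the original query uses like without wildcards, the example uses plain equality, which is what that comparison amounts to. It also encodes the value placed in the link and HTML-escapes the link text, so names such as "IBM - Workstations" or any name containing quotes or angle brackets arrive intact and cannot break out of the attribute or the markup.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class ManufacturerLookup {

    // Builds one table row for the manufacturer list. The query-string value is
    // URL-encoded (space becomes '+', which the servlet container decodes back to
    // a space), and the visible text is HTML-escaped.
    static String linkRow(String manufacturer) {
        String encoded = URLEncoder.encode(manufacturer, StandardCharsets.UTF_8);
        String escaped = escapeHtml(manufacturer);
        return "<tr><td><a href=\"getItems?manufacturer=" + encoded + "\">"
                + escaped + "</a></td></tr>\n";
    }

    // Minimal HTML escaping that is safe for both text and attribute contexts.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Looks up products for one manufacturer using a bind variable. The value
    // from request.getParameter() is already URL-decoded by the container, so
    // "Adobe Acrobat" arrives with its space restored. It is handed to the
    // driver separately from the SQL text, so quotes or spaces in it are data,
    // never SQL syntax, and the statement can be cached and reused.
    static List<String> findProducts(Connection conn, String manufacturer)
            throws SQLException {
        String sql = "select * from Products where Manufacturer = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, manufacturer);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    // ProductName is an assumed column name; the page does not show it
                    names.add(rs.getString("ProductName"));
                }
            }
        }
        return names;
    }
}
```

In the servlet that renders the list, call linkRow(rs.getString("Manufacturer")) for each row; in getItems, pass request.getParameter("manufacturer") straight to findProducts without any manual decoding or quoting.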