getString from ResultSet with spaces

Question

I'm managing a JDBC database with Servlets/JSPs and one of the attributes I have in a table is a string which may or may not have spaces in between words. I have one JSP to display all the information and another one to edit it, on both I perform getString to a ResultSet and when I'm just displaying it it works fine, but on the edit JSP it only "grabs" the first word before the space and the rest of the string disappears. Here's part of the code:

PerfilUsuarioConectado.jsp (the one I use to display the data)

<%
    Connection conexion = DriverManager.getConnection("jdbc:odbc:gasteizcar", "", "");
    Statement set = conexion.createStatement();
    ResultSet rs = set.executeQuery("SELECT * FROM Usuario WHERE correoElectronico ='" + session.getAttribute("username") + "'");
    rs.next();
%>
<div id="principal">
    <table border="1" align="center">
        <tr>
            <td> Nombre: </td>
            <td> <%= rs.getString("nombre")%>
        </tr>
        <tr>
            <td> Apellidos: </td>
            <td> <%= rs.getString("apellidos")%>
        </tr>
        <tr>
            <td> E-mail: </td>
            <td> <%= rs.getString("correoElectronico")%>
        </tr>
        <tr>
            <td> Alias: </td>
            <td> <%= rs.getString("alias")%>
        </tr>
        <tr>
            <td> Nº móvil: </td>
            <td> <%= rs.getString("movil")%>
        </tr>
        <tr>
            <td> Coche: </td>
            <td> <%= rs.getString("marca") + " " + rs.getString("modelo") + " " + rs.getString("color")%>
        </tr>
    </table>
</div>

ModificarDatos.jsp (the one to edit the data)

<%
    Connection conexion = DriverManager.getConnection("jdbc:odbc:gasteizcar", "", "");
    Statement set = conexion.createStatement();
    ResultSet rs = set.executeQuery("SELECT * FROM Usuario WHERE correoElectronico ='"
            + session.getAttribute("username") + "'");
    int i = 0;
    rs.next();
    String marca = rs.getString("marca");
    String modelo = rs.getString("modelo");
    String color = rs.getString("color");
    String movil = rs.getString("movil");
%>
<div id="principal">
    <form id="datos" action="ModificarDatos" method="post">
        <table border="1" align="center">
            <tr>
                <td> * Verificar con contraseña: </td>
                <td> <input pattern="[a-zA-Z0-9 ]{3,12}" type="password" id="password" name="password" required></td>
            </tr>
            <tr>
                <td> ** Nueva contraseña: </td>
                <td> <input pattern="[a-zA-Z0-9 ]{3,12}" type="password" id="nuevaContrasenia" name="nuevaContrasenia"> </td>
            </tr>
            <tr>
                <td> ** Repita la contraseña: </td>
                <td> <input pattern="[a-zA-Z0-9 ]{3,12}" type="password" id="repContrasenia" name="repContrasenia"> </td>
            </tr>
            <tr>
                <td> * Nº de móvil: </td>
                <td> <input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value=<%= movil%>> </td>
            </tr>
            <tr>
                <td> *** Marca del coche: </td>
                <td> <input type="text" name="marca" id="marca" value=<%= marca%>> </td>
            </tr>
            <tr>
                <td> *** Modelo del coche: </td>
                <td> <input type="text" name="modelo" id="modelo" value=<%= modelo%>> </td>
            </tr>
            <tr>
                <td> *** Color: </td>
                <td> <input type="text" name="color" id="color" value=<%= color%>> </td>
            </tr>
        </table>
</div>
<input type="button" id="bActualizar" value="Actualizar datos">

So, if anyone can tell me why does the getString method perform differently in both situations I'd be really grateful.

Answer 1

The error is in these lines:

<input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value=<%= movil%>>

If your variable movil contains abc def, say, then the HTML generated will be this:

<input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value=abc def>

This then sets the value of the input to abc and creates another attribute def, which isn't recognised and will be ignored. In fact, the Markdown syntax highlighting on Stack Overflow points this out: abc is blue, for a value, and def is red, for an attribute name.

At the very least, you need to put quotes around the <%= movil %>:

<input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value="<%= movil%>">

If movil contains abc def, this time, the output will be

<input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value="abc def">

Now you can see that the value has been written correctly.

---

Aside from this, there are a further couple of comments I'd like to make:

• Firstly, your code is vulnerable to SQL injection. If your username session variable ends up as something like test' OR 1=1 --, all results from the database will be returned. Worse still, if it is something like test'; DROP TABLE Usuario;--, you could lose data. Use PreparedStatements instead.

• Secondly, as pointed out by Aniket in a comment, you really shouldn't be using scriptlets <% ... %> in JSPs any more. Instead, you should be using JSTL tags and EL expressions. The question linked to by Aniket is a good place to start.

I appreciate this may be your first JSP application. Once you've got it working, however, I'd recommend that you consider making these changes.

Answer 2

The purpose of getString () method in ResultSet class is used return the data from the column you specified as String. It can take two arguments sch as

String getString(String columnLabel) throws SQLException

String getString(String columnIndex) throws SQLException

The first one is to iterate the ResultSet using the column for ex as you specified

String marca = rs.getString("marca");

the second one could be like this

String marca = rs.getString(1);

Also iterate the result set entirely until rs.next to get all the values from the table.More information here

Hope it helps !!