I have created a table which has a primary key on id (column) and I want to update it with a query. It is showing me:

Parameter index out of range (1 > number of parameters, which is 0).

<%
    int status = 0;
    String id = request.getParameter("id");
    int id2 = Integer.parseInt(id);

    String productquantity2 = request.getParameter("productquantity");
    String productsize = request.getParameter("productsize");
    String imageurl = request.getParameter("imageurl");
    String productname = request.getParameter("productname");
    String productcode = request.getParameter("productcode");

    //out.println("id"+id);
    //out.println("productquantity"+productquantity2);
    //out.println("productsize"+productsize);
    //out.println(query);

    // The request values are concatenated straight into the SQL text,
    // so the resulting statement contains no '?' placeholders at all.
    String query = "update cart" + name + " set productname=" + productname + " ,productquantity=" + productquantity2 + " ,productsize = " + productsize + " ,productcode = " + productcode + ",imageurl=" + imageurl + " where id=" + id2;

    try {
        Connection con = UserConnection.Connector();
        PreparedStatement ps = con.prepareStatement(query);
        // Binding parameter 1 fails here: the prepared statement has zero parameters.
        ps.setString(1, productname);
        ps.setString(2, productquantity2);
        ps.setString(3, productsize);
        ps.setString(4, productcode);
        ps.setString(5, imageurl);
        ps.setInt(6, id2);
        ps.executeUpdate();

        out.println("updated");
        /* if (status > 0) {
            response.sendRedirect("../Jsp/Product.jsp");
            out.println("updated");
            System.out.println(status);
        } else {
            out.println(" not updated");
        } */

    } catch (Exception ex) {
        System.out.println(ex);
    }
%>


What I have tried:

I have tried this and I don't know what to do.
Posted
Updated 2-Nov-18 4:15am

1 solution

Quote:
String query = "update cart" + name + " set productname="+productname+" ,productquantity=" + productquantity2 + " ,productsize = "+ productsize + " ,productcode = "+productcode+",imageurl="+imageurl+" where id=" + id2;

That's not how parameters work. Your code is injecting the values directly into the query, which leaves you vulnerable to SQL Injection.

When you pass that query to the PreparedStatement, it sees that there are no parameter placeholders in the query. When you then try to set the value of the first parameter, you get an exception because there are no parameters.

Update your query to use proper parameter placeholders:
String query = "update cart set productname = ?, productquantity = ?, productsize = ?, productcode = ?, imageurl = ? where id = ?";

This will fix your error, and the SQL Injection vulnerability in your code.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
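An added example, not code from the question or the answer: the same UPDATE written with one placeholder per value, as the answer describes, so the binding calls line up with six real parameters. It goes one step further than the answer's query: because the original concatenates "cart" + name, and a table name cannot be bound as a parameter, the identifier is checked against a fixed allow-list before it is spliced into the SQL text. The class and method names, the allow-list contents and the UserConnection.Connector() call are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;

public class CartUpdate {
    // Assumed allow-list: the only cart tables this page is permitted to touch.
    // An identifier cannot be a '?' parameter, so it is validated instead of bound.
    private static final Set<String> ALLOWED_CART_TABLES = Set.of("cart1", "cart2");

    static String tableFor(String name) {
        String table = "cart" + name;
        if (!ALLOWED_CART_TABLES.contains(table)) {
            throw new IllegalArgumentException("unknown cart table");
        }
        return table;
    }

    // Every value travels as a bound parameter; the SQL text never contains user input.
    // Returns the number of rows affected (0 means no row had that id).
    static int updateCart(Connection con, String name, String productname,
                          String productquantity, String productsize,
                          String productcode, String imageurl, int id) throws SQLException {
        String query = "update " + tableFor(name)
                + " set productname = ?, productquantity = ?, productsize = ?,"
                + " productcode = ?, imageurl = ? where id = ?";
        try (PreparedStatement ps = con.prepareStatement(query)) {
            ps.setString(1, productname);
            ps.setString(2, productquantity);
            ps.setString(3, productsize);
            ps.setString(4, productcode);
            ps.setString(5, imageurl);
            ps.setInt(6, id);
            return ps.executeUpdate();
        }
    }

    // Assumed JSP usage: parse the id first so a non-numeric value fails before any SQL runs.
    static int updateFromRequest(javax.servlet.http.HttpServletRequest request, String name)
            throws SQLException {
        int id = Integer.parseInt(request.getParameter("id"));
        try (Connection con = UserConnection.Connector()) {
            return updateCart(con, name, request.getParameter("productname"),
                    request.getParameter("productquantity"), request.getParameter("productsize"),
                    request.getParameter("productcode"), request.getParameter("imageurl"), id);
        }
    }
}
```

Checking the return value of executeUpdate() also answers the commented-out "updated / not updated" branch in the question: a result of 0 means the WHERE clause matched nothing.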
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)