How to take data from some input text and send it to mysql in java REST

0

I have this done in Servlets , index.jsp where are the inputs, a connection class, another that processes the upload and the servlet , however I'm inserting in the REST services, my goal is to upload data to a mysql database and perform queries (now with REST and avoid Servlets).

My steps so far were these:

1) I created a class with @GET , @Path , etc, which works with the jersey and jsr 311 libraries.

2) The xml.

3) I created a connection class.

4) I created a class called Person where the setters & getters, as name and apill.

5) I am creating a class that takes as parameters the person class to be able to access it and to be inserted.

However using Servlets I understand it better because I use request.getParameter("inputDelHTML");

I do not know what to use to process the info and send it to the DB. The file with the @GET is very good, I imagine that with the @POST it will also work well, however I am stuck and with other queries.

General questions:

a) How do I take that data from an input in an HTML and send it to the DB? (As I did with Servlets)

b) Am I mistaken in the concept?

c) Am I obliged to use @PathParam , @QueryParam , @FormParam ? (I need sincerity because I would not mind changing, I just have to get used to it.)

d) In general, when you create a REST service in java, you use an html file or a jsp? I consult because in a class systems that I had not touched the jsp, when I asked why they chose html and not jsp alluded to that "brings confusion", this question is of absolute ignorance of mine.

Update, why do not the variables function in the background return work, do they not work within the insert function that I describe below? If I leave it without variables it works excellent, I tried to check the quotes and I can not find the error. Eclipse also does not mark me an error when including those variables within the try / if, since I do not get an error and change the color, but they work.

    @POST
    @Path("/insertarEmpleado")
    @Produces(MediaType.TEXT_HTML)
    public String insertarEmpleado(@FormParam("usuario") String usuario , @FormParam("pass") String pass ){

        try
            {

            ConexionAeropuerto c= new ConexionAeropuerto();
            Connection con= c.connectarAhora();

            if(con!=null)
                    {
                        Statement st;
                        st=con.createStatement();

                        //Esta de acá es la que quiero que me funcione y no lo hace, la consulta no se realiza, por más que haya revisado todo no encuentro la solución, revisé comillas etc.

                        st.executeUpdate("INSERT INTO empleados(usuario,pass) VALUES('" + usuario + "','" + pass + ")'");

                        //Esta consulta comentada acá abajo se inserta perfectamente al localhost, pero sólo si la dejo lisa y sin variables)
                        //st.executeUpdate("INSERT INTO empleados(usuario,pass) VALUES('des','mo')");
                        st.close(); 
                    } 
            else
                    {
                        System.out.println("Algo Salió mal no se pudo insertar los datos");
                    }
            }
            catch (SQLException e) 

                    {
                        e.printStackTrace();
                    }

            //Este de acá funciona excelente imprime las variable tal cual.
            return "<html>" + "<body><h3>" + "El nombre del empleado es: "  + usuario + "<br>"+ "El apellido del empleado es: " + pass + "</h3></body>" + "</html>";

        }
    
asked by berlot83 04.03.2017 в 16:40
source

1 answer

0

The query syntax is wrong: The quote that closes is out of parentheses and should be inside.

//Incorrecto
st.executeUpdate("INSERT INTO empleados(usuario,pass) VALUES('" + usuario + "','" + pass + ")'");

It should be:

//Correcto
    st.executeUpdate("INSERT INTO empleados(usuario,pass) VALUES('" + usuario + "','" + pass + "')");

On the other hand it is very bad practice to use con.createStatement have you heard about SQLInjection? sql injection Concatenating variables directly in the query is a very big risk.

I recommend using preparedStatement:

PreparedStatement stmt = connection.prepareStatement("INSERT INTO empleados(usuario,pass) VALUES(?,?)");
stmt.setString(1, usuario);
stmt.setString(2, pass);
int cant = stmt.executeUpdate();

Also I leave a good link where he talks about rest services with jersey jersey docs

    
answered by 29.12.2017 в 19:27