
I have a REST service that retrieves data from a database and returns it to the client. I want the client that is invoking the service to pass parameters, use them in the SQL select query, and display the server output in the console. This is what I've managed to do:

    @GET
    @Path("Result")
    @Produces("application/json")
    public String getPerson(@QueryParam("nom") String nom, @QueryParam("prenom") String prenom) {
        ArrayList<Persons> persons = new ArrayList<Persons>();
        Persons person = new Persons();

        String query = "Select * from persons where nom=' " + nom + "' and prenom ='" + prenom + "'";
        System.out.println(query);
        bdcon = new BDConnexion();
        try {
            conn = BDConnexion.ConnecterBD();
            res = bdcon.getResultSet(query, conn);
            while (res.next()) {
                person.setNom(res.getString(1));
                person.setPrenom(res.getString(2));
                persons.add(person);
            }
        } catch (SQLException ex) {
            Logger.getLogger(PersonService.class.getName()).log(Level.SEVERE, null, ex);
        }
        String json = new Gson().toJson(persons);
        return json;
    }

REST client:

    Client client = Client.create();
    WebResource webresource = client.resource("http://localhost:8080/PersonServ/rest/Persons/Result")
            .queryParam("nom", nom)
            .queryParam("prenom", prenom);
    ClientResponse response = webresource.accept("application/json").get(ClientResponse.class);
    if (response.getStatus() != 200) {
        throw new RuntimeException("Failed : HTTP error code : "
                + response.getStatus());
    }
    String output = response.getEntity(String.class);

    System.out.println("Output from Server .... \n");
    System.out.println(output);

I'm not getting any errors but the client class is not displaying any results. Can anyone help me?

  • What does this System.out.println(query); print? Commented Jun 13, 2016 at 14:03
  • It just prints the SQL query; I used it to check my SQL syntax. Commented Jun 13, 2016 at 14:05
  • I know that, I'm asking what it actually prints, to see if there is something wrong with the query. Commented Jun 13, 2016 at 14:06
  • It does not print anything. Commented Jun 13, 2016 at 14:08
  • There is your problem then. No query, no data, no return to the JSON. Commented Jun 13, 2016 at 14:10

1 Answer

As discussed in the comments, the actual problem is in the query. There are a few things that should be fixed as well.

First:

String query = "Select * from persons where nom=' " + nom + "' and prenom ='" + prenom + "'";
                                                 ^
                                                 |_ There is an extra space here. Take it out

But this is just to show you that you should be aware of the problems that come with concatenating parameters into a query.

Second: Your code is prone to SQL injection, as mentioned by @peeskillet in the comments. In order to avoid that you should use prepared statements, something like this:

conn = BDConnexion.ConnecterBD();
String selectSQL = "select * from persons where nom=? and prenom=?";
// The ? markers are bound by the driver, so nom and prenom are always treated as data, never as SQL
try (PreparedStatement preparedStatement = conn.prepareStatement(selectSQL)) {
    preparedStatement.setString(1, nom);
    preparedStatement.setString(2, prenom);
    // executeQuery() takes no argument on a PreparedStatement;
    // the JDBC spec says executeQuery(selectSQL) must throw SQLException here
    try (ResultSet rs = preparedStatement.executeQuery()) {
        while (rs.next()) {
            ....
        }
    }
}

Don't forget to close the resources and the connection in the finally block of your try.

Third: Initialize the Persons person = new Persons(); inside the while loop. Java works with references, so instantiating it outside the loop will result in a list filled with objects pointing to the same reference, which will result in all objects in your list having the same values (the last one of the loop).
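Added example, not part of the question or the answer above: a self-contained Python script that uses an in-memory SQLite table (constructed here to stand in for the `persons` table) to reproduce the two problems the answer describes with the concatenated query. It shows that the stray space before `nom` makes a correct lookup match nothing, that a crafted `nom` value turns the concatenated query into a dump of the whole table, and that the same crafted value passed through a parameterized query (the Python equivalent of the answer's PreparedStatement) is just a name nobody has. Python's `sqlite3` is used in place of JDBC only so the demonstration runs offline; the row data is made up.

```python
import sqlite3

# Constructed sample data standing in for the persons table in the question.
SAMPLE_ROWS = [
    ("Dupont", "Jean"),
    ("Martin", "Marie"),
    ("Durand", "Paul"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE persons (nom TEXT, prenom TEXT)")
    conn.executemany("INSERT INTO persons VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, nom, prenom, extra_space=False):
    """The vulnerable pattern from the question: user input glued into the SQL text.
    extra_space=True reproduces the stray space before nom that the answer points out."""
    gap = " " if extra_space else ""
    query = ("Select * from persons where nom='" + gap + nom
             + "' and prenom ='" + prenom + "'")
    return conn.execute(query).fetchall()


def query_prepared(conn, nom, prenom):
    """The fix from the answer: placeholders bound by the driver, so the input is
    always compared as a value and can never change the shape of the statement."""
    query = "select * from persons where nom=? and prenom=?"
    return conn.execute(query, (nom, prenom)).fetchall()


def demo():
    """Run all four cases and return their result sets keyed by name."""
    conn = make_db()
    results = {}
    # 1. With the extra space a correct name matches nothing: ' Dupont' != 'Dupont'.
    results["extra_space"] = query_concatenated(conn, "Dupont", "Jean", extra_space=True)
    # 2. Without the space the legitimate lookup works.
    results["legit"] = query_concatenated(conn, "Dupont", "Jean")
    # 3. A crafted nom closes the string literal, adds a tautology and comments out
    #    the rest:  ... where nom='x' OR 1=1 --' and prenom ='whatever'
    #    The prenom filter is gone and every row comes back.
    injected = "x' OR 1=1 --"
    results["injected"] = query_concatenated(conn, injected, "whatever")
    # 4. The same payload through a parameterized query is compared literally
    #    against the nom column, so it matches no row.
    results["prepared_injected"] = query_prepared(conn, injected, "whatever")
    results["prepared_legit"] = query_prepared(conn, "Dupont", "Jean")
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:18s} -> {rows}")
```

The `--` payload works against SQLite, MySQL and PostgreSQL alike because all of them treat `--` as a line comment; the exact payload matters less than the fact that any quote in the input rewrites the statement. With parameter binding the driver sends the statement text and the values separately, which is why the prepared form needs no escaping of `nom` or `prenom`.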
