INFO: Server startup in 1054 ms java.sql.SQLException: ORA-00904: "USHA": invalid identifier

Question

i am trying to execute a simple servlet program (in eclipse10.0 oracle10g, tomcat6.0 ), retrieving data from a table.but i am unable to do .checked with many forums n my code but still i am getting the same..plz help me. my code is

 entermail.html

<body>
    <form action="getdata">
    <p> Plz enter Your name ID Below to get your Details</p> 
     <input type="text" name="uname" >
     <input type="submit" value="G@">

    </form>
  </body>

<servlet>
    <servlet-name>MyServletdb</servlet-name>
    <servlet-class>com.myservlets.demo.Servletdb</servlet-class>
  </servlet>

    <servlet-mapping>
    <servlet-name>MyServletdb</servlet-name>
    <url-pattern>/getdata</url-pattern>
  </servlet-mapping>    
  <welcome-file-list>
    <welcome-file>enteremail.html</welcome-file>
  </welcome-file-list>
</web-app>




public class Servletdb extends HttpServlet {

    private static final long serialVersionUID = 1L;
    Connection con;
    Statement st;
    ResultSet rs;
    PrintWriter out;
    String s1="jdbc:oracle:thin:@localhost:1521:XE",name;
    String s2="system";
    String s3="orclpass";

    public void init(ServletConfig sc) throws ServletException {
        // DB connection code
        try{
            Class.forName("oracle.jdbc.driver.OracleDriver");
            con=DriverManager.getConnection(s1,s2,s3);
            st=con.createStatement();
            super.init(sc);

        }
        catch (Exception e) {
            // TODO: handle exception
            e.printStackTrace();
        }
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try{
        response.setContentType("text/html");
        out = response.getWriter();
        name=request.getParameter("uname");
        rs=st.executeQuery("select *from details where FIRSTNAME="+name+"");

        out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
        out.println("<HTML>");
        out.println("  <HEAD><TITLE>A Servlet</TITLE></HEAD>");
        out.println("  <BODY>");
        while(rs.next()){
            out.println(rs.getString(1)+"  "+rs.getString(2)+"  "+rs.getString(3)+"  "+rs.getString(4));
        }
        out.println("  </BODY>");
        out.println("</HTML>");
        out.flush();
        out.close();
        rs.close();
        }catch (Exception e) {
            // TODO: handle exception
            e.printStackTrace();
        }   
    }

    public void destroy() {
        super.destroy(); // Just puts "destroy" string in log
        try{
            st.close();
            con.close();

        }catch (Exception e) {
            // TODO: handle exception
            e.printStackTrace();
        }
    }

}
  Finally I have table in orcl DB is :
details: FIRSTNAME LASTNAME ADDRESS EMAILID

Error: INFO: Server startup in 1080 ms java.sql.SQLException: ORA-00904: "USHA": invalid identifier

at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:112)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:288)
at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:743)
at oracle.jdbc.driver.T4CStatement.doOall8(T4CStatement.java:207)
at oracle.jdbc.driver.T4CStatement.executeForDescribe(T4CStatement.java:790)
at oracle.jdbc.driver.OracleStatement.executeMaybeDescribe(OracleStatement.java:1038)
at oracle.jdbc.driver.T4CStatement.executeMaybeDescribe(T4CStatement.java:830)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1133)
at oracle.jdbc.driver.OracleStatement.executeQuery(OracleStatement.java:1273)
at com.myservlets.demo.Servletdb.doGet(Servletdb.java:48)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:859)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1555)
at java.lang.Thread.run(Thread.java:619)

Answer 1

This is the problem:

// BROKEN (will give query such as "select * from details where FIRSTNAME=Jon"
rs=st.executeQuery("select *from details where FIRSTNAME="+name+"");

I suspect you meant to add a single quote around the value of name, so that the where clause would be something like where FIRSTNAME='Jon' like this:

// WARNING: DO NOT USE (keep reading) even though it works in simple cases
rs = st.executeQuery("select *from details where FIRSTNAME='" + name + "'");

... but that's still not a good way of solving the problem, because it's vulnerable to SQL injection attacks. Instead, you should use a prepared statement - open the connection, then use:

PreparedStatement query =
    conn.prepareStatement("select * from details where FIRSTNAME=?");
query.setString(1, name);
ResultSet results = query.executeQuery();
...

Note that I would open the connection separately on each request and close it when you're done (with a try-with-resources statement), using a connection pool for efficiency. That's cleaner than trying to share a single connection safely between multiple threads.

See the JDBC tutorial on PreparedStatement for more details about using prepared statements.