```java
// Original code from the question: the UPDATE statement is assembled by string
// concatenation, so every variable ends up inside the SQL text itself.
// (Two quoting typos fixed so the statement is at least syntactically complete;
// the concatenation, and with it the injection problem, is left exactly as posted.)
String sql = "update boq set hsn_Code='" + HSN_CODE + "', is_hsnConfirmed='" + HSNCODE_CONFIRMATION
        + "',gst_rate='" + gst_Rate + "',is_gstRate_confirmed='" + GST_RATE_Confirmation
        + "',item_Description='" + ITEM_DESC + "',Unit='" + _Unit + "',Qty='" + _qty
        + "', p='" + P + "',w='" + _W + "',v='" + V + "' where id=" + Id;
status = stmt.executeUpdate(sql);
```
Your code is littered with SQL Injection Vulnerabilities.

Never, ever should you assemble an SQL query by concatenating strings together. The best thing to do is to use Parameters.

This would give you something like this to work with:
```java
// The SQL text is now fixed; each '?' is a placeholder that is bound separately,
// so the values are never parsed as part of the statement.
String sql = "update boq set hsn_Code=?, is_hsnConfirmed=?,gst_rate=?,is_gstRate_confirmed=?,"
        + "item_Description=?,Unit=?,Qty=?, p=?,w=?,v=? where id=?";
PreparedStatement ps = connection.prepareStatement(sql);
ps.setString(1, HSN_CODE);
ps.setString(2, HSNCODE_CONFIRMATION);
ps.setString(3, gst_Rate);
ps.setString(4, GST_RATE_Confirmation);
ps.setString(5, ITEM_DESC);
ps.setString(6, _Unit);
ps.setString(7, _qty);
ps.setString(8, P);
ps.setString(9, _W);
ps.setString(10, V);
ps.setString(11, Id);   // use ps.setInt(11, Id) if Id is a numeric type
status = ps.executeUpdate();   // replaces stmt.executeUpdate(sql) from the original
```
boq-form.jsp should also be updated in a similar manner.

Reference: PreparedStatement (Java Platform SE 7)
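The following is an added, self-contained example (not code from the question or the answer above) that shows why the two versions behave differently on perfectly ordinary input. It assumes an H2 in-memory database on the classpath (the JDBC URL `jdbc:h2:mem:boq` and the table layout are constructed for the demo); the column and table names are taken from the thread. An item description containing an apostrophe breaks the concatenated UPDATE with a syntax error, which is the same parsing behaviour that an attacker abuses, while the prepared statement stores the text verbatim because the value never becomes part of the SQL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BoqUpdateExample {

    // Builds the statement the way the question does: by concatenating the value
    // into the SQL text. Shown only to demonstrate the failure mode.
    static String concatenatedSql(String itemDesc, int id) {
        return "update boq set item_Description='" + itemDesc + "' where id=" + id;
    }

    // Parameterised version: the SQL text is a constant; the value is bound separately
    // and the driver transmits it as data, not as part of the statement.
    static int updateDescription(Connection c, String itemDesc, int id) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "update boq set item_Description=? where id=?")) {
            ps.setString(1, itemDesc);
            ps.setInt(2, id);          // numeric columns get the matching setter
            return ps.executeUpdate();
        }
    }

    static String readDescription(Connection c, int id) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(
                "select item_Description from boq where id=?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory schema for the demo (assumes the H2 driver is available).
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:boq;DB_CLOSE_DELAY=-1")) {
            try (Statement s = c.createStatement()) {
                s.execute("create table boq(id int primary key, item_Description varchar(200))");
                s.execute("insert into boq values (1, 'placeholder')");
            }

            // Ordinary, non-malicious text that happens to contain a quote character.
            String desc = "Contractor's 3\" gate valve";

            // 1. Concatenation: the apostrophe terminates the string literal early and
            //    the remainder is parsed as SQL, so the database rejects the statement.
            try (Statement s = c.createStatement()) {
                s.executeUpdate(concatenatedSql(desc, 1));
                System.out.println("unexpected: concatenated update succeeded");
            } catch (SQLException e) {
                System.out.println("concatenated update failed: " + e.getMessage());
            }

            // 2. Prepared statement: same text, stored exactly as given.
            int rows = updateDescription(c, desc, 1);
            System.out.println("prepared update affected " + rows + " row(s); stored value: "
                    + readDescription(c, 1));
        }
    }
}
```

Running the class prints a syntax-error message for the concatenated attempt and then `prepared update affected 1 row(s); stored value: Contractor's 3" gate valve`. The same pattern applies to every column in the original UPDATE: keep the SQL text constant, bind each value with the setter that matches the column type, and the quoting problem, legitimate or hostile, disappears.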