0

我正在尝试将 HTML 表单中的记录插入 MySQL 数据库。我的 HTML 和 Jquery 已关闭,但我的 Servlet 有问题。我没有立即注意到它有什么问题,但是如果我能在正确的方向上找到一个点,我就可以超越我现在的位置。谢谢

package com.david.servlets;

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;


/**
 * Servlet implementation class myForm
 */

public class myForm extends HttpServlet {

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
        {
              //Get parameters
            String id = request.getParameter("ID");
            String fname = request.getParameter("FirstName");
            String lname = request.getParameter("LastName");


            //Get Connection
            try {
                Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
            } catch (ClassNotFoundException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
            System.out.println("Found a driver");
            Connection dbConnect = null;
            try {
                dbConnect = getConnection("localhost", 7001);
            } catch (SQLException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            } catch (NamingException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }


            System.out.println("Made a connection");


                //Create Query
            String query = "INSERT INTO test.customer (ID, FirstName, LastName) " + 
                    "VALUES (" + id + ", " + fname + ", " + lname + ")";
            PreparedStatement dbStatement = null;
            try {
                dbStatement = dbConnect.prepareStatement(query);
            } catch (SQLException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
            //Execute Query
            try {
                dbStatement.executeUpdate(query);
            } catch (SQLException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }

            //close connection
            try {
                dbStatement.close();
            } catch (SQLException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
            try {
                dbConnect.close();
            } catch (SQLException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }

        }





public Connection getConnection(String server, int port)
        throws SQLException, NamingException {
    Context ctx = null;
    Hashtable ht = new Hashtable();
    ht.put(Context.INITIAL_CONTEXT_FACTORY,"weblogic.jndi.WLInitialContextFactory");
    ht.put(Context.PROVIDER_URL, "t3://"+server+":"+port);
    ctx = new InitialContext(ht);
    DataSource ds = (javax.sql.DataSource) ctx.lookup ("localmysql");
    Connection conn =  ds.getConnection();
    //conn.setAutoCommit( true );
    return conn;
}    





}
4

3 回答 3

3

fname您在和lname文本字段周围缺少一些单引号:

String query = "INSERT INTO test.customer (ID, FirstName, LastName) " + 
           "VALUES (" + id + ", '" + fname + "', '" + lname + "')";

注意:最安全的方法是使用PreparedStatement占位符而不是进行String连接。它们不仅可以防止SQL 注入攻击,而且还可以管理引号字符。

String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)";
PreparedStatement dbStatement = dbConnect.prepareStatement(query);
dbStatement.setInt(1, Integer.parseInt(id));
dbStatement.setString(2, fname);
dbStatement.setString(3, lname);

Id字段通常是​​INTEGER 类型)

于 2013-05-07T17:42:49.480 回答
0

除了其他人指出的缺少引号外,我想补充一点,您使用PreparedStatement不正确。您首先准备声明

dbStatement = dbConnect.prepareStatement(query);

然后而不是执行已经准备好的查询

dbStatement.executeUpdate();

您正在不必要地创建一个的并执行它

dbStatement.executeUpdate(query);

这不会导致任何错误或抛出异常,但这是执行 JDBC 的错误方式。

于 2013-05-07T18:24:02.557 回答
0

对我来说看起来不错,但是,您使用的是 PreparedStatement 并没有通过查询构造获得任何好处。有关解决方案,请参阅我的示例代码,如下所示:

   //Get Connection
    try {
        Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    } catch (ClassNotFoundException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    System.out.println("Found a driver");
    Connection dbConnect = null;
    try {
        dbConnect = getConnection("localhost", 7001);
    } catch (SQLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    } catch (NamingException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }


    System.out.println("Made a connection");


        //Create Query
    String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)";
    PreparedStatement dbStatement = null;
    try {
        dbStatement = dbConnect.prepareStatement(query);
    } catch (SQLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    // set parameters
    try {
        dbStatement.setString(1, ID);
        dbStatement.setString(2, fname);
        dbStatement.setString(3, lname);
    } catch (SQLException e) {
        e.printStackTrace();
    }
    //Execute Query
    try {
        if (dbStatement.executeUpdate(query) == 0) { 
            System.err.println("Nothing inserted"); 
        }
    } catch (SQLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

    //close connection
    try {
        dbStatement.close();
    } catch (SQLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
    try {
        dbConnect.close();
    } catch (SQLException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }

}
于 2013-05-07T17:44:45.260 回答