0

我有下面的jsp。

    <%-- 
    Document   : See_Free_Editors
    Created on : Aug 16, 2013, 7:22:30 PM
    Author     : u0138039
--%>

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Page</title> <link rel="stylesheet" href="http://code.jquery.com/ui/1.10.3/themes/smoothness/jquery-ui.css">
        <script type="text/javascript" src="http://code.jquery.com/jquery-1.9.1.js"></script>
        <script type="text/javascript" src="http://code.jquery.com/ui/1.10.3/jquery-ui.js"></script>

        <script type="text/javascript">
            $(function() {
                $(".datepicker").datepicker();
            });
            xmlHttp = new XMLHttpRequest();
            function getUsers()
            {
            xmlHttp.onreadystatechange=
                    function()
            {
                if(xmlHttp.readyState===4 && xmlHttp.status===200)
                    {
                        document.getElementById('b').innerHTML=xmlHttp.responseText; 
                   }
                   else
                       {
                           document.getElementById('b').innerHTML="Waiting";
                       }
            };


            xmlHttp.open("post", "see_frm_DB.jsp", true);
            xmlHttp.send();
 }
        </script>
        <style>
            .ui-widget { font-family: Lucida Grande, Lucida Sans, Arial, sans-serif; font-size: 0.6em; }
        </style>
    </head>
    <body>
        <div id="a">
            <table>
                <tr>
                    <td><label>Date Request received
                        </label>&nbsp;</td>
                    <td><input type='text' class='datepicker' name='date1' id="date1"></td>
                    <td><label>Date Request received
                        </label>&nbsp;</td>
                    <td><input type='text' class='datepicker' name='date2' id="date2"></td>
                    <td><input type="button" id="button" name="button" value="submit" onclick="getUsers();"></td>
                </tr>
            </table>
        </div>
        <div id="b">
        </div>
    </body>
</html>

连接如下。

 <%-- 
    Document   : index
    Created on : Aug 19, 2013, 8:07:29 PM
    Author     : U0138039
--%>

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@include file="DBCon.jsp"%>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Page</title>
    </head>
    <body>
        <%
            try{
        String a=request.getParameter("date1");
        String b=request.getParameter("date2");
        out.println(a);
        out.println(b);
        stmt=conn.createStatement();
        sql="select * from [Sheet1$] where [Date Request received] between '"+a+"' and '"+b+"'";
        out.print(sql);
        rs=stmt.executeQuery(sql);
        ResultSetMetaData rsmd = rs.getMetaData();
int columnCount = rsmd.getColumnCount();
       int count = rsmd.getColumnCount();
      conn.commit();
           stmt.close();
           conn.close();
      %>
<table border="1">
    <tr>
        <%
// The column count starts from 1
for (int i = 1; i < columnCount + 1; i++ ) {
  String name = rsmd.getColumnName(i);
  // Do stuff with name%>
  <td nowrap> <%
  out.print(name);%></td>
       <%
}%>
  </tr>
<%
while(rs.next())
{
%>
 <tr>
  <%



 for (int i=1; i<count; i++) {%>

        <td>
            <%=rs.getString(i)%> <%}%>

     <% 
}
      }
            catch(Exception e)
            {
                out.print(e);
            }
      %>
          </td>
 </tr>
</table> 
        %>
    </body>
</html>

当我尝试运行该程序时,出现以下错误。实际上,这些值没有被传递。

 null null select * from [Sheet1$] where [Date Request received] between 'null' and 'null'java.sql.SQLException: [Microsoft][ODBC Excel Driver] Data type mismatch in criteria expression. %>

请让我知道我该如何解决这个问题。

谢谢

4

1 回答 1

1

首先,在 JSP 表单上,您没有在 AJAX 请求中发送 date1/date2 参数,这就是 request.getParameter(...) 为空的原因。要修复它,请将您的更改xmlHttp.send()为:

xmlHttp.send("date1=" + document.getElementById('date1').value + "&date2=" + document.getElementById('date2').value);

其次,在连接 JSP 上,您必须清理您的输入。您当前的代码不会检查是否设置了所需的参数,并且它还允许 SQL 注入攻击,因为您将请求参数直接插入到 SQL 查询中。尝试这样的事情:

String a=request.getParameter("date1");
String b=request.getParameter("date2");

if (a == null || b == null) {
    // bail out here
    out.print('data1 and date2 are required');
} else {
    // use a prepared statement where we can safely insert the parameters
    sql="select * from [Sheet1$] where [Date Request received] between ? and ?";
    stmt=conn.prepareStatement(sql);
    stmt.setString(1, a);
    stmt.setString(2, b);
    rs=stmt.executeQuery();
}
于 2013-08-19T15:50:38.810 回答