Javaservlet插入MySQL
我试图将HTML表单中的记录插入MySQL数据库。我已经关闭了HTML和Jquery,但是我的Servlet有问题。我没有立即注意到它有什么问题,但是如果我能在正确的方向上得到一个点,我就可以越过我现在的位置。谢谢Javaservlet插入MySQL,java,mysql,database,servlets,insert,Java,Mysql,Database,Servlets,Insert,我试图将HTML表单中的记录插入MySQL数据库。我已经关闭了HTML和Jquery,但是我的Servlet有问题。我没有立即注意到它有什么问题,但是如果我能在正确的方向上得到一个点,我就可以越过我现在的位置。谢谢 package com.david.servlets; import java.io.IOException; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.SQLExc
package com.david.servlets;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
/**
* Servlet implementation class myForm
*/
public class myForm extends HttpServlet {
/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
//Get parameters
String id = request.getParameter("ID");
String fname = request.getParameter("FirstName");
String lname = request.getParameter("LastName");
//Get Connection
try {
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
} catch (ClassNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
System.out.println("Found a driver");
Connection dbConnect = null;
try {
dbConnect = getConnection("localhost", 7001);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NamingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
System.out.println("Made a connection");
//Create Query
String query = "INSERT INTO test.customer (ID, FirstName, LastName) " +
"VALUES (" + id + ", " + fname + ", " + lname + ")";
PreparedStatement dbStatement = null;
try {
dbStatement = dbConnect.prepareStatement(query);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
//Execute Query
try {
dbStatement.executeUpdate(query);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
//close connection
try {
dbStatement.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
try {
dbConnect.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public Connection getConnection(String server, int port)
throws SQLException, NamingException {
Context ctx = null;
Hashtable ht = new Hashtable();
ht.put(Context.INITIAL_CONTEXT_FACTORY,"weblogic.jndi.WLInitialContextFactory");
ht.put(Context.PROVIDER_URL, "t3://"+server+":"+port);
ctx = new InitialContext(ht);
DataSource ds = (javax.sql.DataSource) ctx.lookup ("localmysql");
Connection conn = ds.getConnection();
//conn.setAutoCommit( true );
return conn;
}
}
在
fname
和lname
文本字段周围缺少一些单引号:
String query = "INSERT INTO test.customer (ID, FirstName, LastName) " +
"VALUES (" + id + ", '" + fname + "', '" + lname + "')";
注意:最安全的方法是使用
PreparedStatement
占位符,而不是执行String
连接。它们不仅可以防止攻击,还可以管理引号字符
String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)";
PreparedStatement dbStatement = dbConnect.prepareStatement(query);
dbStatement.setInt(1, Integer.parseInt(id));
dbStatement.setString(2, fname);
dbStatement.setString(3, lname);
(
Id
字段通常是整数类型)在fname
和lname
文本字段周围缺少一些单引号:
String query = "INSERT INTO test.customer (ID, FirstName, LastName) " +
"VALUES (" + id + ", '" + fname + "', '" + lname + "')";
注意:最安全的方法是使用
PreparedStatement
占位符,而不是执行String
连接。它们不仅可以防止攻击,还可以管理引号字符
String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)";
PreparedStatement dbStatement = dbConnect.prepareStatement(query);
dbStatement.setInt(1, Integer.parseInt(id));
dbStatement.setString(2, fname);
dbStatement.setString(3, lname);
(
Id
字段通常是整数类型)在我看来很好,但是,您使用的是PreparedStatement,而不是通过查询构造获得任何好处。有关解决方案,请参见我的示例代码,如下所示:
//Get Connection
try {
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
} catch (ClassNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
System.out.println("Found a driver");
Connection dbConnect = null;
try {
dbConnect = getConnection("localhost", 7001);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NamingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
System.out.println("Made a connection");
//Create Query
String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)";
PreparedStatement dbStatement = null;
try {
dbStatement = dbConnect.prepareStatement(query);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
// set parameters
try {
dbStatement.setString(1, ID);
dbStatement.setString(2, fname);
dbStatement.setString(3, lname);
} catch (SQLException e) {
e.printStackTrace();
}
//Execute Query
try {
if (dbStatement.executeUpdate(query) == 0) {
System.err.println("Nothing inserted");
}
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
//close connection
try {
dbStatement.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
try {
dbConnect.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
在我看来很好,但是,您使用的是PreparedStatement,而不是通过查询构造获得任何好处。有关解决方案,请参见我的示例代码,如下所示:
//Get Connection
try {
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
} catch (ClassNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
System.out.println("Found a driver");
Connection dbConnect = null;
try {
dbConnect = getConnection("localhost", 7001);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NamingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
System.out.println("Made a connection");
//Create Query
String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)";
PreparedStatement dbStatement = null;
try {
dbStatement = dbConnect.prepareStatement(query);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
// set parameters
try {
dbStatement.setString(1, ID);
dbStatement.setString(2, fname);
dbStatement.setString(3, lname);
} catch (SQLException e) {
e.printStackTrace();
}
//Execute Query
try {
if (dbStatement.executeUpdate(query) == 0) {
System.err.println("Nothing inserted");
}
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
//close connection
try {
dbStatement.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
try {
dbConnect.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
除了其他人指出的缺少引号之外,我想补充一点,您使用的
PreparedStatement
不正确。你首先准备的是
dbStatement = dbConnect.prepareStatement(query);
然后执行已经准备好的查询
您不必要地创建了一个新的,并使用
dbStatement.executeUpdate(query);
这不会导致任何错误或抛出异常,但这是执行JDBC的错误方法。除了其他人指出的缺少引号之外,我想补充一点,您使用的
PreparedStatement
不正确。你首先准备的是
dbStatement = dbConnect.prepareStatement(query);
然后执行已经准备好的查询
您不必要地创建了一个新的,并使用
dbStatement.executeUpdate(query);
这不会导致任何错误或抛出异常,但这是执行JDBC的错误方法。它在哪里失败?Stacktraces?它在哪里失败?Stacktraces?这很有效,谢谢,对占位符的建议也很好。这很有效,谢谢,对占位符的建议也很好。一旦我获得更多的声誉,我就会加入=)一旦我获得更多的声誉,我就会加入=)