Java 无法删除JDBC中的记录

你好，我正在尝试为学校项目创建一些页面。 整个主题是关于创建、删除、搜索和更新度假目的地。我在删除记录时遇到问题。我创建了一个带有表单的html页面，以便接收您要删除的目标的名称。接下来是我创建的java页面的代码。你觉得有什么不对吗？因为无论我尝试什么，记录都不会被删除。谢谢

HTML页面

<html>
    <head>
        <title>Delete</title>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
    </head>
    <body>
        <h1 align="center">Insert the destination you want to delete</h1>

        <form action="delete.jsp" method="post">
            <input type="text" name="delete">
            <BR>
            <INPUT TYPE="SUBMIT" value="Delete!">
        </form>





    </body>
</html>

删除
插入要删除的目标

JAVA页面：

    <%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@page import="java.sql.*" %>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Delete</title>
    </head>
    <body>


        <%

          String name=request.getParameter("name");
             Class.forName("com.mysql.jdbc.Driver"); 
java.sql.Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/vac",
"user","pass"); 

Statement myStatement=con.createStatement();
String SQLstring="DELETE FROM dest WHERE name= '" +name+ "'";
myStatement.executeUpdate(SQLstring);
myStatement.close();
con.close();
out.println("Destination deleted!"); 

      %>  
    </body>
</html>

删除

根据表单输入名称，我认为参数名称是“delete”，而不是“name”

---

关于。

根据表单输入名称，我认为参数名称是“delete”，而不是“name”

---

关于。

安东尼奥·马丁内斯的回答指出，参数名称不正确（不是

名称

，而是

删除

）。我觉得我必须发布这个答案来指出您的代码所显示的SQL注入风险

您永远不应该以您现在的方式构建查询（使用外部参数构建语句），因为它可以允许注入恶意代码。您应始终使用准备好的语句来处理用户的输入：

String sqlString = "delete from dest where name=?";
/* The question-mark is a place holder for the parameter. 
   Notice that you don't need to enclose it in quotes, 
   the prepared statement will take care about that. */
PreparedStatement ps = con.prepareStatement(sqlString);
/* Notice that nothing is executed here: you're only preparing the
   statement using the SQL string (which includes the place-holder(s)
   for the parameter(s). */
ps.setString(1, delete)
/* Here you assign the parameter(s) value(s) to the prepared statement.
   The parameters are numbered starting from one, and ordered 
   the way they appear in your SQL string. 
   The setXXX() methods of the prepared statement allow you to 
   pass the correct value to the query. Strings, in this case, are 
   properly handled, so any rogue code the user might try to inject will 
   not pass as "executable code", but simply as a string. */
ps.execute();

---

再次，我建议您了解SQL注入攻击：它们是什么，它们带来的风险是什么，以及如何预防它们。

正如Antonio Martinez的回答所指出的，参数名称不正确（不是

名称

，而是

删除

）。我觉得我必须发布这个答案来指出您的代码所显示的SQL注入风险

您永远不应该以您现在的方式构建查询（使用外部参数构建语句），因为它可以允许注入恶意代码。您应始终使用准备好的语句来处理用户的输入：

String sqlString = "delete from dest where name=?";
/* The question-mark is a place holder for the parameter. 
   Notice that you don't need to enclose it in quotes, 
   the prepared statement will take care about that. */
PreparedStatement ps = con.prepareStatement(sqlString);
/* Notice that nothing is executed here: you're only preparing the
   statement using the SQL string (which includes the place-holder(s)
   for the parameter(s). */
ps.setString(1, delete)
/* Here you assign the parameter(s) value(s) to the prepared statement.
   The parameters are numbered starting from one, and ordered 
   the way they appear in your SQL string. 
   The setXXX() methods of the prepared statement allow you to 
   pass the correct value to the query. Strings, in this case, are 
   properly handled, so any rogue code the user might try to inject will 
   not pass as "executable code", but simply as a string. */
ps.execute();

---

同样，我建议您了解SQL注入攻击：它们是什么，它们带来的风险是什么，以及如何预防它们。

html中哪里有“name”参数？另外：您的代码容易受到SQL注入攻击。了解它们以及如何防止它们。html中哪里有“name”参数？另外：您的代码容易受到SQL注入攻击。了解它们以及如何预防它们。