为什么会有Postgres例外?
[英]Why there is Postgres exception?
问题描述
Good afternoon. 
下午好。 I try to connect to database from eclipse's java code. 我尝试从Eclipse的Java代码连接到数据库。 I need to make a request and check if username and password that are typed in the form match each other. 我需要发出请求,并检查在表单中键入的用户名和密码是否彼此匹配。 List of usernames and their passwords is in database named stud_test. 用户名及其密码的列表位于名为stud_test的数据库中。 I need to run gradle and tomcat in order to check if servlet works or not. 我需要运行gradle和tomcat以便检查servlet是否正常工作。 And when I do this and open needed page, I see PSQLExceptions. 当我这样做并打开所需的页面时,我看到了PSQLExceptions。 My code sample is below. 我的代码示例如下。 I can't understand what's the problem. 我不明白是什么问题。
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException,IOException {
Connection con;
ResultSet rs;
String URL = "jdbc:postgresql://localhost:5432/stud_test";
String username = request.getParameter("useruser");
String passwrd = request.getParameter("pass");
response.setContentType("text/html");
try {
con = DriverManager.getConnection(URL, "postgres", "postgres");
Statement st = con.createStatement();
st.executeQuery ("SELECT password FROM stud WHERE user = " + username);
rs = st.getResultSet();
if (passwrd.equals(rs)){
request.getServletContext().getRequestDispatcher(
"/jsp/hello.jsp").forward(request, response);
}
else {
request.getServletContext().getRequestDispatcher("/jsp/fail.jsp").forward(request, response);
}
rs.close ();
st.close ();
}
catch(Exception e) {
System.out.println("Exception is :" + e);
}
}
2 个解决方案
解决方案1
1 2013-10-23 11:23:54
Apart from what Sergiu already mentioned, the following line is not likely to do what you want: 除了Sergiu已经提到的内容外,以下行不太可能做您想要的事情:
st.executeQuery ("SELECT password FROM stud WHERE user = " + username);
If, for example, the username is, say, "carl", then the following statement would be sent to the database: 例如,如果用户名是“ carl”,则将以下语句发送到数据库:
SELECT password FROM stud WHERE user = carl
which, if there is no column named "carl", results in a syntax error. 如果没有名为“ carl”的列,则会导致语法错误。 The "obvious" (and wrong way!) to fix this would be to use 解决此问题的“显而易见”(和错误方法!)将使用
st.executeQuery ("SELECT password FROM stud WHERE user = '" + username + "'");
This may work (at first), but leaves you vulnerable to SQL injections. 这可能会(首先)起作用,但使您容易受到SQL注入的攻击。 The correct way to request the information is to use prepared statements and parameters: 请求信息的正确方法是使用准备好的语句和参数:
final PreparedStatement stm = connection.prepareStatement(
"SELECT password FROM stud WHERE user = ?");
try {
// For each "hole" ("?" symbol) in the SQL statement, you have to provide a
// value before the query can be executed. The holes are numbered from left to
// right, starting with the left-most one being 1. There are a lot of "setXxx"
// methods in the prepared statement interface, and which one you need to use
// depends on the type of the actual parameter value. In this case, we assign a
// string parameter:
stm.setString(1, username);
final ResultSet rs = stm.executeQuery();
try {
if (rs.next()) {
if (password.equals(rs.getString(1))) {
// Yay. Passwords match. User may log in
}
}
} finally {
rs.close();
}
} finally {
stm.close();
}
Yes, talking to a database via JDBC in Java requires a huge amount of boilerplate code. 是的,通过Java中的JDBC与数据库对话需要大量样板代码。 And no, the "obvious" solution is wrong! 不,“显而易见的”解决方案是错误的! wrong! 错误! wrong! 错误!
解决方案2
0 2013-10-23 10:58:03
I think you should have 我想你应该有
if (passwrd.equals(rs.getString(1))){ ... }
assuming the user field is a varchar in the DB. 假设用户字段是数据库中的varchar。
You can not match a string(passwrd) to a ResultSet instance (rs). 您不能将字符串(passwrd)与ResultSet实例(rs)匹配。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.