无法删除JDBC中的记录
[英]Cannot delete a record in JDBC
问题描述
Hello I am trying to create some pages for a school project. 
您好,我正在尝试为学校项目创建一些页面。 The whole topic is about creating,deleting,searching,updating destinations for vacation. 整个主题是关于创建,删除,搜索,更新度假目的地。 I have a problem in deleting a record. 我在删除记录时遇到问题。 I have created an html page with a form in order to receive the name of the destination that you want to delete. 我创建了一个带有表单的html页面,以便接收要删除的目的地的名称。 Next there is the code of java page i have created. 接下来是我创建的Java页面的代码。 Do you see anything wrong? 你有什么不对吗? Because whatever I am trying the record won't be deleted. 因为无论我尝试什么记录都不会被删除。 Thanks 谢谢
HTML PAGE HTML页面
<html>
<head>
<title>Delete</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<h1 align="center">Insert the destination you want to delete</h1>
<form action="delete.jsp" method="post">
<input type="text" name="delete">
<BR>
<INPUT TYPE="SUBMIT" value="Delete!">
</form>
</body>
</html>
JAVA PAGE: Java页面:
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@page import="java.sql.*" %>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Delete</title>
</head>
<body>
<%
String name=request.getParameter("name");
Class.forName("com.mysql.jdbc.Driver");
java.sql.Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/vac",
"user","pass");
Statement myStatement=con.createStatement();
String SQLstring="DELETE FROM dest WHERE name= '" +name+ "'";
myStatement.executeUpdate(SQLstring);
myStatement.close();
con.close();
out.println("Destination deleted!");
%>
</body>
</html>
2 个解决方案
解决方案1
3 2016-06-03 15:55:00
I think the parameter name is "delete", no "name", according to the form input name. 我认为根据表单输入名称,参数名称是“删除”,没有“名称”。
Regards. 问候。
解决方案2
0 2016-06-03 16:59:00
As noted by Antonio Martinez's answer, the parameter name was incorrect (it's not name but delete ). 正如Antonio Martinez的回答所指出的,参数名称不正确(不是name而是delete )。 I feel I must post this answer to point out the SQL Injection risk your code shows. 我觉得我必须发布此答案以指出您的代码显示的SQL注入风险。
You should never build a query the way you're doing (taking outside parameters to build the statement), because it can allow the injection of rogue code. 您永远不要以自己的方式构建查询(使用外部参数构建语句),因为它可以允许注入恶意代码。 You should always use prepared statements to deal with users' input: 您应该始终使用准备好的语句来处理用户的输入:
String sqlString = "delete from dest where name=?";
/* The question-mark is a place holder for the parameter.
Notice that you don't need to enclose it in quotes,
the prepared statement will take care about that. */
PreparedStatement ps = con.prepareStatement(sqlString);
/* Notice that nothing is executed here: you're only preparing the
statement using the SQL string (which includes the place-holder(s)
for the parameter(s). */
ps.setString(1, delete)
/* Here you assign the parameter(s) value(s) to the prepared statement.
The parameters are numbered starting from one, and ordered
the way they appear in your SQL string.
The setXXX() methods of the prepared statement allow you to
pass the correct value to the query. Strings, in this case, are
properly handled, so any rogue code the user might try to inject will
not pass as "executable code", but simply as a string. */
ps.execute();
Again, I advice you read here to learn about SQL injection attacks: What they are, what is the risk posed by them and how to prevent them. 同样,我建议您在这里阅读有关SQL注入攻击的知识:它们是什么,它们带来的风险是什么以及如何防止它们。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.