[英]What's wrong with this SQL syntax?
I am trying to build registration system with java servlet. 我正在尝试使用Java Servlet构建注册系统。 And insert data into a mySQL database.
并将数据插入到mySQL数据库中。 But I get a syntax error.
但是我收到语法错误。 I just finished reading Wiley mySQL and Java developers guide book.
我刚读完Wiley mySQL和Java开发人员指南书。
And I am kinda new to servlet programming, so if there is easy way to do things I do please tell me. 而且我是servlet编程的新手,因此,如果有简单的方法可以执行操作,请告诉我。
package com.app.base;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.app.pojo.*;
public class RegisterServlet extends HttpServlet{
MySqlDB mysql;
@Override
public void init() throws ServletException {
// TODO Auto-generated method stub
mysql = new MySqlDB();
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
PrintWriter out = null;
//Connection connection = null;
//Statement statement;
//ResultSet rs;
resp.setContentType("text/html");
out = resp.getWriter();
try{
mysql.createConnection();
}catch(Error e){
out.write("Couldn't connect to mysql");
}
String fname = req.getParameter("fname");
String lname = req.getParameter("lname");
String email = req.getParameter("email");
String password = req.getParameter("password");
String city = req.getParameter("city");
String country = req.getParameter("country");
if(fname == null){
String destination = "signup.jsp?error=Complete All Fields";
RequestDispatcher rd = getServletContext().getRequestDispatcher(destination);
rd.forward(req, resp);
}else if(lname == null){
String destination = "signup.jsp?error=Complete All Fields";
RequestDispatcher rd = getServletContext().getRequestDispatcher(destination);
rd.forward(req, resp);
}else if(email == null){
String destination = "signup.jsp?error=Complete All Fields";
RequestDispatcher rd = getServletContext().getRequestDispatcher(destination);
rd.forward(req, resp);
}else if(password == null){
String destination = "signup.jsp?error=Complete All Fields";
RequestDispatcher rd = getServletContext().getRequestDispatcher(destination);
rd.forward(req, resp);
}else if(city == null){
String destination = "signup.jsp?error=Complete All Fields";
RequestDispatcher rd = getServletContext().getRequestDispatcher(destination);
rd.forward(req, resp);
}else if(country == null){
String destination = "signup.jsp?error=Complete All Fields";
RequestDispatcher rd = getServletContext().getRequestDispatcher(destination);
rd.forward(req, resp);
}else{
String sql = "INSERT INTO main.users(first_name, last_name, email, password, city, country, registered_time) VALUES("
+ fname +", "+ lname + ", "+ email +", " + password +", " + city +"," + country + ",Now());";
int answer = mysql.insertSQL(sql);
if(answer == 1){
resp.sendRedirect( "index.jsp?registered=true");
//String destination = "index.jsp?registered=true";
//RequestDispatcher rd = getServletContext().getRequestDispatcher(destination);
//rd.forward(req, resp);
}
}
}
}
And this is the MySql Class to connect. 这是要连接的MySql类。
package com.app.pojo;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class MySqlDB{
private static String username = "root", password = "root";
public Connection createConnection(){
Connection connection = null;
try{
//Load the JDBC driver
Class.forName("com.mysql.jdbc.Driver");
connection = DriverManager.getConnection("jdbc:mysql://localhost:3306,/main", username, password);
//Create a connection to the database
}catch(SQLException ex){
System.out.println(ex);
}catch(ClassNotFoundException e){
System.out.println(e);
}
return connection;
}
public void runSqlStatement(String sql){
try{
Statement statement = createConnection().createStatement();
//statement executeQuery(Query)
boolean rs = statement.execute(sql);
}catch(SQLException ex){
System.out.println(ex);
}
}
public ResultSet executeSQL(String sql){
Statement statement = null;
ResultSet rs = null;
try{
statement = createConnection().createStatement();
rs = statement.executeQuery(sql);
/*while(rs.next()){
System.out.println(rs.getString(1));
}*/
// rs.close();
// statement.close();
}catch (SQLException e) {
System.out.println(e);
}
return rs;
}
public int insertSQL(String sql){
int rs;
try{
Statement statement = createConnection().createStatement();
rs = statement.executeUpdate(sql);
return rs;
}catch(SQLException ex){
System.out.println(ex);
return 0;
}
}
}
This is the tomcat console 这是tomcat控制台
INFO: Reloading Context with name [/Map] has started
Apr 21, 2012 12:59:14 AM org.apache.catalina.loader.WebappClassLoader clearReferencesJdbc
SEVERE: The web application [/Map] registered the JDBC driver [com.mysql.jdbc.Driver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered.
Apr 21, 2012 12:59:17 AM org.apache.catalina.core.StandardContext reload
INFO: Reloading Context with name [/Map] is completed
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '********,Colombo,Sri Lanka,Now())' at line 1
You need to escape/quote the strings you have in your VALUES
section. 您需要对
VALUES
部分中的字符串进行转义/引用。 Your JDBC driver will do this for you, for instance using a PreparedStatement
. JDBC驱动程序将为您执行此操作,例如使用
PreparedStatement
。
Note that you are in real danger of a SQL injection attack if you leave your code as-is, or just add surrounding quotes. 请注意,如果您按原样保留代码或仅添加引号,则可能会面临SQL注入攻击的危险。
Try this... 尝试这个...
Connection con = mysql.createConnection();
String sql = "INSERT INTO main.users(first_name, last_name, email, password, city,
country, registered_time) VALUES(?, ?, ?, ?, ?, ?, ?);";
PreparedStatement insertStatement = con.prepareStatement(sql);
insertStatement.setString(1, first_name);
insertStatement.setString(2, last_name);
insertStatement.setString(3, email);
insertStatement.setString(4, password);
insertStatement.setString(5, city);
insertStatement.setString(6, country);
insertStatement.setString(7, new Date());
insertStatement.execute();
Greetings. 问候。
Try putting single quotes around your variables. 尝试在变量周围加上单引号。
Ex: 例如:
VALUES('" + myString + "', '" + myOtherString + "')
String sql = "INSERT INTO main.users(first_name, last_name, email, password, city, country, registered_time) VALUES('"
+ fname +"', '"+ lname + "', '"+ email +"', '" + password +"',' " + city +"','" + country + "',Now())";
Colombo,Sri Lanka,Now())' at line 1
好像您在字符串周围缺少单引号。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.