运行Servlet时收到错误消息(第1行:“ password”附近的语法不正确。)
[英]Getting Error Message (Line 1: Incorrect syntax near 'password'.) while running Servlet
问题描述
I'm making servlet to work with J2ME, but whenever running this one getting below error message. 
我正在使servlet与J2ME一起使用,但是每当运行此消息时,都会出现以下错误消息。
Error: 错误:
java.sql.SQLException: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near 'password'.)
public class GetNpostServlet extends HttpServlet
{
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException
{
// Same code appears in doPost()
// Shown both places to emphasize that data is received thru
// different means (environment variable vs stream),
// yet processed the same inside the servlet
String acct = req.getParameter("account"),
pwd = req.getParameter("password");
String balance = accountLookup(acct, pwd);
if (balance == null)
{
res.sendError(HttpServletResponse.SC_BAD_REQUEST,
"Unable to locate account.");
return;
}
res.setContentType("text/plain");
PrintWriter out = res.getWriter();
out.print(balance);
out.close();
}
@Override
protected void doPost(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException
{
// Same code appears in doGet()
// Shown both places to emphasize that data is received thru
// different means (stream vs environment variable),
// yet processed the same inside the servlet
String acct = req.getParameter("account"),
pwd = req.getParameter("password");
String balance = accountLookup(acct, pwd);
if (balance == null)
{
res.sendError(HttpServletResponse.SC_BAD_REQUEST,
"Unable to locate account.");
return;
}
res.setContentType("text/plain");
PrintWriter out = res.getWriter();
out.print(balance);
out.close();
}
/*--------------------------------------------------
* Lookup bank account balance in database
*-------------------------------------------------*/
private String accountLookup(String acct, String pwd)
{
Connection con = null;
Statement st = null;
StringBuilder msgb = new StringBuilder("");
try
{
// These will vary depending on your server/database
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
con = DriverManager.getConnection("jdbc:odbc:acctInfo");
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery(
"Select balance from acctInfo where account = " +
acct + "and password = '" + pwd + "'");
if (rs.next())
return rs.getString(1);
else
return null;
}
catch (Exception e)
{
return e.toString();
}
}
}
1 个解决方案
解决方案1
5 2012-05-08 09:05:06
Most immediate problem: you're not quoting the acct string, and there's no space after it, so you'll end up with something like: 最直接的问题:您没有引用acct字符串,并且后面没有空格,因此最终会得到类似以下内容:
Select balance from acctInfo where account = fredand password = 'bloggs'
More important problem: you shouldn't be including values in your SQL like this in the first place. 更为重要的问题:您不应该像这样首先在SQL中包含值。 You should be using parameterized SQL. 您应该使用参数化的SQL。 Currently your code is open to SQL injection attacks . 当前,您的代码可以进行SQL注入攻击 。
Further security problem: Your code suggests that the passwords are being held in plain text. 进一步的安全问题:您的代码建议密码以纯文本格式保存。 Please don't do this. 请不要这样做。
Design problems: 设计问题:
- You appear to be treating an account balance as a string. 您似乎将帐户余额视为一个字符串。 That's odd. 真奇怪
BigDecimalwould be a more natural representation.BigDecimal将是更自然的表示。 - You're catching
Exceptionrather than specific exceptions您正在捕获Exception而不是特定的异常 - You're returning an exception string representation as if it were an account balance . 您将返回异常字符串表示形式,就好像它是帐户余额一样 。 Yikes! 哎呀! You should probably actually just let
SQLExceptionbubble up to the caller您实际上应该只让SQLException冒泡给调用者 - You're never closing the connection, statement or result set 您永远不会关闭连接,语句或结果集
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.