Java Servlet插入MySQL

Question

我試圖從HTML表單插入記錄到MySQL數據庫中。我有HTML和Jquery，但是我的Servlet有問題。我沒有注意到它有什麼不妥，但如果我能在正確的方向得到一個點，我可以通過我目前的位置。感謝

package com.david.servlets; 

import java.io.IOException; 
import java.sql.Connection; 
import java.sql.PreparedStatement; 
import java.sql.SQLException; 
import java.util.Hashtable; 
import javax.naming.Context; 
import javax.naming.InitialContext; 
import javax.naming.NamingException; 
import javax.servlet.ServletException; 
import javax.servlet.http.HttpServlet; 
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletResponse; 
import javax.sql.DataSource; 


/** 
* Servlet implementation class myForm 
*/ 

public class myForm extends HttpServlet { 

    /** 
    * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) 
    */ 
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { 

    } 

    public void doPost(HttpServletRequest request, HttpServletResponse response) 
     throws ServletException, IOException 
     { 
       //Get parameters 
      String id = request.getParameter("ID"); 
      String fname = request.getParameter("FirstName"); 
      String lname = request.getParameter("LastName"); 


      //Get Connection 
      try { 
       Class.forName("sun.jdbc.odbc.JdbcOdbcDriver"); 
      } catch (ClassNotFoundException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 
      System.out.println("Found a driver"); 
      Connection dbConnect = null; 
      try { 
       dbConnect = getConnection("localhost", 7001); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } catch (NamingException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 


      System.out.println("Made a connection"); 


       //Create Query 
      String query = "INSERT INTO test.customer (ID, FirstName, LastName) " + 
        "VALUES (" + id + ", " + fname + ", " + lname + ")"; 
      PreparedStatement dbStatement = null; 
      try { 
       dbStatement = dbConnect.prepareStatement(query); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 
      //Execute Query 
      try { 
       dbStatement.executeUpdate(query); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 

      //close connection 
      try { 
       dbStatement.close(); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 
      try { 
       dbConnect.close(); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 

     } 





public Connection getConnection(String server, int port) 
     throws SQLException, NamingException { 
    Context ctx = null; 
    Hashtable ht = new Hashtable(); 
    ht.put(Context.INITIAL_CONTEXT_FACTORY,"weblogic.jndi.WLInitialContextFactory"); 
    ht.put(Context.PROVIDER_URL, "t3://"+server+":"+port); 
    ctx = new InitialContext(ht); 
    DataSource ds = (javax.sql.DataSource) ctx.lookup ("localmysql"); 
    Connection conn = ds.getConnection(); 
    //conn.setAutoCommit(true); 
    return conn; 
}  





} 

Answer 1

你缺少圍繞fname和lname文本字段一些單引號：

String query = "INSERT INTO test.customer (ID, FirstName, LastName) " + 
      "VALUES (" + id + ", '" + fname + "', '" + lname + "')"; 

---

注：最安全的方法是使用PreparedStatement佔位符，而不是做String串聯。他們不僅可以防範SQL Injection攻擊，還可以管理報價字符。

String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)"; 
PreparedStatement dbStatement = dbConnect.prepareStatement(query); 
dbStatement.setInt(1, Integer.parseInt(id)); 
dbStatement.setString(2, fname); 
dbStatement.setString(3, lname); 

（Id字段通常整數類型）

Answer 2

看起來好像沒什麼問題，但是，你正在使用PreparedStatement而不是由您的查詢構造獲得任何的好處。有關解決方案，請參閱我的示例代碼，它遵循：

//Get Connection 
    try { 
     Class.forName("sun.jdbc.odbc.JdbcOdbcDriver"); 
    } catch (ClassNotFoundException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 
    System.out.println("Found a driver"); 
    Connection dbConnect = null; 
    try { 
     dbConnect = getConnection("localhost", 7001); 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } catch (NamingException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 


    System.out.println("Made a connection"); 


     //Create Query 
    String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)"; 
    PreparedStatement dbStatement = null; 
    try { 
     dbStatement = dbConnect.prepareStatement(query); 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 
    // set parameters 
    try { 
     dbStatement.setString(1, ID); 
     dbStatement.setString(2, fname); 
     dbStatement.setString(3, lname); 
    } catch (SQLException e) { 
     e.printStackTrace(); 
    } 
    //Execute Query 
    try { 
     if (dbStatement.executeUpdate(query) == 0) { 
      System.err.println("Nothing inserted"); 
     } 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 

    //close connection 
    try { 
     dbStatement.close(); 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 
    try { 
     dbConnect.close(); 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 

} 

Answer 3

除了缺少的報價爲指向別人，我想補充一點，你使用PreparedStatement不正確。你第一次準備語句與

dbStatement = dbConnect.prepareStatement(query); 

，然後不是執行的已經準備查詢

dbStatement.executeUpdate(); 

你創建一個新一個不必要的，並與

執行它

dbStatement.executeUpdate(query); 

這不會原因e任何錯誤或拋出異常，但是執行JDBC的錯誤方法。