Java Servlet插入MySQL

Question

我试图从HTML表单插入记录到MySQL数据库中。我有HTML和Jquery，但是我的Servlet有问题。我没有注意到它有什么不妥，但如果我能在正确的方向得到一个点，我可以通过我目前的位置。感谢

package com.david.servlets; 

import java.io.IOException; 
import java.sql.Connection; 
import java.sql.PreparedStatement; 
import java.sql.SQLException; 
import java.util.Hashtable; 
import javax.naming.Context; 
import javax.naming.InitialContext; 
import javax.naming.NamingException; 
import javax.servlet.ServletException; 
import javax.servlet.http.HttpServlet; 
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletResponse; 
import javax.sql.DataSource; 


/** 
* Servlet implementation class myForm 
*/ 

public class myForm extends HttpServlet { 

    /** 
    * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response) 
    */ 
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { 

    } 

    public void doPost(HttpServletRequest request, HttpServletResponse response) 
     throws ServletException, IOException 
     { 
       //Get parameters 
      String id = request.getParameter("ID"); 
      String fname = request.getParameter("FirstName"); 
      String lname = request.getParameter("LastName"); 


      //Get Connection 
      try { 
       Class.forName("sun.jdbc.odbc.JdbcOdbcDriver"); 
      } catch (ClassNotFoundException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 
      System.out.println("Found a driver"); 
      Connection dbConnect = null; 
      try { 
       dbConnect = getConnection("localhost", 7001); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } catch (NamingException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 


      System.out.println("Made a connection"); 


       //Create Query 
      String query = "INSERT INTO test.customer (ID, FirstName, LastName) " + 
        "VALUES (" + id + ", " + fname + ", " + lname + ")"; 
      PreparedStatement dbStatement = null; 
      try { 
       dbStatement = dbConnect.prepareStatement(query); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 
      //Execute Query 
      try { 
       dbStatement.executeUpdate(query); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 

      //close connection 
      try { 
       dbStatement.close(); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 
      try { 
       dbConnect.close(); 
      } catch (SQLException e) { 
       // TODO Auto-generated catch block 
       e.printStackTrace(); 
      } 

     } 





public Connection getConnection(String server, int port) 
     throws SQLException, NamingException { 
    Context ctx = null; 
    Hashtable ht = new Hashtable(); 
    ht.put(Context.INITIAL_CONTEXT_FACTORY,"weblogic.jndi.WLInitialContextFactory"); 
    ht.put(Context.PROVIDER_URL, "t3://"+server+":"+port); 
    ctx = new InitialContext(ht); 
    DataSource ds = (javax.sql.DataSource) ctx.lookup ("localmysql"); 
    Connection conn = ds.getConnection(); 
    //conn.setAutoCommit(true); 
    return conn; 
}  





} 

Answer 1

你缺少围绕fname和lname文本字段一些单引号：

String query = "INSERT INTO test.customer (ID, FirstName, LastName) " + 
      "VALUES (" + id + ", '" + fname + "', '" + lname + "')"; 

---

注：最安全的方法是使用PreparedStatement占位符，而不是做String串联。他们不仅可以防范SQL Injection攻击，还可以管理报价字符。

String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)"; 
PreparedStatement dbStatement = dbConnect.prepareStatement(query); 
dbStatement.setInt(1, Integer.parseInt(id)); 
dbStatement.setString(2, fname); 
dbStatement.setString(3, lname); 

（Id字段通常整数类型）

Answer 2

看起来好像没什么问题，但是，你正在使用PreparedStatement而不是由您的查询构造获得任何的好处。有关解决方案，请参阅我的示例代码，它遵循：

//Get Connection 
    try { 
     Class.forName("sun.jdbc.odbc.JdbcOdbcDriver"); 
    } catch (ClassNotFoundException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 
    System.out.println("Found a driver"); 
    Connection dbConnect = null; 
    try { 
     dbConnect = getConnection("localhost", 7001); 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } catch (NamingException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 


    System.out.println("Made a connection"); 


     //Create Query 
    String query = "INSERT INTO test.customer (ID, FirstName, LastName) VALUES (?,?,?)"; 
    PreparedStatement dbStatement = null; 
    try { 
     dbStatement = dbConnect.prepareStatement(query); 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 
    // set parameters 
    try { 
     dbStatement.setString(1, ID); 
     dbStatement.setString(2, fname); 
     dbStatement.setString(3, lname); 
    } catch (SQLException e) { 
     e.printStackTrace(); 
    } 
    //Execute Query 
    try { 
     if (dbStatement.executeUpdate(query) == 0) { 
      System.err.println("Nothing inserted"); 
     } 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 

    //close connection 
    try { 
     dbStatement.close(); 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 
    try { 
     dbConnect.close(); 
    } catch (SQLException e) { 
     // TODO Auto-generated catch block 
     e.printStackTrace(); 
    } 

} 

Answer 3

除了缺少的报价为指向别人，我想补充一点，你使用PreparedStatement不正确。你第一次准备语句与

dbStatement = dbConnect.prepareStatement(query); 

，然后不是执行的已经准备查询

dbStatement.executeUpdate(); 

你创建一个新一个不必要的，并与

执行它

dbStatement.executeUpdate(query); 

这不会原因e任何错误或抛出异常，但是执行JDBC的错误方法。