How do I get all selected options from <select multiple="multiple"> and store them in MS Access using JDBC and a servlet?



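I created a web project in NetBeans with a simple HTML page that has a drop-down menu. On submit, the options selected from the drop-down menu should be stored in MS Access (DBMS) via JDBC. My problem is that Access only inserts the first selected option and ignores the other options I also selected in the drop-down menu.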

<form action="seat" method="get" class="seatselection">
<h3>Select your seat(s):</h3>
<select multiple="multiple" name="op">
<option>Seat Number</option>
<option>11</option>
<option>12</option>
<option>13</option>
<option>14</option>
<option>15</option>
<option>16</option>
<option>17</option>
<option>18</option>
<option>19</option>
</select>
</form>

Servlet: seat.java

Statement smt = conn.createStatement();
// Reads the "op" request parameter as a single value
int seat = Integer.parseInt(request.getParameter("op"));
int c = smt.executeUpdate("INSERT into TableTest(SeatNumber) values("+seat+")");
out.println("<h3>" + "Record Entered Successfully!!" + "</h3>");
// Close the statement before the connection that owns it
smt.close();
conn.close();

You should use getParameterValues("op"). See also https://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html#getParameterValues(java.lang.String)

getParameter("op") returns only the first value.


// One INSERT per selected option
for (String parameterValue : request.getParameterValues("op")) {
    int seat = Integer.parseInt(parameterValue);
    Statement smt = conn.createStatement();
    int c = smt.executeUpdate("INSERT into TableTest(SeatNumber) values("+seat+")");
    out.println("<h3>" + "Record Entered Successfully!!" + "</h3>");
    smt.close();
}
conn.close();

You can improve your code by using a prepared statement:

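PreparedStatement stmt = conn.prepareStatement("INSERT into TableTest(SeatNumber) values(?)");
for (String parameterValue : request.getParameterValues("op")) {
    int seat = Integer.parseInt(parameterValue);
    // JDBC placeholders are numbered from 1
    stmt.setInt(1, seat);
    int c = stmt.executeUpdate();
    out.println("<h3>" + "Record Entered Successfully!!" + "</h3>");
}
stmt.close();
conn.close();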

Then your code is safe against SQL injection. https://www.w3schools.com/sql/sql_injection.asp
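Added example, not part of the original answer: one way to validate the multi-valued "op" parameter before it reaches the database and insert every seat with a single parameterized statement in one transaction. The class name SeatInsert, the helpers parseSeats and insertSeats, and the 11..19 range check (taken from the options in the form above) are assumptions for illustration; it also assumes the JDBC driver in use supports batch updates and transactions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.LinkedHashSet;
import java.util.Set;
public class SeatInsert {
    // Seats offered by the form on this page (11..19); the range check is an added assumption.
    static final int MIN_SEAT = 11, MAX_SEAT = 19;
    // Validates the raw result of request.getParameterValues("op").
    static Set<Integer> parseSeats(String[] raw) {
        Set<Integer> seats = new LinkedHashSet<>();   // drops duplicates, keeps order
        if (raw == null) return seats;                // nothing selected: parameter is absent
        for (String value : raw) {
            int seat;
            try {
                seat = Integer.parseInt(value.trim());
            } catch (NumberFormatException e) {       // e.g. the "Seat Number" placeholder option
                throw new IllegalArgumentException("not a seat number: " + value);
            }
            if (seat < MIN_SEAT || seat > MAX_SEAT)
                throw new IllegalArgumentException("seat out of range: " + seat);
            seats.add(seat);
        }
        return seats;
    }
    // Inserts all seats through one PreparedStatement; either every row is stored or none.
    static void insertSeats(Connection conn, Set<Integer> seats) throws SQLException {
        String sql = "INSERT INTO TableTest(SeatNumber) VALUES (?)";
        conn.setAutoCommit(false);
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            for (int seat : seats) {
                stmt.setInt(1, seat);                 // bound as data, never concatenated into SQL
                stmt.addBatch();
            }
            stmt.executeBatch();
            conn.commit();
        } catch (SQLException e) {
            conn.rollback();                          // undo a partially applied batch
            throw e;
        }
    }
    public static void main(String[] args) {
        // Constructed sample input: values as getParameterValues("op") would return them.
        System.out.println(parseSeats(new String[] {"11", "14", "14"}));
        try { parseSeats(new String[] {"12", "Seat Number"}); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In the servlet, the call would be insertSeats(conn, parseSeats(request.getParameterValues("op"))), with an IllegalArgumentException mapped to an HTTP 400 response.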
