您好,我正在尝试为学校项目创建一些页面。整个主题是关于创建,删除,搜索,更新度假目的地。我在删除记录时遇到问题。我创建了一个带有表单的html页面,以便接收要删除的目标的名称。接下来是我创建的java页面的代码。你看出有什么不对吗?因为无论我尝试什么,记录都不会被删除。谢谢
网页
<html>
<head>
<title>Delete</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<h1 align="center">Insert the destination you want to delete</h1>
<form action="delete.jsp" method="post">
<input type="text" name="delete">
<BR>
<INPUT TYPE="SUBMIT" value="Delete!">
</form>
</body>
</html>
爪哇页面:
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@page import="java.sql.*" %>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Delete</title>
</head>
<body>
<%
String name=request.getParameter("name");
Class.forName("com.mysql.jdbc.Driver");
java.sql.Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/vac",
"user","pass");
Statement myStatement=con.createStatement();
String SQLstring="DELETE FROM dest WHERE name= '" +name+ "'";
myStatement.executeUpdate(SQLstring);
myStatement.close();
con.close();
out.println("Destination deleted!");
%>
</body>
</html>
我认为根据表单输入名称,参数名称是"删除",没有"名称"。
问候。
正如安东尼奥·马丁内斯的回答所指出的,参数名称不正确(不是name而是delete)。我觉得我必须发布这个答案来指出您的代码显示的SQL注入风险。
永远不应该按照你正在做的方式构建查询(使用外部参数来构建语句),因为它可能允许注入恶意代码。应始终使用预准备语句来处理用户的输入:
String sqlString = "delete from dest where name=?";
/* The question-mark is a place holder for the parameter.
Notice that you don't need to enclose it in quotes,
the prepared statement will take care about that. */
PreparedStatement ps = con.prepareStatement(sqlString);
/* Notice that nothing is executed here: you're only preparing the
statement using the SQL string (which includes the place-holder(s)
for the parameter(s). */
ps.setString(1, delete)
/* Here you assign the parameter(s) value(s) to the prepared statement.
The parameters are numbered starting from one, and ordered
the way they appear in your SQL string.
The setXXX() methods of the prepared statement allow you to
pass the correct value to the query. Strings, in this case, are
properly handled, so any rogue code the user might try to inject will
not pass as "executable code", but simply as a string. */
ps.execute();
同样,我建议您阅读此处以了解SQL注入攻击:它们是什么,它们带来的风险是什么以及如何防止它们。