我已经编写代码听到我有从sqlserver中选择值的问题我从nrno传递的值是由另一页提交
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled</title>
</head>
<body>
<%@ page import="java.sql.*" %>
<%@ page import="java.io.*" %>
<%
String AppURL = request.getContextPath() ;
String thisFile = AppURL+request.getServletPath() ;
int nrno = 0;
try
{
nrno = Integer.parseInt(request.getParameter("rno"));
}
catch(NumberFormatException ex)
{
nrno = 0;
}
%>
<td>This Is In RoolNo :- <%=nrno%> </td><br>
<%
Class.forName("net.sourceforge.jtds.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:jtds:sqlserver://localhost:1433/sample", "sa", "sa1234");
java.sql.Statement stmt = conn.createStatement();
java.sql.ResultSet rslt = stmt.executeQuery(" SELECT * FROM student where rno = nrno");
while(rslt.next())
{
int id = rslt.getInt(1);
int rno = rslt.getInt(4);
String name = rslt.getString(2);
String city = rslt.getString(3);
out.println(id +"<br>" +" " +name + " "+"<br>" + city +"<br>" + rno + "<br>");
}
rslt.close();
stmt.close();
conn.close();
%>
</body>
</html>
答案 0 :(得分:2)
问题在于:
java.sql.ResultSet rslt = stmt.executeQuery(" SELECT * FROM student where rno = nrno");
这导致将字符串SELECT * FROM student where rno = nrno传递给sqlServer,这不是您想要的。
您可以将其as specified by Richie更改为
`java.sql.ResultSet rslt = stmt.executeQuery (" SELECT * FROM student where rno =" +` nrno);
或者更好地使用参数化调用,因为第一种方法可能倾向于sql Injection
PreparedStatement st = conn.prepareStatement(
"SELECT * FROM student where rno = ?");
st.setInt(1, nrno);
在你的情况下,你正在将nrno解析为int,所以可能没有sql注入的问题,但无论如何它都是用户参数化方法的保护程序(比如在未来的某个版本中参数类型更改为字符串)
答案 1 :(得分:2)
java.sql.ResultSet rslt = stmt.executeQuery(" SELECT * FROM student where rno = nrno");
您可能希望将其更改为
java.sql.ResultSet rslt = stmt.executeQuery (" SELECT * FROM student where rno =" + nrno);
coz“nrno”是一个变量..
希望这可以帮助你...
欢呼声,
RDJ