I have the following JSP.
<%--
Document : See_Free_Editors
Created on : Aug 16, 2013, 7:22:30 PM
Author : u0138039
--%>
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JSP Page</title> <link rel="stylesheet" href="http://code.jquery.com/ui/1.10.3/themes/smoothness/jquery-ui.css">
<script type="text/javascript" src="http://code.jquery.com/jquery-1.9.1.js"></script>
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.3/jquery-ui.js"></script>
<script type="text/javascript">
$(function() {
$(".datepicker").datepicker();
});
xmlHttp = new XMLHttpRequest();
function getUsers()
{
xmlHttp.onreadystatechange=
function()
{
if(xmlHttp.readyState===4 && xmlHttp.status===200)
{
document.getElementById('b').innerHTML=xmlHttp.responseText;
}
else
{
document.getElementById('b').innerHTML="Waiting";
}
};
xmlHttp.open("post", "see_frm_DB.jsp", true);
xmlHttp.send();
}
</script>
<style>
.ui-widget { font-family: Lucida Grande, Lucida Sans, Arial, sans-serif; font-size: 0.6em; }
</style>
</head>
<body>
<div id="a">
<table>
<tr>
<td><label>Date Request received
</label> </td>
<td><input type='text' class='datepicker' name='date1' id="date1"></td>
<td><label>Date Request received
</label> </td>
<td><input type='text' class='datepicker' name='date2' id="date2"></td>
<td><input type="button" id="button" name="button" value="submit" onclick="getUsers();"></td>
</tr>
</table>
</div>
<div id="b">
</div>
</body>
</html>
, and the connection page is as follows.
<%--
Document : index
Created on : Aug 19, 2013, 8:07:29 PM
Author : U0138039
--%>
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@include file="DBCon.jsp"%>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>JSP Page</title>
</head>
<body>
<%
try{
String a=request.getParameter("date1");
String b=request.getParameter("date2");
out.println(a);
out.println(b);
stmt=conn.createStatement();
sql="select * from [Sheet1$] where [Date Request received] between '"+a+"' and '"+b+"'";
out.print(sql);
rs=stmt.executeQuery(sql);
ResultSetMetaData rsmd = rs.getMetaData();
int columnCount = rsmd.getColumnCount();
int count = rsmd.getColumnCount();
conn.commit();
stmt.close();
conn.close();
%>
<table border="1">
<tr>
<%
// The column count starts from 1
for (int i = 1; i < columnCount + 1; i++ ) {
String name = rsmd.getColumnName(i);
// Do stuff with name%>
<td nowrap> <%
out.print(name);%></td>
<%
}%>
</tr>
<%
while(rs.next())
{
%>
<tr>
<%
for (int i=1; i<count; i++) {%>
<td>
<%=rs.getString(i)%> <%}%>
<%
}
}
catch(Exception e)
{
out.print(e);
}
%>
</td>
</tr>
</table>
%>
</body>
</html>
When I try to run this, I get the following error. In fact, the values are not being passed through.
null null select * from [Sheet1$] where [Date Request received] between 'null' and 'null'java.sql.SQLException: [Microsoft][ODBC Excel Driver] Data type mismatch in criteria expression. %>
Please let me know how to fix this.
Thanks
Answer 0 (score: 1)
First, on the form JSP you are not sending the date1/date2 parameters in the AJAX request, which is why request.getParameter(...) returns null. To fix this, change xmlHttp.send()
to:
xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); // without this header the servlet container does not parse the POST body into request parameters
xmlHttp.send("date1=" + encodeURIComponent(document.getElementById('date1').value) + "&date2=" + encodeURIComponent(document.getElementById('date2').value));
Second, on the connection JSP you must sanitize the input. Your current code does not check whether the required parameters are set, and it also allows SQL injection attacks because you insert the request parameters directly into the SQL query. Try something like this:
String a=request.getParameter("date1");
String b=request.getParameter("date2");
if (a == null || b == null) {
// bail out here (Java string literals use double quotes, not single quotes)
out.print("date1 and date2 are required");
} else {
// use a prepared statement where we can safely insert the parameters
sql="select * from [Sheet1$] where [Date Request received] between ? and ?";
// prepareStatement returns a PreparedStatement, so it needs its own variable (java.sql.* must be imported, e.g. in DBCon.jsp)
PreparedStatement pstmt=conn.prepareStatement(sql);
pstmt.setString(1, a);
pstmt.setString(2, b);
// if the driver still reports a type mismatch against a date column, parse the values and use pstmt.setDate(...) instead
rs=pstmt.executeQuery();
}
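A fuller version of that fix, as an added example rather than the answer's own code: it validates both parameters as real dates before they get anywhere near the query, binds them as typed DATE values instead of text, and closes the statement and result set. It assumes the datepicker keeps jQuery UI's default mm/dd/yy display format and that the sheet and column names are the ones from the question.

```java
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.List;
public class DateRangeQuery {
    // Assumption: the datepicker keeps jQuery UI's default mm/dd/yy display format (e.g. 08/16/2013).
    private static final DateTimeFormatter PICKER_FORMAT = DateTimeFormatter.ofPattern("MM/dd/yyyy");
    /** Parses a request parameter as a date; null means missing or not a date in the expected format. */
    static LocalDate parseDateParam(String value) {
        if (value == null) return null;
        try {
            return LocalDate.parse(value.trim(), PICKER_FORMAT);
        } catch (DateTimeParseException e) {
            return null; // any non-date text, including SQL fragments, is rejected before it reaches the query
        }
    }
    /** The page's query with the range bound as DATE parameters; returns rows as lists of column strings. */
    static List<List<String>> findRequests(Connection conn, String date1, String date2) throws SQLException {
        LocalDate from = parseDateParam(date1);
        LocalDate to = parseDateParam(date2);
        if (from == null || to == null) {
            throw new IllegalArgumentException("date1 and date2 are required, format mm/dd/yyyy");
        }
        String sql = "select * from [Sheet1$] where [Date Request received] between ? and ?";
        List<List<String>> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setDate(1, Date.valueOf(from)); // bound as a typed DATE: no quoting, no text-vs-date comparison
            ps.setDate(2, Date.valueOf(to));
            try (ResultSet rs = ps.executeQuery()) {
                int columns = rs.getMetaData().getColumnCount();
                while (rs.next()) {
                    List<String> row = new ArrayList<>(columns);
                    for (int i = 1; i <= columns; i++) { // JDBC columns are 1-based, inclusive of columnCount
                        row.add(rs.getString(i));
                    }
                    rows.add(row);
                }
            }
        }
        return rows;
    }
}
```

The JSP would call findRequests(conn, request.getParameter("date1"), request.getParameter("date2")) and render the returned rows, catching IllegalArgumentException to report bad input instead of printing the exception text.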