<%
Connect conn = new Connect();
Statement stmt = conn.getDataConn().createStatement();
String doc = request.getParameter("doc");
ResultSet rs = stmt.executeQuery("SELECT * from consult JOIN patients USING (idpatients) JOIN doctors USING (iddoctors) WHERE dfirstname = '" + doc + "' ");
%>
我在这里使用JSP,参数“doc”具有来自另一页面的值 查询很好,但WHERE部分不起作用。如果我更改WHERE dfirstname ='Alex'它正在工作,但我不想在WHERE部分上设置固定值。
我该怎么做?
伙计们,请检查我的预备陈述是否正确。
<%
String doc = request.getParameter("pedz");
Connection conn = (Connection) this.getServletContext().getAttribute("conn");
String query = "SELECT * FROM consult JOIN doctors USING (iddoctors) JOIN patients USING (idpatients) WHERE dlastname = '"+ doc +"'";
PreparedStatement ps = conn.prepareStatement(query);
request.setAttribute("pedz", doc);
ResultSet rs = ps.executeQuery();
%>
package servlet;
import bean.Consult;
import bean_result.Serology;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class V_Serology extends HttpServlet {
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
String pkid = request.getParameter("pname2");
String treatment, age, gender, lname, fname;
String test, result, release_date;
Connection conn = (Connection) this.getServletContext().getAttribute("conn");
String query = "SELECT * FROM consult JOIN patients USING (idpatients) JOIN serology USING (idconsult) WHERE idconsult = ?";
PreparedStatement ps = conn.prepareStatement(query);
ps.setString(1, pkid);
ResultSet rs = ps.executeQuery();
while(rs.next()){
treatment = rs.getString("treatment");
age = rs.getString("birthdate");
gender = rs.getString("gender");
fname = rs.getString("pfirstname");
lname = rs.getString("plastname");
test = rs.getString("test");
result = rs.getString("result");
release_date = rs.getString("release_date");
if (pkid.equals(rs.getString(1))) {
Consult consult = new Consult();
Serology serology = new Serology();
consult.setPkid(pkid);
consult.setGender(gender);
consult.setAge(age);
consult.setFname(fname);
consult.setLname(lname);
consult.setTreatment(treatment);
serology.setTest(test);
serology.setResult(result);
serology.setRelease_date(release_date);
HttpSession session = request.getSession();
session.setAttribute("consult", consult);
session.setAttribute("serology", serology);
response.sendRedirect("carehealth/view_result/result_serology.jsp");
}
else {
response.sendRedirect("errormsg.jsp");
}
}
rs.close();
ps.close();
} catch (Exception e) {
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
}
}
这个怎么样?我的servlet,这是准备好声明的正确方法吗?所以如果查询以“?”结尾这意味着它很难注射病毒等?