String Dept = request.getParameter("dept");
int NumOfEmp = Integer.parseInt(request.getParameter("EmployeeNum"));
if(null != Dept && !Dept.isEmpty()){
// add criteria for Name
query += " AND DeptName = '"+ Dept + "'"; // prefer parametrized query
}
if(NumOfEmp > 0){
// add criteria for Age
query += " AND NumberOfEmployees = "+ NumOfEmp ; // prefer parametrized query
}
System.out.println("QUERY ......... " + query);
pst = c.prepareStatement(query);
形成的查询看起来很好:
这是我得到的:
select DeptName, NumberOfEmployees from Departments where 1 = 1 AND
NumberOfEmployees = 50
查询看起来不错,但是在打印查询后,注意到打印在控制台上。 然后如果我明确地调用了url,它会给出一个例外:
Exception java.lang.NumberFormatException: null
我从ajax传递的数据字符串:
var dataString ={ "EmployeeNum" : "50"};
我如何解决这个问题?这里似乎有什么问题?
编辑:这是完整的代码:
package com.Charts;
/**
* Servlet implementation class DBChart
*/
@WebServlet("/db")
public class DBChart extends HttpServlet
{
Connection c = null;
//Statement st = null;
ResultSet rs = null;
String query = null;
JSONObject obj = null;
JSONObject resobj =null;
PreparedStatement pst = null;
//DatabaseMetaData dbmd = null;
String dbURL="jdbc:sqlserver://localhost:1433; databaseName = EMPLOYEE";
String user = "sa";
String password = "minisiminoni";
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
{
try
{
List<JSONObject> Details = new LinkedList<JSONObject>();
PrintWriter out = response.getWriter();
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
c = DriverManager.getConnection(dbURL, user, password);
query = "select DeptName, NumberOfEmployees from Departments where 1 = 1";
String Dept = "";
try
{
Dept = request.getParameter("dept");
}
catch(Exception e)
{
System.out.println("request param dept " + e);
}
String EmployeeNum= "";
try
{
EmployeeNum = request.getParameter("EmployeeNum");
}
catch(Exception e)
{
System.out.println("error in get param" + e );
}
int NumOfEmp;
try {
NumOfEmp = Integer.parseInt(EmployeeNum);
} catch(NumberFormatException e){
StringBuilder sb = new StringBuilder();
sb.append("Error parsing this EployeeNum: ");
sb.append(EmployeeNum);
e.printStackTrace();
throw new RuntimeException(sb.toString());
}
if (Dept != null && !Dept.isEmpty()) {
// add criteria for Name
query += " AND DeptName = '"+ Dept + "'"; // prefer parametrized query
}
if (NumOfEmp > 0) {
// add criteria for Age
query += " AND NumberOfEmployees = "+ NumOfEmp ; // prefer parametrized query
}
System.out.println("QUERY ......... " + query);
pst = c.prepareStatement(query);
resobj = new JSONObject();
while(rs.next())
{
String DeptName = rs.getString(1);
System.out.println("name " + DeptName);
int NumberOfEmployees = rs.getInt(2);
System.out.println("num " + NumberOfEmployees );
obj = new JSONObject();
obj.put("DeptName", DeptName);
obj.put( "NumberOfEmployees",NumberOfEmployees );
Details.add(obj);
}
resobj.put("Details", Details);
out.write(resobj.toString());
}
catch(Exception e)
{
System.out.println("Exception " + e); //only this is where exception is caught
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doGet(request, response);
}
}
控制台:
INFO: QUERY ......... select DeptName, NumberOfEmployees from Departments where 1 = 1 AND NumberOfEmployees = 50
2015-03-27T14:32:30.604+0530|SEVERE: SLF4J: The requested version 1.6 by your slf4j binding is not compatible with [1.5.5, 1.5.6]
2015-03-27T14:32:30.604+0530|SEVERE: SLF4J: See http://www.slf4j.org/codes.html#version_mismatch for further details.
之后什么都没有:
然后,如果我明确地转到servlet URL,我得到这个:
2015-03-27T14:33:58.670+0530|INFO: Exception java.lang.NumberFormatException: null
这是我的ajax电话:
<script type="text/javascript">
var dataString ={ "EmployeeNum" : "50"};
var queryObject="";
var queryObjectLen="";
console.log("loading");
google.load('visualization', '1.0', {'packages':['corechart']});
google.setOnLoadCallback(function() {
$.ajax({
type : 'POST',
data: dataString,
url : 'http://localhost:8080/Charts/db',
success : function(data) {
alert("success");
queryObject = jQuery.parseJSON(data);
queryObjectLen = queryObject.Details.length;
console.log("queryObj: "+queryObject+" Length: "+queryObjectLen);
drawChart();
},
error : function(xhr, type) {
alert('server error occoured')
}
}).done(function(msg) {
alert("aa gya Response: " + msg);
});
});
答案 0 :(得分:1)
您的代码有很多更正
第一名:SQL查询
你真的需要这个1 = 1它像SQL注入一样...所以删除它
第二版Java代码
A.始终try{}catch(){}代码块可以生成异常;
B.始终打印全面的错误消息;
C.必须使用log4j作为ex;
第3条业务规则
答:您必须检查员工数量是否与预期的相当或相当于零
B.防止SQL代码被SQL注入
尝试使用此代码
String Dept = request.getParameter("dept");
String EmployeeNum = request.getParameter("EmployeeNum");
try {
int NumOfEmp = Integer.parseInt(EmployeeNum);
} catch(NumberFormatException e){
StringBuilder sb = new StringBuilder();
sb.append("Error parsing this EployeeNum: ");
sb.append(EmployeeNum);
e.printStackTrace();
throw new RuntimeException(sb.toString());
}
if (Dept != null && !Dept.isEmpty()) {
// add criteria for Name
query += " AND DeptName = '"+ Dept + "'"; // prefer parametrized query
}
if (NumOfEmp > 0) {
// add criteria for Age
query += " AND NumberOfEmployees = "+ NumOfEmp ; // prefer parametrized query
}
System.out.println("QUERY ......... " + query);
pst = c.prepareStatement(query);