Cannot delete a record with JDBC

Time: 2016-06-03 15:49:48

Tags: java sql jdbc delete-record

Hello, I am trying to create some pages for a school project. The whole topic is about creating, deleting, searching and updating holiday destinations. I have a problem with deleting records. I created an HTML page with a form that receives the name of the destination you want to delete. Below is the code of the Java page I created. Do you see anything wrong with it? Because whatever record I try, it never gets deleted. Thanks

HTML PAGE

<html>
    <head>
        <title>Delete</title>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
    </head>
    <body>
        <h1 align="center">Insert the destination you want to delete</h1>

        <form action="delete.jsp" method="post">
            <input type="text" name="delete">
            <BR>
            <INPUT TYPE="SUBMIT" value="Delete!">
        </form>





    </body>
</html>

JAVA PAGE:

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@page import="java.sql.*" %>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Delete</title>
    </head>
    <body>


        <%
            String name = request.getParameter("name");
            Class.forName("com.mysql.jdbc.Driver");
            java.sql.Connection con = DriverManager.getConnection(
                    "jdbc:mysql://localhost:3306/vac", "user", "pass");

            Statement myStatement = con.createStatement();
            String SQLstring = "DELETE FROM dest WHERE name= '" + name + "'";
            myStatement.executeUpdate(SQLstring);
            myStatement.close();
            con.close();
            out.println("Destination deleted!");
        %>
    </body>
</html>

2 answers:

Answer 0: (score: 3)

I think the parameter name is "delete", not "name", according to the form's input name.

Regards.

Answer 1: (score: 0)

As Antonio Martinez's answer points out, the parameter name is wrong (it is not name but delete). I feel I have to post this answer to point out the SQL injection risk that the code shows.

You should never build queries the way you are doing (using external parameters to build the statement text), because it can allow malicious code to be injected. Always use prepared statements to handle user input:

/* Read the form field under the name the form actually declares. */
String delete = request.getParameter("delete");
String sqlString = "delete from dest where name=?";
/* The question-mark is a place holder for the parameter. 
   Notice that you don't need to enclose it in quotes, 
   the prepared statement will take care about that. */
PreparedStatement ps = con.prepareStatement(sqlString);
/* Notice that nothing is executed here: you're only preparing the
   statement using the SQL string (which includes the place-holder(s)
   for the parameter(s)). */
ps.setString(1, delete);
/* Here you assign the parameter(s) value(s) to the prepared statement.
   The parameters are numbered starting from one, and ordered 
   the way they appear in your SQL string. 
   The setXXX() methods of the prepared statement allow you to 
   pass the correct value to the query. Strings, in this case, are 
   properly handled, so any rogue code the user might try to inject will 
   not pass as "executable code", but simply as a string. */
ps.execute();

Again, I suggest you read here about SQL injection attacks: what they are, what risks they carry and how to prevent them.
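The two points made in the answers above (read the form field under its real name, and pass the value as a statement parameter rather than pasting it into the SQL text) can be exercised side by side in a few lines. The following is an added example, not code from the question or either answer; it uses Python's built-in sqlite3 module instead of JDBC so it runs offline with no driver to install, and the `dest` table and its three rows are constructed here. `delete_param` corresponds to the answer's `PreparedStatement` / `setString` pattern, `delete_concat` to the question's `createStatement` + string concatenation, and `handle_delete_form` to what the JSP should do with the submitted form; the returned row counts play the role of JDBC's `executeUpdate` result.

```python
import sqlite3

# Constructed sample rows standing in for the question's `dest` table.
SEED_ROWS = [("Paris",), ("Rome",), ("Crete",)]


def make_db():
    """Create an in-memory database with a `dest(name)` table and seed it."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE dest (name TEXT)")
    con.executemany("INSERT INTO dest (name) VALUES (?)", SEED_ROWS)
    con.commit()
    return con


def count_rows(con):
    return con.execute("SELECT COUNT(*) FROM dest").fetchone()[0]


def delete_concat(con, name):
    """The question's pattern: the user-supplied value becomes part of the
    SQL text, so a value containing a quote changes the statement itself."""
    sql = "DELETE FROM dest WHERE name = '" + name + "'"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # rows removed


def delete_param(con, name):
    """The answer's pattern: the SQL text is fixed and the value travels as a
    bound parameter, so it is only ever compared as a string."""
    cur = con.execute("DELETE FROM dest WHERE name = ?", (name,))
    con.commit()
    return cur.rowcount  # rows removed


def handle_delete_form(con, form):
    """What the JSP should do with the submitted form (a dict of field -> value).

    The form declares its input as name="delete", so that is the key to read;
    reading "name" (as the question does) yields nothing and no row matches.
    A missing or blank field is reported as None instead of running a DELETE.
    """
    name = form.get("delete")
    if name is None or name.strip() == "":
        return None
    return delete_param(con, name.strip())


if __name__ == "__main__":
    con = make_db()
    print("parameterized, exact name:", delete_param(con, "Rome"), "row(s) removed")
    print("parameterized, quote in value:", delete_param(con, "x' OR '1'='1"), "row(s) removed")
    con = make_db()
    print("concatenated, quote in value:", delete_concat(con, "x' OR '1'='1"), "row(s) removed")
```

The first run shows that with a bound parameter the exact name removes one row while a value carrying a quote removes none, because it is matched literally; the concatenated version runs the altered statement and empties the table. `handle_delete_form` returns `None` for a form that only carries a `name` field, which is the silent failure described in the question.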