import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;
import javax.servlet.ServletException;
public class showdata extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse responce)
int s=0;
PrintWriter out = responce.getWriter();
responce.setContentType("text/html");
out.println("<html><body>");
我正在阅读我必须在我的oracle查询中使用的3个变量t,a,b。
String t = request.getParameter("type");
String a = request.getParameter("about");
String b = request.getParameter("bird");
try {
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection con = DriverManager.getConnection(
"jdbc:oracle:thin:@localhost:1521:XE","hr","praveen");
Statement stmt = con.createStatement();
out.println("<html>");
out.println("<body bgcolor='#56A5EC'>");
String query = "select ****** from ******* ;
我必须从表格a中选择列b和t。如何在上面的查询中写出变量名称a,b,t?
ResultSet rs = stmt.executeQuery(query);
catch (Exception e) {
System.out.println(e.getMessage());
}
out.println("</body>");
out.println("</html>");
}
}
答案 0 :(得分:0)
首先阅读Gord Thompson所提到的帖子。
简短的回答是:
String query = "select " + a +","+ b + " from " + t ;
但是,这使您对 sql注入攻击持开放态度。您需要确保这三个变量是合法的列和表名。只允许使用字母,数字,下划线或美元符号。
如果前端没有直接传递名字会更好。相反,传入一个数字,java代码必须“查找”名称。