From the database

Time: 2017-01-02 13:24:28

Tags: java mysql jsp

Hello, I am writing code where people can search for activities in a database using JSP. When I run the program I can successfully search by type, description, location, city and date. I can see the data on the page. But when I fill in two or three criteria, and so on, the program does not work well. For example, if I fill in the type as "Music" and the city as "Istanbul", the program finds all music activities and all activities in Istanbul. I think my SQL query is wrong. If I change the query to OR, all fields have to be filled in. Otherwise it returns an empty table. But the user may fill in two criteria, or three criteria, etc. It depends on the user. If the user fills in the type as "Music" and the city as "Istanbul", the program must show only the music activities in Istanbul. What should I do? What is the correct code?

search.jsp

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@ page import="java.sql.*" %>
<%!
    // HTML-escape a database value before writing it into the page. Every value
    // below lands both in element text and in an attribute, so without this a
    // stored description such as "<script>..." would run in the visitor's browser.
    private static String esc(String s) {
        if (s == null) {
            return "";
        }
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
%>
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>Book Ticket</title>
</head>
<body background="http://www.teamarking.com/barcode/bar_background.jpg">
    <center>
        <table border="1" width="30%" height="30%">
            <tr>
                <th><font color='#D18603'>id</font></th>
                <th><font color='#D18603'>Type</font></th>
                <th><font color='#D18603'>Description</font></th>
                <th><font color='#D18603'>City</font></th>
                <th><font color='#D18603'>Location</font></th>
                <th><font color='#D18603'>Date</font></th>
                <th><font color='#D18603'>Price</font></th>
                <th><font color='#D18603'>Time</font></th>
                <th><font color='#D18603'>Buy</font></th>
            </tr>
<%
    Class.forName("org.apache.derby.jdbc.ClientDriver").newInstance();
    Connection con = null;
    PreparedStatement ps = null;
    ResultSet rs = null;
    try {
        con = DriverManager.getConnection("jdbc:derby://localhost:1527/users", "users", "123");

        // The query the question is about: OR returns every row that matches ANY one
        // criterion, so type=Music plus city=Istanbul lists all music events and all
        // Istanbul events. Empty form fields arrive as null and never match anything.
        ps = con.prepareStatement("select * from activities where type=? OR description=? OR city=? OR location=? OR date=? OR time=?");
        ps.setString(1, request.getParameter("type"));
        ps.setString(2, request.getParameter("description"));
        ps.setString(3, request.getParameter("city"));
        ps.setString(4, request.getParameter("location"));
        ps.setString(5, request.getParameter("date"));
        ps.setString(6, request.getParameter("time"));

        rs = ps.executeQuery();
        String[] cols = {"id", "type", "description", "city", "location", "date", "price", "time"};
        while (rs.next()) {
            out.println("<tr>");
            for (String col : cols) {
                out.println("<td>" + esc(rs.getString(col)) + "</td>");
            }
            // One form per row, kept inside its own cell (a <form> may not wrap a <tr>,
            // and nested forms are dropped by browsers), so the Buy button submits only
            // this row's fields. The price travels through the client here, so
            // reservations.jsp must re-read it from the database instead of trusting it.
            out.println("<td><b><form action='reservations.jsp' method='post'>");
            for (String col : cols) {
                out.println("<input type='hidden' name='" + col + "' value='" + esc(rs.getString(col)) + "'>");
            }
            out.println("<select name='buy'><option value='1'>1</option><option value='2'>2</option>"
                    + "<option value='3'>3</option><option value='4'>4</option><option value='5'>5</option></select>"
                    + "<input type='submit' value='Submit'></form></b></td>");
            out.println("</tr>");
        }
    } finally {
        // Release the JDBC resources in reverse order of creation; the original only
        // closed a Statement it never used and leaked the ResultSet, PreparedStatement
        // and Connection on every request.
        if (rs != null) rs.close();
        if (ps != null) ps.close();
        if (con != null) con.close();
    }
%>
        </table>
    </center>

    <br><br><a href='success.jsp'>Back</a>
    <br><br><a href='logout.jsp'>Log out</a>
</body>
</html>

1 answer:

Answer 0 (score: 2)

You want to create the SQL dynamically, like this:

// Needs <%@ page import="java.util.List, java.util.ArrayList" %> at the top of the JSP.
String type = request.getParameter("type");
String description = request.getParameter("description");
String city = request.getParameter("city");
String location = request.getParameter("location");
String date = request.getParameter("date");
String time = request.getParameter("time");

// Build the WHERE clause dynamically: each field the user filled in adds an
// "and column = ?" condition, so the filled-in criteria are combined with AND
// and empty fields are simply left out. The values never go into the SQL text;
// they are bound afterwards through PreparedStatement, which is what prevents
// SQL injection. Only the fixed column names ever appear in the query string.
StringBuilder sql = new StringBuilder("select * from activities where 1 = 1");
List<String> params = new ArrayList<String>();
if (type != null && type.trim().length() != 0) {
    sql.append(" and type = ?");
    params.add(type);
}
if (description != null && description.trim().length() != 0) {
    sql.append(" and description = ?");
    params.add(description);
}
if (city != null && city.trim().length() != 0) {
    sql.append(" and city = ?");
    params.add(city);
}
if (location != null && location.trim().length() != 0) {
    sql.append(" and location = ?");
    params.add(location);
}
if (date != null && date.trim().length() != 0) {
    sql.append(" and date = ?");
    params.add(date);
}
if (time != null && time.trim().length() != 0) {
    sql.append(" and time = ?");
    params.add(time);
}

// 'con' is the Connection opened in search.jsp.
PreparedStatement ps = con.prepareStatement(sql.toString());
for (int i = 0; i < params.size(); i++) {
    ps.setString(i + 1, params.get(i));   // JDBC placeholders are 1-based
}
ResultSet rs = ps.executeQuery();
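The filter the answer describes, as an added example that is not code from the question or from the answer. It is written in Python over an in-memory SQLite table so that it runs stand-alone (in JDBC the same construction is a PreparedStatement with `?` placeholders bound through `setString`); the table and its rows are constructed for the example, shaped like the `activities` table on this page. `build_concatenated` pastes the raw request values into the SQL text, while `build_parameterized` puts only whitelisted column names into the SQL and binds the values. Both use the same `where 1 = 1 and ...` construction and the same blank-field check, so honest input gives the same result from either; a city of `x' or '1'='1` returns every row from the first and no rows from the second.

```python
import sqlite3

# Column whitelist: only these names may ever appear in the generated SQL.
COLUMNS = ("type", "description", "city", "location", "date", "time")

# Constructed sample rows (not data from the page), mirroring the activities table.
SAMPLE_ROWS = [
    (1, "Music", "Rock night", "Istanbul", "Arena", "2017-01-10", "20:00", 50),
    (2, "Music", "Jazz club", "Ankara", "Hall", "2017-01-11", "21:00", 40),
    (3, "Theatre", "Hamlet", "Istanbul", "Stage", "2017-01-12", "19:00", 30),
    (4, "Sports", "Derby match", "Izmir", "Stadium", "2017-01-13", "18:00", 25),
]


def make_db():
    """In-memory SQLite database standing in for the Derby 'activities' table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table activities (id integer, type text, description text, "
        "city text, location text, date text, time text, price integer)"
    )
    con.executemany("insert into activities values (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return con


def filled(criteria):
    """The criteria the user actually filled in, in whitelist order.

    Mirrors the answer's null/blank check: a missing or whitespace-only field
    adds no condition at all, so it cannot exclude any row.
    """
    return [(col, criteria[col]) for col in COLUMNS
            if criteria.get(col) is not None and criteria[col].strip() != ""]


def build_concatenated(criteria):
    """Injectable variant: request values are pasted into the SQL text."""
    sql = "select id from activities where 1 = 1"
    for col, val in filled(criteria):
        sql += f" and {col} = '{val}'"
    return sql


def build_parameterized(criteria):
    """Hardened variant: the SQL text contains only whitelisted column names and
    '?' placeholders; the values travel separately and are never parsed as SQL."""
    sql = "select id from activities where 1 = 1"
    params = []
    for col, val in filled(criteria):
        sql += f" and {col} = ?"
        params.append(val)
    return sql, params


def search_concatenated(con, criteria):
    """Run the injectable query; returns the sorted matching ids."""
    return sorted(row[0] for row in con.execute(build_concatenated(criteria)))


def search_parameterized(con, criteria):
    """Run the parameterized query; returns the sorted matching ids."""
    sql, params = build_parameterized(criteria)
    return sorted(row[0] for row in con.execute(sql, params))


if __name__ == "__main__":
    db = make_db()
    honest = {"type": "Music", "city": "Istanbul", "description": "  "}
    hostile = {"city": "x' or '1'='1"}
    print(search_concatenated(db, honest), search_parameterized(db, honest))    # [1] [1]
    print(search_concatenated(db, hostile), search_parameterized(db, hostile))  # [1, 2, 3, 4] []
```

The whitelist matters as much as the placeholders: column names cannot be bound as parameters, so the set of columns a request may filter on has to be fixed in code, never taken from the request.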