0

jspを初めて使用する場合、jspページにデータベース値を出力しようとします。以下のプログラムは正常に動作しますが、s1="january"とs2="2012"の値を直接出力します。両方のデータ型はVARCHARです。

String QueryString = "SELECT reading,totalcost,paiddate,receiptnumber FROM userseven WHERE readingmonth = '"+s1+"' AND readingyear= '"+s2+"'";

request.getparameter( "t1")(t1 contains january)value request.getparameter( "t2");(t2 contains 2011)を出力しようとすると

それは考えを印刷しません、

String QueryString = "SELECT reading,totalcost,paiddate,receiptnumber FROM userseven WHERE readingmonth = '"+s11+"' AND readingyear= '"+s22+"'";

           <body>
           <form action="yeardb.jsp">
           <table border="1" >
           <tr>
           <td>Select Year</td>
           <td>
           <select name="t1">
           <option value="2013">2013</option>
           <option value="2012">2012</option>
           <option value="2011">2011</option>
           <option value="2010">2010</option>
           </select>
           </td></tr><tr><td>
          <tr><td>Select Month:</td>
          <td>
          <select name="t2"> 
          <option value="january">JANUARY</option>
          <option value="march">March</option>
          <option value="may">May</option>
           <option value="july">JULY</option>
           <option value="aug">AUGUEST</option>
            <option value="oct">OCTOBER</option>
            <option value="dec">DECEMBER</option>
            </select></td></tr><tr><td>
           <input type= "submit" value="submit" >
          </td></tr>
          </table>
           </form>
          </body>



          yeardb.jsp
       ********
        <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">

       <%@page import="com.mysql.jdbc.Driver"%>
       <%@ page import="java.sql.*" %>
       <%@ page import="java.io.*" %> 

      <html>
      <head>
     <title>display data from the table using jsp</title>
      </head>
       <body>
     <h1>welcome</h1>


     <%
     String s11=request.getParameter("t1");
     String s22=request.getParameter("t2");
     String s1="january";
     String s2="2011";
     out.print("i am String"+s11);
     out.print("i am String"+s22);
      out.print("outside try");
     try {
      out.print("inside try");
      String connectionURL = "jdbc:mysql://localhost:3306/horizontal";

      Connection connection = null;

      Statement statement = null;


      ResultSet rs = null;


      Class.forName("com.mysql.jdbc.Driver").newInstance();

      connection = DriverManager.getConnection(connectionURL, "root", "root");
      statement = connection.createStatement();
      out.print("before query");

    String QueryString = "SELECT reading,totalcost,paiddate,receiptnumber FROM userseven WHERE readingmonth = '"+s1+"' AND readingyear= '"+s2+"'";


      out.print("after query");

      rs = statement.executeQuery(QueryString);

%>

  <TABLE cellpadding="15" border="1" style="background-color: #ffffcc;">
  <%
   out.print("outside while");
   while (rs.next()) {
    out.print("inside while");
   %>
      <TR>

      <TD><%=rs.getString(1)%></TD>
      <TD><%=rs.getString(2)%></TD>
      <TD><%=rs.getString(3)%></TD>
      <TD><%=rs.getString(4)%></TD>

     </TR>
    <%   }    %>
    <%
// close all the connections.
    rs.close();
    statement.close();
   connection.close();
      }      catch (Exception ex) {
%>
</font>
<font size="+3" color="red"></b>
    <%
            out.println("Unable to connect to database.");
        }
    %>
    </TABLE><TABLE>
      <TR>

        <button type="submit"><-- back</button></TD>
       </TR>
     </TABLE>
    </font>
4

1 に答える 1

0

私はあなたのコードをもう少し深く調べました、あなたは設定しています:

String s22=request.getParameter("t2");

t2には月が含まれていますが、s2変数には年が含まれています。それらを交換すれば大丈夫です。

 String s11=request.getParameter("t1");  <- This is your year
 String s22=request.getParameter("t2");  <- This is your month
 ....
 String QueryString = "SELECT reading,totalcost,paiddate,receiptnumber FROM userseven WHERE readingmonth = '"+s22+"' AND readingyear= '"+s11+"'";

そうは言っても、パラメータ化されたクエリの使用を実際に検討する必要があります(これはSQLインジェクションに対して脆弱です)-代わりにPreparedStatementの使用を検討してください: 

String QueryString = "SELECT reading,totalcost,paiddate,receiptnumber FROM userseven WHERE readingmonth = ? AND readingyear= ?";
PreparedStatement ps = connection.prepareStatement(QueryString )
ps.setString(1, s22);
ps.setString(2, s11);
rs = ps.executeQuery();

幸運を。

于 2013-01-27T05:55:17.647 に答える