1. 首頁
  2. 問答
  3. 這個SQL語法有什麼問題?

這個SQL語法有什麼問題?

2012-04-20 164 views
0

我想用java servlet構建註冊系統。並將數據插入到mySQL數據庫中。但是我得到一個語法錯誤。我剛剛讀完Wiley mySQL和Java開發人員指導書。這個SQL語法有什麼問題?

我對servlet編程還不太熟悉,所以如果有簡單的方法可以做,請告訴我。

package com.app.base; 

import java.io.IOException; 
import java.io.PrintWriter; 
import java.sql.Connection; 
import java.sql.DriverManager; 
import java.sql.ResultSet; 
import java.sql.Statement; 

import javax.servlet.RequestDispatcher; 
import javax.servlet.ServletException; 
import javax.servlet.http.HttpServlet; 
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletResponse; 

import com.app.pojo.*; 

public class RegisterServlet extends HttpServlet{ 

MySqlDB mysql; 

@Override 
public void init() throws ServletException { 
    // TODO Auto-generated method stub 
    mysql = new MySqlDB(); 

} 

@Override 
protected void doPost(HttpServletRequest req, HttpServletResponse resp) 
     throws ServletException, IOException { 

    PrintWriter out = null; 
    //Connection connection = null; 
    //Statement statement; 
    //ResultSet rs; 

    resp.setContentType("text/html"); 
    out = resp.getWriter(); 


    try{ 
     mysql.createConnection(); 
    }catch(Error e){ 
     out.write("Couldn't connect to mysql"); 
    } 
    String fname = req.getParameter("fname"); 
    String lname = req.getParameter("lname"); 
    String email = req.getParameter("email"); 
    String password = req.getParameter("password"); 
    String city = req.getParameter("city"); 
    String country = req.getParameter("country"); 

    if(fname == null){ 
     String destination = "signup.jsp?error=Complete All Fields"; 
     RequestDispatcher rd = getServletContext().getRequestDispatcher(destination); 
     rd.forward(req, resp); 
    }else if(lname == null){ 
     String destination = "signup.jsp?error=Complete All Fields"; 
     RequestDispatcher rd = getServletContext().getRequestDispatcher(destination); 
     rd.forward(req, resp); 
    }else if(email == null){ 
     String destination = "signup.jsp?error=Complete All Fields"; 
     RequestDispatcher rd = getServletContext().getRequestDispatcher(destination); 
     rd.forward(req, resp); 
    }else if(password == null){ 
     String destination = "signup.jsp?error=Complete All Fields"; 
     RequestDispatcher rd = getServletContext().getRequestDispatcher(destination); 
     rd.forward(req, resp); 
    }else if(city == null){ 
     String destination = "signup.jsp?error=Complete All Fields"; 
     RequestDispatcher rd = getServletContext().getRequestDispatcher(destination); 
     rd.forward(req, resp); 
    }else if(country == null){ 
     String destination = "signup.jsp?error=Complete All Fields"; 
     RequestDispatcher rd = getServletContext().getRequestDispatcher(destination); 
     rd.forward(req, resp); 
    }else{ 

     String sql = "INSERT INTO main.users(first_name, last_name, email, password, city, country, registered_time) VALUES(" 
       + fname +", "+ lname + ", "+ email +", " + password +", " + city +"," + country + ",Now());"; 
     int answer = mysql.insertSQL(sql); 
     if(answer == 1){ 
      resp.sendRedirect("index.jsp?registered=true"); 
      //String destination = "index.jsp?registered=true"; 
      //RequestDispatcher rd = getServletContext().getRequestDispatcher(destination); 
      //rd.forward(req, resp); 
     } 
    } 


} 

}

這是MySql類來連接。

package com.app.pojo; 

import java.sql.Connection; 
import java.sql.DriverManager; 
import java.sql.ResultSet; 
import java.sql.SQLException; 
import java.sql.Statement; 

public class MySqlDB{ 

private static String username = "root", password = "root"; 

public Connection createConnection(){ 
    Connection connection = null; 
    try{ 
     //Load the JDBC driver 
     Class.forName("com.mysql.jdbc.Driver"); 

     connection = DriverManager.getConnection("jdbc:mysql://localhost:3306,/main", username, password); 
     //Create a connection to the database 


    }catch(SQLException ex){ 
     System.out.println(ex); 
    }catch(ClassNotFoundException e){ 
     System.out.println(e); 
    } 

    return connection; 
} 

public void runSqlStatement(String sql){ 
    try{ 
     Statement statement = createConnection().createStatement(); 
     //statement executeQuery(Query) 
     boolean rs = statement.execute(sql); 
    }catch(SQLException ex){ 
     System.out.println(ex); 
    } 
} 

public ResultSet executeSQL(String sql){ 

    Statement statement = null; 
    ResultSet rs = null; 

    try{ 
     statement = createConnection().createStatement(); 
     rs = statement.executeQuery(sql); 

     /*while(rs.next()){ 
      System.out.println(rs.getString(1)); 
     }*/ 


    //   rs.close(); 
    //   statement.close(); 
    }catch (SQLException e) { 
     System.out.println(e); 
    } 

    return rs; 
} 

public int insertSQL(String sql){ 

    int rs; 

    try{ 
     Statement statement = createConnection().createStatement(); 
     rs = statement.executeUpdate(sql); 
     return rs; 

    }catch(SQLException ex){ 
     System.out.println(ex); 
     return 0; 
    } 


} 
}

這是tomcat的控制檯

INFO: Reloading Context with name [/Map] has started 
Apr 21, 2012 12:59:14 AM org.apache.catalina.loader.WebappClassLoader clearReferencesJdbc 
SEVERE: The web application [/Map] registered the JDBC driver [com.mysql.jdbc.Driver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered. 
Apr 21, 2012 12:59:17 AM org.apache.catalina.core.StandardContext reload 
INFO: Reloading Context with name [/Map] is completed 

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '********,Colombo,Sri Lanka,Now())' at line 1

來源

2012-04-20 Isuru

+5

我不是一個java傢伙,但是這看起來很容易被注入。 – 2012-04-20 19:53:02

+0

@JeremyHolovacs是對的。你應該使用'PreparedStatement'來代替。 – Ozzy 2012-04-20 19:54:00

回答

2

嘗試......

Connection con = mysql.createConnection(); 
String sql = "INSERT INTO main.users(first_name, last_name, email, password, city, 
country, registered_time) VALUES(?, ?, ?, ?, ?, ?, ?);"; 
PreparedStatement insertStatement = con.prepareStatement(sql); 
insertStatement.setString(1, first_name); 
insertStatement.setString(2, last_name); 
insertStatement.setString(3, email); 
insertStatement.setString(4, password); 
insertStatement.setString(5, city); 
insertStatement.setString(6, country); 
insertStatement.setString(7, new Date()); 
insertStatement.execute();

問候。

來源

2012-11-07 13:20:27

6

你需要逃出/報價,您有串在你VALUES部分。您的JDBC驅動程序將爲您執行此操作,例如using a PreparedStatement

請注意,如果您保留現有代碼或只是添加周圍的引號,則您確實存在SQL injection attack的危險。

來源

2012-04-20 19:53:25

0

試着把單引號放在你的變量中。

例:

VALUES('" + myString + "', '" + myOtherString + "')

來源

2012-04-20 19:53:31 PaulG

-1 
Colombo,Sri Lanka,Now())' at line 1

看起來像你缺少你周圍的字符串單引號。

來源

2012-04-20 19:53:38

0 
String sql = "INSERT INTO main.users(first_name, last_name, email, password, city, country, registered_time) VALUES('" 
       + fname +"', '"+ lname + "', '"+ email +"', '" + password +"',' " + city +"','" + country + "',Now())";

來源

2012-04-20 19:55:14 shashankaholic

+0

-1:仍然容易受到SQL注入的影響。不要這樣做 – 2012-04-20 21:19:10

+0

@MarkRotteveel雖然這是真的,但這個問題並沒有與SQL注入有任何關係。這確實回答了他爲什麼會得到例外的問題。 – 2012-04-20 21:22:29

+1

@JamesMontagne我認爲,在利用SQL注入之前教育人們比通過給出一個壞的和危險的答案來回答問題更重要。 – 2012-04-20 21:26:07

相關問題

 相關問題