用jsp从数据库中删除数据页面
问题描述:
我正在写一个在线预订系统。我的代码有问题,用户可以通过jsp页面上的取消按钮取消他们的预订。但我的代码不起作用。它不能从数据库中删除数据。我怎样才能做到这一点? 用jsp从数据库中删除数据页面
myreservations.jsp
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@ page import ="java.sql.*" %>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Book Ticket</title>
</head>
<body background="http://www.teamarking.com/barcode/bar_background.jpg">
<form method="post" action="reservations.jsp">
<center>
<table border="1" width="30%" height="30%">
<tr>
<th><font color='#D18603'>ActivityID</font></th>
<th><font color='#D18603'>Username</font></th>
<th><font color='#D18603'>Ticket</font></th>
<th><font color='#D18603'>Cancel</font></th>
</tr>
<%
Class.forName("org.apache.derby.jdbc.ClientDriver").newInstance();
Connection con = DriverManager.getConnection("jdbc:derby://localhost:1527/users", "users", "123");
String username = (String) request.getSession().getAttribute("username");
Statement st = con.createStatement();
ResultSet rs;
rs = st.executeQuery("select * from reservation where username='" + username + "'");
while (rs.next()) {
String activityid = rs.getString("id");
username = rs.getString("username");
String buy = rs.getString("buy");
out.println("<tr>");
out.println("<td>" + activityid + "</td>");
out.println("<td>" + username + "</td>");
out.println("<td>" + buy + "</td>");
out.println("<td><b><form action='cancel.jsp'><input type='submit' name='cancel' value='Cancel Reservation'></form></b>");
out.println("</tr>");
}
st.close();
%>
</center>
</table>
<br><a href='success.jsp'>Back</a>
<br><br><a href='logout.jsp'>Log out</a>
</form>
</body>
</html>
cancel.jsp
<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@ page import ="java.sql.*" %>
<%
String AcivityID = request.getParameter("ActivityID");
String Username = request.getParameter("Username");
String Ticket = request.getParameter("Ticket");
Class.forName("org.apache.derby.jdbc.ClientDriver").newInstance();
Connection con = DriverManager.getConnection("jdbc:derby://localhost:1527/users", "users", "123");
String sorgu = "delete from reservation where id='" + request.getParameter(AcivityID) + "'AND username='" + request.getParameter(Username) + "'AND buy='" + request.getParameter(Ticket) + "'";
java.sql.Statement st = con.createStatement();
int rowNum = st.executeUpdate(sorgu);
response.sendRedirect("cancelled.jsp");
st.close();
%>
答
你需要隐藏的输入字段添加到每个取消的形式来传递其ActivityID被取消的信息。
目前的形式如下:
<form action='cancel.jsp'>
<input type='submit' name='cancel' value='Cancel Reservation'>
</form>
与添加的隐藏字段,它看起来像:
<form action='cancel.jsp'>
<input type='submit' name='cancel' value='Cancel Reservation'>
<input type="hidden" name="activityID" value="25">
</form>
除非你传递给cancel.jsp这些额外的资料片,有不知道许多取消按钮中的哪一个被按下。对用户来说,可能会清楚哪些活动将被取消,但是cancel.jsp位于表单的接收端,并且不知道按钮所在表的哪一列。
如果您希望在SQL语句中拥有用户名,activityID和Ticket,则需要使用隐藏字段传递所有三个值。
jsp内部的java代码只是可怕的想法。 – GurV
加上sql注入漏洞吧 – GurV
刚学jsp – tripley