在开发在线预订系统时,遇到用户通过JSP页面取消预订但无法从数据库删除数据的问题。在myreservations.jsp中,展示了获取用户预订信息的代码。而在cancel.jsp中,尝试根据用户输入的活动ID、用户名和购买信息删除对应记录,但存在SQL注入风险。目前代码执行删除操作失败,需要修复。
我正在写一个在线预订系统。我的代码有问题,用户可以通过jsp页面上的取消按钮取消他们的预订。但我的代码不起作用。它不能从数据库中删除数据。我怎样才能做到这一点? 
用jsp从数据库中删除数据页面
myreservations.jsp
Book Ticket| ActivityID | Username | Ticket | Cancel |
|---|
Class.forName("org.apache.derby.jdbc.ClientDriver").newInstance();
Connection con = DriverManager.getConnection("jdbc:derby://localhost:1527/users", "users", "123");
String username = (String) request.getSession().getAttribute("username");
Statement st = con.createStatement();
ResultSet rs;
rs = st.executeQuery("select * from reservation where username='" + username + "'");
while (rs.next()) {
String activityid = rs.getString("id");
username = rs.getString("username");
String buy = rs.getString("buy");
out.println("
");out.println("
" + activityid + "");out.println("
" + username + "");out.println("
" + buy + "");out.println("
");out.println("
");}
st.close();
%>
cancel.jsp
String AcivityID = request.getParameter("ActivityID");
String Username = request.getParameter("Username");
String Ticket = request.getParameter("Ticket");
Class.forName("org.apache.derby.jdbc.ClientDriver").newInstance();
Connection con = DriverManager.getConnection("jdbc:derby://localhost:1527/users", "users", "123");
String sorgu = "delete from reservation where id='" + request.getParameter(AcivityID) + "'AND username='" + request.getParameter(Username) + "'AND buy='" + request.getParameter(Ticket) + "'";
java.sql.Statement st = con.createStatement();
int rowNum = st.executeUpdate(sorgu);
response.sendRedirect("cancelled.jsp");
st.close();
%>
2016-12-30
tripley
+0
jsp内部的java代码只是可怕的想法。 –
+0
加上sql注入漏洞吧 –
+0
刚学jsp –
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
