
select value from sqlserver problem

Developer https://www.devze.com 2022-12-11 02:08 Source: web
I have written the code here. I have a problem selecting a value from SQL Server; I pass the value through nrno, which is obtained from another page.


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Untitled</title>
</head>
<body>
<%@ page import="java.sql.*" %>
<%@ page import="java.io.*" %>
<%
String AppURL = request.getContextPath() ;
String thisFile = AppURL+request.getServletPath() ;
int nrno = 0;
try
{
 nrno = Integer.parseInt(request.getParameter("rno"));
}
catch(NumberFormatException ex)
{ 
    nrno = 0;
}
%>
<td>This Is In RoolNo :- <%=nrno%> </td><br>
<%
Class.forName("net.sourceforge.jtds.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:jtds:sqlserver://localhost:1433/sample", "sa", "sa1234");
java.sql.Statement stmt = conn.createStatement();
java.sql.ResultSet rslt = stmt.executeQuery(" SELECT * FROM student where rno = nrno");
while(rslt.next())
     { 
         int id = rslt.getInt(1);
         int rno = rslt.getInt(4);
         String name = rslt.getString(2); 
         String city = rslt.getString(3);
         out.println(id +"<br>" +" " +name + " "+"<br>" + city +"<br>" + rno + "<br>"); 
     }
rslt.close();
stmt.close();
conn.close();
%>
</body>
</html>


java.sql.ResultSet rslt = stmt.executeQuery(" SELECT * FROM student where rno = nrno");

You might want to change that to

java.sql.ResultSet rslt = stmt.executeQuery (" SELECT * FROM student where rno =" + nrno);

because "nrno" is a variable.

Hope this helps you out...

cheers,

RDJ


the problem is here:

java.sql.ResultSet rslt = stmt.executeQuery(" SELECT * FROM student where rno = nrno");

this results in passing the string SELECT * FROM student where rno = nrno to SQL Server, which is not what you want.

You can change it as specified by Richie to

java.sql.ResultSet rslt = stmt.executeQuery (" SELECT * FROM student where rno =" + nrno);

Or, better, use a parametrised call, as the first approach may be prone to SQL injection:

// the SQL text is fixed; the value is bound separately and never parsed as SQL
PreparedStatement st = conn.prepareStatement(
        "SELECT * FROM student where rno = ?");
st.setInt(1, nrno);
java.sql.ResultSet rslt = st.executeQuery();

In your case you are parsing nrno to an int, so there is probably no issue with SQL injection, but it is safer to use the parametrised approach anyway (say the parameter type changes to a string in some future release).

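Added example, not code from the question or from either answer: it builds the question's `student` table (id, name, city, rno) in an in-memory database and runs the same lookup both ways, concatenated as in the first answer and bound with a PreparedStatement as in the second, to show what changes once the parameter is a string rather than a parsed int. Assumptions: the sqlite-jdbc driver jar is on the classpath (`jdbc:sqlite::memory:`; any JDBC driver would do, including the jTDS one from the question), and the rows and the hostile `city` value are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example, not part of the original post. Assumes the sqlite-jdbc
 * driver is on the classpath; the table and rows below are constructed
 * to mirror the question's student table.
 */
public class StudentLookup {

    /** Vulnerable: the request parameter is pasted into the SQL text. */
    static List<String> findByCityUnsafe(Connection conn, String city) throws SQLException {
        String sql = "SELECT name FROM student WHERE city = '" + city + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return collectNames(rs);
        }
    }

    /** Safe: the SQL text is fixed, the value is bound and can only ever be a city name. */
    static List<String> findByCitySafe(Connection conn, String city) throws SQLException {
        try (PreparedStatement st = conn.prepareStatement("SELECT name FROM student WHERE city = ?")) {
            st.setString(1, city);
            try (ResultSet rs = st.executeQuery()) {
                return collectNames(rs);
            }
        }
    }

    /** The question's integer lookup, done with a bound parameter. */
    static List<String> findByRno(Connection conn, int nrno) throws SQLException {
        try (PreparedStatement st = conn.prepareStatement("SELECT name FROM student WHERE rno = ?")) {
            st.setInt(1, nrno);
            try (ResultSet rs = st.executeQuery()) {
                return collectNames(rs);
            }
        }
    }

    private static List<String> collectNames(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("name"));
        }
        return names;
    }

    /** Constructed sample data, shaped like the question's table. */
    private static void seed(Connection conn) throws SQLException {
        try (Statement stmt = conn.createStatement()) {
            stmt.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT, city TEXT, rno INTEGER)");
            stmt.execute("INSERT INTO student VALUES (1, 'Asha', 'Pune', 101)");
            stmt.execute("INSERT INTO student VALUES (2, 'Ravi', 'Mumbai', 102)");
            stmt.execute("INSERT INTO student VALUES (3, 'Meera', 'Pune', 103)");
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            seed(conn);
            String honest = "Pune";
            // A tampered ?city= value: the quote closes the literal and OR '1'='1'
            // matches every row when the string is concatenated into the query.
            String hostile = "x' OR '1'='1";

            System.out.println("unsafe, honest input : " + findByCityUnsafe(conn, honest));
            System.out.println("unsafe, hostile input: " + findByCityUnsafe(conn, hostile));
            // With a bound parameter the same input is just a city name that matches nothing.
            System.out.println("safe,   honest input : " + findByCitySafe(conn, honest));
            System.out.println("safe,   hostile input: " + findByCitySafe(conn, hostile));
            System.out.println("by rno 102           : " + findByRno(conn, 102));
        }
    }
}
```

Compile and run with the driver on the classpath, e.g. `javac StudentLookup.java && java -cp .:sqlite-jdbc.jar StudentLookup` (jar name assumed). The unsafe lookup returns all three names for the hostile input, the bound version returns none, which is exactly the "parameter type changes to string" case the second answer warns about; the int lookup shows the same binding applied to the question's own query.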
