JSP + SQL(使用赞)
JSP + SQL (Using Like)
JSP 文件:
<form action="PatientsController?cmd=search" method="post">
<input type="text" name="search" placeholder="Search here.."
class="form-control text-box single-line">
<select name="select">
<option value="id">Id</option>
<option value="name">Name</option>
<option value="address">Address</option>
<option value="cpf">Cpf</option>
<option value="phone">Phone</option>
<option value="birthDate">Birth Date</option>
<option value="gender">Gender</option>
</select>
</form>
Servlet:
List<Patient> list = new PatientDao().indexFilter(
request.getParameter("select"),
request.getParameter("search"));
request.setAttribute("new", list);
request.getRequestDispatcher("Index.jsp")
.forward(request, response);
PatientDAO:
public List<Patient> indexFilter(String attribute, String condition)
throws Exception {
open();
ps = con.prepareStatement("SELECT * FROM patients WHERE ? like ? ORDER BY id");
ps.setString(1, attribute);
ps.setString(2, "%" + condition + "%");
rs = ps.executeQuery();
List<Patient> list = new ArrayList<Patient>();
while (rs.next())
list.add(newPatientSetted());
ps.close();
close();
return list;
}
private Patient newPatientSetted() throws Exception {
return new Patient(rs.getInt(1), rs.getString(2), rs.getString(3),
rs.getString(4), rs.getString(5), rs.getDate(6), rs
.getString(7).equals("M") ? Gender.M : Gender.F);
}
所以,我有一个问题,我不知道但是查询没有返回任何内容(我在 DAO 中调试并且它没有加入 while 循环 - 换句话说,结果集没有 next() ), 我究竟做错了什么?如果我删除“?”在 "Where" 并手动添加属性后,LIKE 运算符起作用。
SQL参数只允许出现在有意义的地方'value'。被拒绝代替 table 或列。
"SELECT * FROM patients WHERE ? like ? ORDER BY id" -- bad, field 'substitution' is not alowed
"SELECT * FROM ? WHERE id like ? ORDER BY id" -- bad, column is not alowed
"SELECT * FROM patients WHERE Name like ? ORDER BY id" -- OK,
背景。让我们想象一下 sql 服务器准备查询以达到更高的速度。无法对未知列或字段进行优化。它唯一的图像可以更好地理解。
严格:被标准拒绝。
编辑:扩展答案,如何实现你的目标:
String qry = "SELECT * FROM patients WHERE "+attribute +" like ? ORDER BY id";
ps = con.prepareStatement(qry);
ps.setString(1, "%" + condition + "%");
rs = ps.executeQuery();
当你准备一个语句时,数据库会构建一个执行计划,如果 table 或列不存在,它就无法执行。换句话说,placehodlers 只能用于 values 而不能用于对象名称或保留字。在这种情况下,您必须依靠 Java 来构造您的字符串
String sql = "SELECT * FROM patients WHERE "+attribute+" like ? ORDER BY id ";
ps = con.prepareStatement(sql);
ps.setString(1, "%" + condition + "%");
rs = ps.executeQuery();
JSP 文件:
<form action="PatientsController?cmd=search" method="post">
<input type="text" name="search" placeholder="Search here.."
class="form-control text-box single-line">
<select name="select">
<option value="id">Id</option>
<option value="name">Name</option>
<option value="address">Address</option>
<option value="cpf">Cpf</option>
<option value="phone">Phone</option>
<option value="birthDate">Birth Date</option>
<option value="gender">Gender</option>
</select>
</form>
Servlet:
List<Patient> list = new PatientDao().indexFilter(
request.getParameter("select"),
request.getParameter("search"));
request.setAttribute("new", list);
request.getRequestDispatcher("Index.jsp")
.forward(request, response);
PatientDAO:
public List<Patient> indexFilter(String attribute, String condition)
throws Exception {
open();
ps = con.prepareStatement("SELECT * FROM patients WHERE ? like ? ORDER BY id");
ps.setString(1, attribute);
ps.setString(2, "%" + condition + "%");
rs = ps.executeQuery();
List<Patient> list = new ArrayList<Patient>();
while (rs.next())
list.add(newPatientSetted());
ps.close();
close();
return list;
}
private Patient newPatientSetted() throws Exception {
return new Patient(rs.getInt(1), rs.getString(2), rs.getString(3),
rs.getString(4), rs.getString(5), rs.getDate(6), rs
.getString(7).equals("M") ? Gender.M : Gender.F);
}
所以,我有一个问题,我不知道但是查询没有返回任何内容(我在 DAO 中调试并且它没有加入 while 循环 - 换句话说,结果集没有 next() ), 我究竟做错了什么?如果我删除“?”在 "Where" 并手动添加属性后,LIKE 运算符起作用。
SQL参数只允许出现在有意义的地方'value'。被拒绝代替 table 或列。
"SELECT * FROM patients WHERE ? like ? ORDER BY id" -- bad, field 'substitution' is not alowed
"SELECT * FROM ? WHERE id like ? ORDER BY id" -- bad, column is not alowed
"SELECT * FROM patients WHERE Name like ? ORDER BY id" -- OK,
背景。让我们想象一下 sql 服务器准备查询以达到更高的速度。无法对未知列或字段进行优化。它唯一的图像可以更好地理解。
严格:被标准拒绝。
编辑:扩展答案,如何实现你的目标:
String qry = "SELECT * FROM patients WHERE "+attribute +" like ? ORDER BY id";
ps = con.prepareStatement(qry);
ps.setString(1, "%" + condition + "%");
rs = ps.executeQuery();
当你准备一个语句时,数据库会构建一个执行计划,如果 table 或列不存在,它就无法执行。换句话说,placehodlers 只能用于 values 而不能用于对象名称或保留字。在这种情况下,您必须依靠 Java 来构造您的字符串
String sql = "SELECT * FROM patients WHERE "+attribute+" like ? ORDER BY id ";
ps = con.prepareStatement(sql);
ps.setString(1, "%" + condition + "%");
rs = ps.executeQuery();