getString from ResultSet with spaces

Question
I'm managing a JDBC database with Servlets/JSPs and one of the attributes I have in a table is a string which may or may not have spaces in between words. I have one JSP to display all the information and another one to edit it; on both I perform getString on a ResultSet, and when I'm just displaying it, it works fine, but on the edit JSP it only "grabs" the first word before the space and the rest of the string disappears. Here's part of the code:
PerfilUsuarioConectado.jsp (the one I use to display the data)
<%
Connection conexion = DriverManager.getConnection("jdbc:odbc:gasteizcar", "", "");
Statement set = conexion.createStatement();
ResultSet rs = set.executeQuery("SELECT * FROM Usuario WHERE correoElectronico ='" + session.getAttribute("username") + "'");
rs.next();
%>
<div id="principal">
<table border="1" align="center">
<tr>
<td> Nombre: </td>
<td> <%= rs.getString("nombre")%>
</tr>
<tr>
<td> Apellidos: </td>
<td> <%= rs.getString("apellidos")%>
</tr>
<tr>
<td> E-mail: </td>
<td> <%= rs.getString("correoElectronico")%>
</tr>
<tr>
<td> Alias: </td>
<td> <%= rs.getString("alias")%>
</tr>
<tr>
<td> Nº móvil: </td>
<td> <%= rs.getString("movil")%>
</tr>
<tr>
<td> Coche: </td>
<td> <%= rs.getString("marca") + " " + rs.getString("modelo") + " " + rs.getString("color")%>
</tr>
</table>
</div>
ModificarDatos.jsp (the one to edit the data)
<%
Connection conexion = DriverManager.getConnection("jdbc:odbc:gasteizcar", "", "");
Statement set = conexion.createStatement();
ResultSet rs = set.executeQuery("SELECT * FROM Usuario WHERE correoElectronico ='"
+ session.getAttribute("username") + "'");
int i = 0;
rs.next();
String marca = rs.getString("marca");
String modelo = rs.getString("modelo");
String color = rs.getString("color");
String movil = rs.getString("movil");
%>
<div id="principal">
<form id="datos" action="ModificarDatos" method="post">
<table border="1" align="center">
<tr>
<td> * Verificar con contraseña: </td>
<td> <input pattern="[a-zA-Z0-9 ]{3,12}" type="password" id="password" name="password" required></td>
</tr>
<tr>
<td> ** Nueva contraseña: </td>
<td> <input pattern="[a-zA-Z0-9 ]{3,12}" type="password" id="nuevaContrasenia" name="nuevaContrasenia"> </td>
</tr>
<tr>
<td> ** Repita la contraseña: </td>
<td> <input pattern="[a-zA-Z0-9 ]{3,12}" type="password" id="repContrasenia" name="repContrasenia"> </td>
</tr>
<tr>
<td> * Nº de móvil: </td>
<td> <input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value=<%= movil%>> </td>
</tr>
<tr>
<td> *** Marca del coche: </td>
<td> <input type="text" name="marca" id="marca" value=<%= marca%>> </td>
</tr>
<tr>
<td> *** Modelo del coche: </td>
<td> <input type="text" name="modelo" id="modelo" value=<%= modelo%>> </td>
</tr>
<tr>
<td> *** Color: </td>
<td> <input type="text" name="color" id="color" value=<%= color%>> </td>
</tr>
</table>
</div>
<input type="button" id="bActualizar" value="Actualizar datos">
So, if anyone can tell me why the getString method performs differently in the two situations, I'd be really grateful.
Answer

The error is in lines like this one:
<input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value=<%= movil%>>
If your variable movil contains abc def, say, then the HTML generated will be this:
<input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value=abc def>
This then sets the value of the input to abc and creates another attribute def, which isn't recognised and will be ignored. In fact, the Markdown syntax highlighting on Stack Overflow points this out: abc is blue, for a value, and def is red, for an attribute name.
At the very least, you need to put quotes around the <%= movil %>:
<input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value="<%= movil%>">
If movil contains abc def, this time the output will be
<input pattern="[0-9]{9}" type="text" name="movil" id="movil" required value="abc def">
Now you can see that the value has been written correctly.
Aside from this, there are a further couple of comments I'd like to make:
Firstly, your code is vulnerable to SQL injection. If your username session variable ends up as something like test' OR 1=1 --, all results from the database will be returned. Worse still, if it is something like test'; DROP TABLE Usuario;--, you could lose data. Use PreparedStatements instead.
Secondly, as pointed out by Aniket in a comment, you really shouldn't be using scriptlets <% ... %> in JSPs any more. Instead, you should be using JSTL tags and EL expressions. The question linked to by Aniket is a good place to start.
I appreciate this may be your first JSP application. Once you've got it working, however, I'd recommend that you consider making these changes.
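The following is an added example, not code from the question or the answer, that puts the answer's two points together in plain Java: the lookup of the Usuario row is done with a PreparedStatement so the username is bound as a parameter rather than concatenated into the SQL, and the value written into the input's value attribute is both quoted and HTML-escaped, which is the step the answer's "at the very least" points to (a value containing a double quote would otherwise close the attribute early, just as a space did without quotes). The table and column names come from the question; the class name ProfileForm, the helper names attr, movilInput and loadCar, and the sample values in main are assumptions made for the example. The main method needs no database; loadCar needs a live Connection.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical class name; everything here is example code, not the question's JSPs.
public class ProfileForm {

    // Escape a string for use inside a double-quoted HTML attribute value.
    // Quotes alone (value="<%= movil %>") are not enough once the data itself
    // can contain a double quote, an ampersand or an angle bracket.
    static String attr(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same input element as in ModificarDatos.jsp, with the value quoted and escaped.
    static String movilInput(String movil) {
        return "<input pattern=\"[0-9]{9}\" type=\"text\" name=\"movil\" id=\"movil\" required value=\""
                + attr(movil) + "\">";
    }

    // Load the car and phone columns for one user with a parameterised query.
    // The username is bound with setString, so a value such as
    // test' OR 1=1 -- is compared literally against correoElectronico
    // instead of being interpreted as SQL.
    static String[] loadCar(Connection conexion, String username) throws SQLException {
        String sql = "SELECT marca, modelo, color, movil FROM Usuario WHERE correoElectronico = ?";
        try (PreparedStatement ps = conexion.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null; // no such user
                }
                return new String[] {
                    rs.getString("marca"),
                    rs.getString("modelo"),
                    rs.getString("color"),
                    rs.getString("movil")
                };
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; no database connection is needed for this part.
        System.out.println(movilInput("abc def"));         // value="abc def" survives the space
        System.out.println(movilInput("Seat \"Leon\" 2010")); // the inner quotes become &quot;
        System.out.println(movilInput(null));              // null renders as an empty value
    }
}
```

In a JSP the same escaping is what <c:out> or the fn:escapeXml EL function does for you, which is one more reason to follow the answer's advice about JSTL and EL instead of scriptlets.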