0
을 작동하지 않습니다 얻을 나의 JSP 페이지나는 음악의 응용 프로그램에 대한 설정을 JSP와 자바 콩을 store.but 사용하고 방법은 여기
<%@ page import="java.sql.Connection"%>
<%@ page import="java.sql.DriverManager"%>
<%@ page import="java.util.ArrayList"%>
<%@ page import="java.sql.ResultSet"%>
<%@ page import="Mybean.Bean"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Music Store</title>
</head>
<jsp:useBean id="bn" scope="page" class="Mybean.Bean" type="Bean"/>
<jsp:setProperty name="bn" property="searchbox" />
<body style="text-align:center" bgcolor="teal">
<h1>Welcome to Music Store</h1>
<hr align="center" size="3" style="background-color:silver" width="80%">
<br>
<form action="index.jsp" method="post">
<A HREF="Albums.jsp">All Albums</A>
<font face="Verdana" size="3" style="font-weight:bold">Search</font>
<select id="ddList" name="ddList">
<option id="op1" value="Album">Album</option>
<option id="op2" value="Song">Song</option>
<option id="op3" value="Artist">Artist</option>
</select>
<input type="text" name="searchBox" size="50" value="">
<input type="submit" value="Go"><br><br>
</form>
<div name="asshole"></div>
<div align="center" style="background-color:teal;">
<h3>Search Result</h3>
<table style="border:blue;" bgcolor="silver" border="3" cellpadding="0" cellspacing="0">
<%
if(request.getMethod().equalsIgnoreCase("post")){
//out.println("yeah am here");
try {
Connection cn = null;
Class.forName("com.mysql.jdbc.Driver");
String serverName = "localhost";
String mydatabase = "musicstore";
String url = "jdbc:mysql://" + serverName + "/" + mydatabase; // a JDBC url
String username = "root";
String password = "root";
String albumnme="",songnme="",artistnme="";
String searchType = request.getParameter("ddList");
//out.println("search type: "+searchType);
cn = DriverManager.getConnection(url, username, password);
try {
java.sql.Statement stmt = cn.createStatement();
java.sql.Statement stmt1 = cn.createStatement();
java.sql.Statement stmt2 = cn.createStatement();
ResultSet rs = null;
if(searchType.equals("Album")){
%>
<tr bgcolor="#662835"><td width="150">Song</td><td width="150">Artist</td></tr>
<%
rs = stmt.executeQuery("SELECT songsinfo.songtitle,artistinfo.artistName FROM albuminfo,songsinfo,artistinfo where albuminfo.albumtitle = '"+bn.getSearchbox()+"' AND songsinfo.albumID = albuminfo.albumID AND songsinfo.songid = artistinfo.songID");
while (rs.next()) {
if(!rs.getString(1).equalsIgnoreCase(songnme)){
%>
<tr>
<td><%out.println(rs.getString(1));%></td>
<td><%out.println(rs.getString(2));%>
<%
}
else if(!rs.getString(2).equalsIgnoreCase(artistnme)){
%>
,<%out.println(rs.getString(2));%>
<%
}
else{
%>
</td>
</tr>
<%
}
songnme = rs.getString(1);
artistnme = rs.getString(2);
}
}
else if(searchType.equals("Song")){//out.println("hey2");
%>
<tr bgcolor="#662835"><%--<td width="150">Song</td>--%><td width="150">Album</td><td width="150">Artist</td></tr>
<jsp:getProperty name="bn" property="searchbox" />
<%
rs = stmt.executeQuery("SELECT songsinfo.songid,artistinfo.artistName,albuminfo.albumtitle FROM songsinfo,artistinfo,albuminfo WHERE songsinfo.songtitle ='"+bn.getSearchbox()+"' AND songsinfo.songid =artistinfo.songId AND songsinfo.albumid = albuminfo.albumID;");
while (rs.next()) {
//artistnme = artistnme + rs.getString(2) + ",";
//albmnme = rs.getString(3);
if(!rs.getString(3).equalsIgnoreCase(albumnme)){
%>
<tr>
<%--<td><%out.println(rs.getString(1));%></td>--%>
<td><%out.println(rs.getString(3));%></td>
<td><%out.println(rs.getString(2));%>
<%
}
else if(!rs.getString(2).equalsIgnoreCase(artistnme)){
%>
,<%out.println(rs.getString(2));%>
<%
}
else{
%>
</td>
</tr>
<%
}
albumnme = rs.getString(3);
artistnme = rs.getString(2);
}
//out.println("album name ="+albmnme);
//out.println("song name ="+searchText);
//out.println("artist name ="+artistnme);
}
else if(searchType.equals("Artist")){//out.println("hey3");
%>
<tr bgcolor="#662835"><td width="150">Album</td><td width="150">Song</td></tr>
<%
rs = stmt.executeQuery("SELECT albuminfo.albumtitle,songsinfo.songtitle,artistinfo.artistName FROM albuminfo,songsinfo,artistinfo where artistinfo.artistName ='"+bn.getSearchbox()+"' AND songsinfo.songid = artistinfo.songId AND albuminfo.albumid = artistinfo.albumID");
while (rs.next()) {
//albmnme = rs.getString(1);
//songnme = songnme + rs.getString(2) +",";
//artistnme = artistnme + rs.getString(3) + ",";
if(!rs.getString(1).equalsIgnoreCase(albumnme)){
%>
<tr>
<td><%out.println(rs.getString(1));%></td>
<td><%out.println(rs.getString(2));%><%
}
else if(!rs.getString(2).equalsIgnoreCase(songnme)){
%>
<%out.println(rs.getString(2));%>
<%
}
else{
%>
</td>
</tr>
<%
}
albumnme = rs.getString(1);
songnme = rs.getString(2);
}
//out.println("album name ="+searchText);
//out.println("song name ="+songnme);
//out.println("artist name ="+artistnme);
}
//ResultSet rs = stmt.executeQuery("SELECT * FROM albuminfo where albumtitle='"+searchText+"'");
stmt.close();
} catch (Exception e) {
System.out.println("sorry no data found");
}
} catch (Exception e) {
out.println(e);
}
}
%>
</table>
</div>
</body>
</html>
을 heres 내 빈 클래스입니다
package Mybean;
public class Bean
{
private String searchbox;
public String getSearchbox() {
return searchbox;
}
public void setSearchbox(String searchbox) {
System.out.println("inside set");
this.searchbox = searchbox;
}
}
"SQL 삽입"및 "교차 사이트 스크립팅"과 같은 주제로 자신을 교육하십시오. 공개적으로 액세스 할 수있는 웹 응용 프로그램을 만들 때 그만한 가치가 있습니다. –
Roland Illing의 의미는 요청 문자열을 직접 작성하는 대신 PreparedStatment를 사용해야한다는 것입니다. –
코드는 실제로 끔찍하지만 음악 상점은 일반적인 숙제/자기 관리 응용 프로그램입니다. 이러한 보안 교훈과 적절한 리소스 처리 (이 코드는 몇 시간을 집중적으로 실행 한 후에 충돌합니다.) 및 깨끗한 코드 분리 (컨트롤러, 도메인 및 DAO 클래스가 없음)는 나중에 (잘하면) 교육 또는 책. @Xavier :'PreparedStatement'는 XSS 공격이 아닌 SQL 주입 공격 만 방지합니다. – BalusC