Miltos Taramanidis

Reputation: 23

Cannot delete a record in JDBC

Hello, I am trying to create some pages for a school project. The whole topic is about creating, deleting, searching and updating destinations for vacation. I have a problem deleting a record. I have created an HTML page with a form in order to receive the name of the destination that you want to delete. Next is the code of the Java page I have created. Do you see anything wrong? Because whatever I try, the record won't be deleted. Thanks

HTML page:

<html>
    <head>
        <title>Delete</title>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
    </head>
    <body>
        <h1 align="center">Insert the destination you want to delete</h1>

        <form action="delete.jsp" method="post">
            <input type="text" name="delete">
            <BR>
            <INPUT TYPE="SUBMIT" value="Delete!">
        </form>
    </body>
</html>

Java page:

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<%@page import="java.sql.*" %>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>Delete</title>
    </head>
    <body>
        <%
            String name = request.getParameter("name");
            Class.forName("com.mysql.jdbc.Driver");
            java.sql.Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/vac",
                "user", "pass");

            Statement myStatement = con.createStatement();
            String SQLstring = "DELETE FROM dest WHERE name= '" + name + "'";
            myStatement.executeUpdate(SQLstring);
            myStatement.close();
            con.close();
            out.println("Destination deleted!");
        %>
    </body>
</html>

Upvotes: 0

Views: 1072

Answers (2)

Barranka

Reputation: 21047

As noted in Antonio Martínez's answer, the parameter name was incorrect (it's not name but delete). I feel I must post this answer to point out the SQL injection risk your code shows.

You should never build a query the way you're doing (taking outside parameters to build the statement), because it can allow the injection of rogue code. You should always use prepared statements to deal with users' input:

// The form field is called "delete", so that is the parameter to read.
String delete = request.getParameter("delete");

String sqlString = "delete from dest where name=?";
/* The question-mark is a place holder for the parameter.
   Notice that you don't need to enclose it in quotes,
   the prepared statement will take care about that. */
PreparedStatement ps = con.prepareStatement(sqlString);
/* Notice that nothing is executed here: you're only preparing the
   statement using the SQL string (which includes the place-holder(s)
   for the parameter(s)). */
ps.setString(1, delete);
/* Here you assign the parameter(s) value(s) to the prepared statement.
   The parameters are numbered starting from one, and ordered
   the way they appear in your SQL string.
   The setXXX() methods of the prepared statement allow you to
   pass the correct value to the query. Strings, in this case, are
   properly handled, so any rogue code the user might try to inject will
   not pass as "executable code", but simply as a string. */
ps.execute();
ps.close();

Again, I advise you to read here to learn about SQL injection attacks: what they are, what risk they pose and how to prevent them.

Upvotes: 0
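Both fixes raised in the answers (reading the `delete` field the form actually sends, and binding the value instead of concatenating it), as an added example that is not from the question or either answer. It uses Python's sqlite3 module, whose `?` placeholders work like JDBC's PreparedStatement, against an in-memory stand-in for the `dest` table filled with constructed names; the `handle_delete_request` handler and the `form` dictionary are assumptions standing in for the JSP's `request`.

```python
import sqlite3

# Constructed sample rows standing in for the question's `dest` table.
DESTINATIONS = ["Athens", "O'Hare", "Santorini"]


def make_db():
    """In-memory stand-in for the `vac` database with its `dest` table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE dest (name TEXT)")
    con.executemany("INSERT INTO dest (name) VALUES (?)", [(d,) for d in DESTINATIONS])
    con.commit()
    return con


def delete_concatenated(con, name):
    """Mirrors the question's JSP: the value is pasted into the SQL text, so any
    quote in the input becomes part of the statement's syntax. Returns the number
    of rows deleted, or None when the input broke the statement."""
    sql = "DELETE FROM dest WHERE name = '" + name + "'"
    try:
        cur = con.execute(sql)
    except sqlite3.Error:
        con.rollback()
        return None
    con.commit()
    return cur.rowcount


def delete_prepared(con, name):
    """Mirrors Barranka's answer: `?` is a placeholder bound by the driver, so the
    input is always treated as data and never as SQL, whatever it contains."""
    cur = con.execute("DELETE FROM dest WHERE name = ?", (name,))
    con.commit()
    return cur.rowcount


def remaining(con):
    """Names still present, for checking what a delete actually did."""
    return [row[0] for row in con.execute("SELECT name FROM dest ORDER BY name")]


def handle_delete_request(con, form):
    """Servlet-style handler (hypothetical): read the field the form sends,
    `delete`, as Antonio Martínez pointed out, then run the bound delete.
    Returns the message shown to the user and the rows affected."""
    name = form.get("delete")
    if not name:
        return "No destination given", 0
    affected = delete_prepared(con, name)
    return ("Destination deleted!" if affected else "No such destination"), affected
```

A destination containing a plain apostrophe is enough to break the concatenated statement; the same unescaped quote is what makes that version injectable, while the bound parameter deletes exactly the named row.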

Antonio Martínez

Reputation: 51

I think the parameter name is "delete", not "name", according to the form input name.

Regards.

Upvotes: 3
