带有变量的Java JDBC Query?
String poster = "user"; Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery("SELECT * FROM `prices` WHERE `poster`="+poster);
这不起作用。任何提示或技巧将不胜感激。
您需要准备好的声明,请查看本教程。
尝试用单引号包围poster
变量,如下所示:
ResultSet rs = stmt.executeQuery("SELECT * FROM `prices` WHERE `poster`='"+poster+"'");
那是因为SQL期望字符串被单引号括起来。 更好的选择是使用准备好的陈述:
PreparedStatement stmt = con.prepareStatement("SELECT * FROM `prices` WHERE `poster` = ?"); stmt.setString(1, poster); ResultSet rs = stmt.executeQuery();
建议使用PreparedStatement
因为您当前构建查询的方式(通过连接字符串)使攻击者可以轻松地在查询中注入任意SQL代码,这是一种称为SQL注入的安全威胁。
1)通常,要“参数化”您的查询(或更新),您将使用JDBC“预处理语句”:
2)但是,在您的情况下,我认为您需要做的就是添加引号(并丢失后引号):
// This is fine: no back-quotes needed ResultSet rs = stmt.executeQuery("SELECT * FROM prices"); // Since the value for "poster" is a string, you need to quote it: String poster = "user"; Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery("SELECT * FROM prices WHERE poster='" + poster + "'");
Statement接口只允许您执行不带参数的简单SQL语句。 您需要使用PreparedStatement。
PreparedStatement pstmt = con.prepareStatement(" select * from prices where poster = ?"); pstmt.setString(1, poster); ResultSet results = ps.executeQuery();