与Java中的String.Format()等效
[英]equivalent of String.Format() in Java
问题描述
I have this peace of code : 
我有这种和平的代码:
String query = "SELECT * FROM utilisateurs WHERE pseudo = '" + pseudo.getText()+ "' AND password = '" + new String(password.getPassword()) + "'";
My question is : isn't there any other method to concat these variables with the string ? 我的问题是:是否还有其他方法可以用字符串连接这些变量?
In C# I was using the method String.Format() method as : 在C#中,我将String.Format()方法用作:
String query = String.Format("SELECT * FROM utilisateurs WHERE pseudo = '{0}' AND password = '{1}'", pseudo.getText(), new String(password.getPassword()));
4 个解决方案
解决方案1
17 已采纳 2013-05-14 20:50:20
String.format() can be used to format Strings, Javadoc . String.format()可用于格式化Javadoc字符串。
public static String format(String format, Object... args)
Returns a formatted string using the specified format string and arguments.
However when it comes to building SQL query strings the preferred way is to use PreparedStatement ( Javadoc ) as it: 但是,在构建SQL查询字符串时,首选方法是使用PreparedStatement ( Javadoc ):
- protects you from SQL injection 保护您免受SQL注入
- allows the database to cache your query (build the query plan once) 允许数据库缓存您的查询(一次构建查询计划)
Your code using a PreparedStatement might look like below: 使用PreparedStatement代码可能如下所示:
final PreparedStatement pstmt = con.prepareStatement(
"SELECT * FROM utilisateurs WHERE pseudo = ? AND password = ?");
pstmt.setString(1, pseudo.getText());
pstmt.setString(2, new String(password.getPassword()));
final ResultSet rs = pstmt.executeQuery();
解决方案2
4 2013-05-14 20:54:02
As others have said, String.format is the direct equivalent, but you should use a PreparedStatement instead. 正如其他人所说, String.format是直接等效的,但是您应该改用PreparedStatement 。 From the documentation : 从文档中 :
In the following example of setting a parameter, con represents an active connection:
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?"); pstmt.setBigDecimal(1, 153833.00) pstmt.setInt(2, 110592)
Using a PreparedStatement instead of String.format will protect your code from SQL injection. 使用PreparedStatement而不是String.format将保护您的代码免于SQL注入。
解决方案3
1 2013-05-14 20:52:57
Java has similar method to format your strings. Java具有类似的格式化字符串的方法 。 String.format()
However, if you choose to use PreparedStatement , you can read the documentation here 但是,如果您选择使用PreparedStatement ,则可以在此处阅读文档。
From the documentation: 从文档中:
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, 153833.00)
pstmt.setInt(2, 110592)
解决方案4
0 2013-05-14 20:57:29
To answer your question directly, as others have mentioned as well, use String.Format, here is a good resource for that: How to use java.String.format in Scala? 正如其他人也提到的那样,要直接回答您的问题,请使用String.Format,这是一个很好的资源: 如何在Scala中使用java.String.format? . 。
However, in this particular example, the real answer is not to do string substitution, but to use arguments in the SQL statement. 但是,在此特定示例中,真正的答案不是执行字符串替换,而是在SQL语句中使用参数。
Something like: 就像是:
query =
String query = "SELECT * FROM utilisateurs WHERE pseudo = ? AND password = ?";
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, pseudo.getText());
ps.setString(2, password.getPassword());
ResultSet rs = ps.executeQuery();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.