[英]equivalent of String.Format() in Java
I have this peace of code : 我有这种和平的代码:
String query = "SELECT * FROM utilisateurs WHERE pseudo = '" + pseudo.getText()+ "' AND password = '" + new String(password.getPassword()) + "'";
My question is : isn't there any other method to concat these variables with the string ? 我的问题是:是否还有其他方法可以用字符串连接这些变量?
In C# I was using the method String.Format() method as : 在C#中,我将String.Format()方法用作:
String query = String.Format("SELECT * FROM utilisateurs WHERE pseudo = '{0}' AND password = '{1}'", pseudo.getText(), new String(password.getPassword()));
String.format()
can be used to format Strings, Javadoc . String.format()
可用于格式化Javadoc字符串。
public static String format(String format, Object... args)
Returns a formatted string using the specified format string and arguments.
使用指定的格式字符串和参数返回格式化的字符串。
However when it comes to building SQL query strings the preferred way is to use PreparedStatement
( Javadoc ) as it: 但是,在构建SQL查询字符串时,首选方法是使用
PreparedStatement
( Javadoc ):
Your code using a PreparedStatement
might look like below: 使用
PreparedStatement
代码可能如下所示:
final PreparedStatement pstmt = con.prepareStatement(
"SELECT * FROM utilisateurs WHERE pseudo = ? AND password = ?");
pstmt.setString(1, pseudo.getText());
pstmt.setString(2, new String(password.getPassword()));
final ResultSet rs = pstmt.executeQuery();
As others have said, String.format
is the direct equivalent, but you should use a PreparedStatement
instead. 正如其他人所说,
String.format
是直接等效的,但是您应该改用PreparedStatement
。 From the documentation : 从文档中 :
In the following example of setting a parameter, con represents an active connection:
在以下设置参数的示例中,con表示活动连接:
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?"); pstmt.setBigDecimal(1, 153833.00) pstmt.setInt(2, 110592)
Using a PreparedStatement
instead of String.format
will protect your code from SQL injection. 使用
PreparedStatement
而不是String.format
将保护您的代码免于SQL注入。
Java has similar method to format your strings. Java具有类似的格式化字符串的方法 。
String.format()
However, if you choose to use PreparedStatement
, you can read the documentation here 但是,如果您选择使用
PreparedStatement
,则可以在此处阅读文档。
From the documentation: 从文档中:
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, 153833.00)
pstmt.setInt(2, 110592)
To answer your question directly, as others have mentioned as well, use String.Format, here is a good resource for that: How to use java.String.format in Scala? 正如其他人也提到的那样,要直接回答您的问题,请使用String.Format,这是一个很好的资源: 如何在Scala中使用java.String.format? .
。
However, in this particular example, the real answer is not to do string substitution, but to use arguments in the SQL statement. 但是,在此特定示例中,真正的答案不是执行字符串替换,而是在SQL语句中使用参数。
Something like: 就像是:
query =
String query = "SELECT * FROM utilisateurs WHERE pseudo = ? AND password = ?";
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, pseudo.getText());
ps.setString(2, password.getPassword());
ResultSet rs = ps.executeQuery();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.